我的书签
添加书签
移除书签Parameters are taken from the Rack env and passed as an argument to #call. They are similar to a Ruby Hash, but they offer an expanded set of features.
Sources
Params can come from:
- Router variables (eg.
/books/:id) - Query string (eg.
/books?title=Hanami) - Request body (eg. a
POSTrequest to/books)
Access
To access the value of a param, we can use the subscriber operator #[].
# apps/web/controllers/dashboard/index.rbmodule Webmodule Controllersmodule Dashboardclass Indexinclude Web::Actiondef call(params)self.body = "Query string: #{ params[:q] }"endendendendend
If we visit /dashboard?q=foo, we should see Query string: foo.
Symbol Access
Params and nested params can be referenced only via symbols.
params[:q]params[:book][:title]
Now, what happens if the parameter :book is missing from the request? Because params[:book] is nil, we can’t access :title. In this case Ruby will raise a NoMethodError.
We have a safe solution for our problem: #get. It accepts a list of symbols, where each symbol represents a level in our nested structure.
params.get(:book, :title) # => "Hanami"params.get(:unknown, :nested, :param) # => nil instead of NoMethodError
Whitelisting
In order to show how whitelisting works, let’s create a new action:
bundle exec hanami generate action web signup#create
We want to provide self-registration for our users. We build a HTML form which posts to an action that accepts the payload and stores it in the users table. That table has a boolean column admin to indicate whether a person has administration permissions.
A malicious user can exploit this scenario by sending this extra parameter to our application, thereby making themselves an administrator.
We can easily fix this problem by filtering the allowed parameters that are permitted inside our application. Please always remember that params represent untrusted input.
We use .params to map the structure of the (nested) parameters.
# apps/web/controllers/signup/create.rbmodule Web::Controllers::Signupclass Createinclude Web::Actionparams dorequired(:email).filledrequired(:password).filledrequired(:address).schema dorequired(:country).filledendenddef call(params)puts params[:email] # => "alice@example.org"puts params[:password] # => "secret"puts params[:address][:country] # => "Italy"puts params[:admin] # => nilendendend
Even if admin is sent inside the body of the request, it isn’t accessible from params.
Validations & Coercion
Use Cases
In our example (called “Signup”), we want to make password a required param.
Imagine we introduce a second feature: “Invitations”. An existing user can ask someone to join. Because the invitee will decide a password later on, we want to persist that User record without that value.
If we put password validation in User, we need to handle these two use cases with a conditional. But in the long term this approach is painful from a maintenance perspective.
# Example of poor style for validationsclass Userattribute :password, presence: { if: :password_required? }privatedef password_required?!invited_user? && !admin_password_reset?endend
We can see validations as the set of rules for data correctness that we want for a specific use case. For us, a User can be persisted with or without a password, depending on the workflow and the route through which the User is persisted.
Boundaries
The second important aspect is that we use validations to prevent invalid inputs to propagate in our system. In an MVC architecture, the model layer is the farthest from the input. It’s expensive to check the data right before we create a record in the database.
If we consider correct data as a precondition before starting our workflow, we should stop unacceptable inputs as soon as possible.
Think of the following method. We don’t want to continue if the data is invalid.
def expensive_computation(argument)return if argument.nil?# ...end
Usage
We can coerce the Ruby type, validate if a param is required, determine if it is within a range of values, etc..
# apps/web/controllers/signup/create.rbmodule Webmodule Controllersmodule Signupclass Createinclude Web::ActionMEGABYTE = 1024 ** 2params dorequired(:name).filled(:str?)required(:email).filled(:str?, format?: /@/).confirmationrequired(:password).filled(:str?).confirmationrequired(:terms_of_service).filled(:bool?)required(:age).filled(:int?, included_in?: 18..99)optional(:avatar).filled(size?: 1..(MEGABYTE * 3))enddef call(params)if params.valid?# ...else# ...endendendendendend
Parameter validations are delegated, under the hood, to Hanami::Validations. Please check the related documentation for a complete list of options and how to share code between validations.
Concrete Classes
The params DSL is really quick and intuitive but it has the drawback that it can be visually noisy and makes it hard to unit test. An alternative is to extract a class and pass it as an argument to .params.
# apps/web/controllers/signup/my_params.rbmodule Webmodule Controllersmodule Signupclass MyParams < Web::Action::ParamsMEGABYTE = 1024 ** 2params dorequired(:name).filled(:str?)required(:email).filled(:str?, format?: /@/).confirmationrequired(:password).filled(:str?).confirmationrequired(:terms_of_service).filled(:bool?)required(:age).filled(:int?, included_in?: 18..99)optional(:avatar).filled(size?: 1..(MEGABYTE * 3)endendendendend
# apps/web/controllers/signup/create.rbrequire_relative './my_params'module Webmodule Controllersmodule Signupclass Createinclude Web::Actionparams MyParamsdef call(params)if params.valid?# ...else# ...endendendendendend
Inline predicates
In case there is a predicate that is needed only for the current params, you can define inline predicates:
# apps/web/controllers/books/create.rbmodule Webmodule Controllersmodule Booksclass Createinclude Web::Actionparams Class.new(Hanami::Action::Params) {predicate(:cool?, message: "is not cool") do |current|current.match(/cool/)endvalidations dorequired(:book).schema dorequired(:title) { filled? & str? & cool? }endend}def call(params)if params.valid?self.body = 'OK'elseself.body = params.error_messages.join("\n")endendendendendend
Body Parsers
Rack ignores request bodies unless they come from a form submission. If we have a JSON endpoint, the payload isn’t available in params.
# apps/web/controllers/books/create.rbmodule Webmodule Controllersmodule Booksclass Createinclude Web::Actionaccept :jsondef call(params)puts params.to_h # => {}endendendendend
$ curl http://localhost:2300/books \-H "Content-Type: application/json" \-H "Accept: application/json" \-d '{"book":{"title":"Hanami"}}' \-X POST
In order to make book payload available in params, we should enable this feature:
# config/environment.rbrequire "hanami/middleware/body_parser"Hanami.configure do# ...middleware.use Hanami::Middleware::BodyParser, :jsonend
Now params.get(:book, :title) returns "Hanami".
In case there is no suitable body parser for your format in Hanami, it is possible to declare a new one:
# lib/foo_parser.rbclass FooParserdef mime_types['application/foo']enddef parse(body)# manually parse bodyendend
and subsequently register it:
# config/environment.rbrequire "hanami/middleware/body_parser"Hanami.configure do# ...middleware.use Hanami::Middleware::BodyParser, FooParser.newend
