Read more

Whitelist Carrierwave attributes correctly

Henning Koch
November 28, 2013Software engineer at makandra GmbH

Say you have a User with a Carrierwave attribute #avatar:

class User < ActiveRecord::Base
  mount_uploader :avatar, AvatarUploader
end
Illustration UI/UX Design

UI/UX Design by makandra brand

We make sure that your target audience has the best possible experience with your digital product. You get:

  • Design tailored to your audience
  • Proven processes customized to your needs
  • An expert team of experienced designers
Read more Show archive.org snapshot

When whitelisting the avatar field in the controller, you might do this:

params[:user].permit(:avatar)

But you probably want this:

params[:user].permit(:avatar, :avatar_cache, :remove_avatar)

In this example:

  • :avatar_cache allows a newly upload image to persist through form roundtrips in the case of validation errors (something that isn't possible with Paperclip).
  • :remove_avatar is the name of a check box that would delete the avatar. Note that if your Carrierwave image is held by a record that only exists to hold an image (e. g. Image and Image#file, you probably want to destroy the entire record instead of leaving an empty shell behind.
Posted by Henning Koch to makandra dev (2013-11-28 17:00)