Read more

Whitelist Carrierwave attributes correctly

Henning Koch
November 28, 2013Software engineer at makandra GmbH

Say you have a User with a Carrierwave attribute #avatar:

class User < ActiveRecord::Base
  mount_uploader :avatar, AvatarUploader
end
Illustration online protection

Rails Long Term Support

Rails LTS provides security patches for old versions of Ruby on Rails (2.3, 3.2, 4.2 and 5.2)

  • Prevents you from data breaches and liability risks
  • Upgrade at your own pace
  • Works with modern Rubies
Read more Show archive.org snapshot

When whitelisting the avatar field in the controller, you might do this:

params[:user].permit(:avatar)

But you probably want this:

params[:user].permit(:avatar, :avatar_cache, :remove_avatar)

In this example:

  • :avatar_cache allows a newly upload image to persist through form roundtrips in the case of validation errors (something that isn't possible with Paperclip).
  • :remove_avatar is the name of a check box that would delete the avatar. Note that if your Carrierwave image is held by a record that only exists to hold an image (e. g. Image and Image#file, you probably want to destroy the entire record instead of leaving an empty shell behind.
Posted by Henning Koch to makandra dev (2013-11-28 17:00)