The create action uses the message params method to safely collect data from the form and update the database.
What does it mean by "safely"? How could this have been designed in an unsafe way?
If the server accepted any data you sent it, you would be able to send in database queries (for example). Those could be a serious problem, especially if you were storing password hashes or other sensitive information on your server, because then malicious people could get it easily.
In what circumstance would if @message.save return false?
There’s a series of callbacks associated with save. If any of the before_* callbacks return false the action is cancelled and
For example, maybe if you specified that a certain field couldn't be empty (empty fields are allowed by default, which is why you didn't get an error), or had a minimum length, and the data didn't meet those criteria, then save would return
Why is :message required in the message_params function but :content is only permitted?
See this Stack Overflow answer and this documentation page.
require will throw an error if it's missing, but permit doesn't care if its fields are missing. permit's job is to weed out all of the fields that aren't allowed, such as if you tried to submit a title with your message somehow.
I hope this helps, please let me know if you have any more questions!
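
The require/permit behaviour discussed in this answer, as an added example that is not part of the original post. It is a simplified pure-Ruby stand-in for Rails' strong parameters, not Rails' own code; `SketchParams`, `ParameterMissing`, `try_params` and the sample submissions are constructed for illustration.

```ruby
# Simplified stand-in for Rails' strong parameters, written for illustration
# only; it models just the require/permit behaviour described in the answer.
class ParameterMissing < StandardError; end

class SketchParams
  def initialize(hash)
    @hash = hash.transform_keys(&:to_s)
  end

  # require: the key must be present and non-empty, otherwise raise.
  def require(key)
    value = @hash[key.to_s]
    if value.nil? || (value.respond_to?(:empty?) && value.empty?)
      raise ParameterMissing, "param is missing or the value is empty: #{key}"
    end
    value.is_a?(Hash) ? SketchParams.new(value) : value
  end

  # permit: keep only allow-listed keys; a missing permitted key is not an error.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    @hash.select { |k, _| allowed.include?(k) }
  end
end

# Mirrors the message_params method from the lesson.
def message_params(raw)
  SketchParams.new(raw).require(:message).permit(:content)
end

# Returns the filtered hash, or a string describing why the request was rejected.
def try_params(raw)
  message_params(raw)
rescue ParameterMissing => e
  "rejected: #{e.message}"
end

# Constructed sample form submissions.
NORMAL     = { "message" => { "content" => "hello" } }
TAMPERED   = { "message" => { "content" => "hi", "title" => "x", "admin" => "true" } }
NO_CONTENT = { "message" => { "title" => "only a title" } }
MISSING    = { "post" => { "content" => "wrong top-level key" } }

[NORMAL, TAMPERED, NO_CONTENT, MISSING].each { |raw| p try_params(raw) }
```

Only the allow-listed `content` key ever reaches the model, so extra fields such as `title` or `admin` in a tampered submission are dropped before `save` is called.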