Rails Action Controller Patterns
Master Action Controller patterns for building robust Rails controllers with proper routing, filters, parameter handling, and RESTful design.
Overview
Action Controller is the component that handles web requests in Rails. It processes incoming requests, interacts with models, and renders responses. Controllers follow the MVC pattern and implement REST conventions by default.
Installation and Setup
Generating Controllers
Generate a resource controller
rails generate controller Posts index show new create edit update destroy
Generate a namespaced controller
rails generate controller Admin::Posts index show
Generate an API-only controller
rails generate controller Api::V1::Posts --no-helper --no-assets
Routing Configuration
config/routes.rb
Rails.application.routes.draw do
RESTful resources
resources :posts
Nested resources
resources :posts do resources :comments end
Namespaced routes
namespace :admin do resources :posts end
Custom routes
get 'about', to: 'pages#about' root 'posts#index' end
Core Patterns
- Basic Controller Structure
app/controllers/posts_controller.rb
class PostsController < ApplicationController before_action :authenticate_user!, except: [:index, :show] before_action :set_post, only: [:show, :edit, :update, :destroy] before_action :authorize_post, only: [:edit, :update, :destroy]
GET /posts
def index @posts = Post.includes(:user) .order(created_at: :desc) .page(params[:page]) end
GET /posts/:id
def show @comments = @post.comments.includes(:user) end
GET /posts/new
def new @post = Post.new end
POST /posts
def create @post = current_user.posts.build(post_params)
if @post.save
redirect_to @post, notice: 'Post was successfully created.'
else
render :new, status: :unprocessable_entity
end
end
GET /posts/:id/edit
def edit end
PATCH/PUT /posts/:id
def update if @post.update(post_params) redirect_to @post, notice: 'Post was successfully updated.' else render :edit, status: :unprocessable_entity end end
DELETE /posts/:id
def destroy @post.destroy redirect_to posts_url, notice: 'Post was successfully deleted.' end
private
def set_post @post = Post.find(params[:id]) end
def authorize_post unless @post.user == current_user redirect_to posts_path, alert: 'Not authorized' end end
def post_params params.require(:post).permit(:title, :body, :status, tag_ids: []) end end
- Strong Parameters
app/controllers/users_controller.rb
class UsersController < ApplicationController
Basic strong parameters
def user_params params.require(:user).permit(:name, :email, :password) end
Nested attributes
def user_params_with_profile params.require(:user).permit( :name, :email, profile_attributes: [:bio, :avatar, :website] ) end
Arrays of permitted attributes
def post_params params.require(:post).permit( :title, :body, tag_ids: [], images: [] ) end
Conditional parameters
def user_params permitted = [:name, :email] permitted << :admin if current_user.admin? params.require(:user).permit(*permitted) end
Deep nested attributes
def organization_params params.require(:organization).permit( :name, departments_attributes: [ :id, :name, :_destroy, employees_attributes: [:id, :name, :role, :_destroy] ] ) end
JSON parameters
def config_params params.require(:config).permit( settings: [:theme, :notifications, :language], preferences: {} ) end end
- Filters and Callbacks
app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
Before filters
before_action :authenticate_user! before_action :configure_permitted_parameters, if: :devise_controller? before_action :set_time_zone, if: :user_signed_in?
After filters
after_action :log_activity after_action :set_cache_headers
Around filters
around_action :measure_action_time
private
def configure_permitted_parameters devise_parameter_sanitizer.permit(:sign_up, keys: [:name]) end
def set_time_zone Time.zone = current_user.time_zone end
def log_activity ActivityLogger.log(controller_name, action_name, current_user) end
def set_cache_headers response.headers['Cache-Control'] = 'no-cache, no-store' end
def measure_action_time start = Time.current yield duration = Time.current - start Rails.logger.info "Action took #{duration}s" end end
app/controllers/posts_controller.rb
class PostsController < ApplicationController skip_before_action :authenticate_user!, only: [:index, :show] before_action :set_post, only: [:show, :edit, :update] before_action :verify_ownership, only: [:edit, :update]
prepend_before_action :load_categories append_before_action :track_view, only: [:show]
private
def verify_ownership redirect_to root_path unless @post.user == current_user end
def load_categories @categories = Category.all end
def track_view @post.increment!(:views_count) end end
- RESTful Conventions
config/routes.rb
Rails.application.routes.draw do resources :posts do # Collection routes (no ID) collection do get :drafts get :search end
# Member routes (with ID)
member do
post :publish
patch :archive
end
# Nested resources
resources :comments, only: [:create, :destroy]
end
Shallow nesting
resources :authors do resources :books, shallow: true end
Only/except options
resources :users, only: [:index, :show] resources :sessions, except: [:edit, :update]
Custom resource names
resources :posts, path: 'articles' end
app/controllers/posts_controller.rb
class PostsController < ApplicationController
GET /posts/drafts
def drafts @posts = current_user.posts.draft render :index end
GET /posts/search
def search @posts = Post.search(params[:q]) render :index end
POST /posts/:id/publish
def publish @post = Post.find(params[:id]) if @post.publish! redirect_to @post, notice: 'Post published' else redirect_to @post, alert: 'Could not publish post' end end end
- Rendering Responses
app/controllers/posts_controller.rb
class PostsController < ApplicationController def show @post = Post.find(params[:id])
respond_to do |format|
format.html # Renders show.html.erb by default
format.json { render json: @post }
format.xml { render xml: @post }
format.pdf { render pdf: @post }
end
end
def create @post = Post.new(post_params)
if @post.save
# Redirect to a URL
redirect_to @post, notice: 'Created'
# Redirect back with fallback
redirect_back fallback_location: root_path, notice: 'Created'
else
# Render a template with status
render :new, status: :unprocessable_entity
end
end
def export # Render text render plain: 'Export complete'
# Render JSON with status
render json: { status: 'ok' }, status: :ok
# Render nothing
head :no_content
# Render file
send_file '/path/to/file.pdf',
filename: 'document.pdf',
type: 'application/pdf',
disposition: 'attachment'
# Stream file
send_data generate_csv, filename: 'report.csv',
type: 'text/csv',
disposition: 'inline'
end
def partial_update # Render partial render partial: 'post', locals: { post: @post }
# Render collection
render partial: 'post', collection: @posts
# Render with layout
render 'special_layout', layout: 'admin'
# Render without layout
render layout: false
end end
- Error Handling
app/controllers/application_controller.rb
class ApplicationController < ActionController::Base rescue_from ActiveRecord::RecordNotFound, with: :not_found rescue_from ActiveRecord::RecordInvalid, with: :unprocessable_entity rescue_from ActionController::ParameterMissing, with: :bad_request rescue_from Pundit::NotAuthorizedError, with: :forbidden
private
def not_found(exception) respond_to do |format| format.html { render 'errors/404', status: :not_found } format.json { render json: { error: exception.message }, status: :not_found } end end
def unprocessable_entity(exception) render json: { errors: exception.record.errors }, status: :unprocessable_entity end
def bad_request(exception) render json: { error: exception.message }, status: :bad_request end
def forbidden respond_to do |format| format.html { render 'errors/403', status: :forbidden } format.json { render json: { error: 'Forbidden' }, status: :forbidden } end end end
- Session and Cookie Management
app/controllers/sessions_controller.rb
class SessionsController < ApplicationController def create user = User.find_by(email: params[:email])
if user&.authenticate(params[:password])
# Set session
session[:user_id] = user.id
# Set signed cookie
cookies.signed[:user_id] = user.id
# Set encrypted cookie
cookies.encrypted[:user_token] = user.token
# Set permanent cookie (20 years)
cookies.permanent[:remember_token] = user.remember_token
# Set cookie with options
cookies[:preference] = {
value: 'dark_mode',
expires: 1.year.from_now,
domain: '.example.com',
secure: Rails.env.production?,
httponly: true
}
redirect_to root_path
else
flash.now[:alert] = 'Invalid credentials'
render :new
end
end
def destroy # Clear session session.delete(:user_id) reset_session
# Clear cookies
cookies.delete(:user_id)
cookies.delete(:remember_token)
redirect_to login_path
end end
app/controllers/application_controller.rb
class ApplicationController < ActionController::Base private
def current_user @current_user ||= User.find_by(id: session[:user_id]) end
def user_signed_in? current_user.present? end
helper_method :current_user, :user_signed_in? end
- Flash Messages
app/controllers/posts_controller.rb
class PostsController < ApplicationController def create @post = Post.new(post_params)
if @post.save
# Standard flash
flash[:notice] = 'Post created'
redirect_to @post
# Flash with redirect
redirect_to @post, notice: 'Post created'
# Multiple flash types
flash[:success] = 'Operation succeeded'
flash[:error] = 'Something went wrong'
flash[:warning] = 'Be careful'
flash[:info] = 'FYI'
# Flash.now for render (not redirect)
flash.now[:alert] = 'Validation failed'
render :new
end
end
def update if @post.update(post_params) # Flash with custom key flash[:custom_message] = 'Custom notification' redirect_to @post else # Keep flash for next request flash.keep redirect_to edit_post_path(@post) end end end
app/views/layouts/application.html.erb
<%# Display all flash messages %> <% flash.each do |type, message| %> <div class="flash <%= type %>"> <%= message %> </div> <% end %>
- API Controllers
app/controllers/api/v1/base_controller.rb
module Api module V1 class BaseController < ActionController::API include ActionController::HttpAuthentication::Token::ControllerMethods
before_action :authenticate
rescue_from ActiveRecord::RecordNotFound do |e|
render json: { error: e.message }, status: :not_found
end
private
def authenticate
authenticate_or_request_with_http_token do |token, options|
@current_user = User.find_by(api_token: token)
end
end
def current_user
@current_user
end
end
end end
app/controllers/api/v1/posts_controller.rb
module Api module V1 class PostsController < BaseController def index @posts = Post.page(params[:page]).per(20)
render json: @posts,
meta: pagination_meta(@posts),
status: :ok
end
def show
@post = Post.find(params[:id])
render json: @post, status: :ok
end
def create
@post = current_user.posts.build(post_params)
if @post.save
render json: @post, status: :created, location: api_v1_post_url(@post)
else
render json: { errors: @post.errors },
status: :unprocessable_entity
end
end
def update
@post = current_user.posts.find(params[:id])
if @post.update(post_params)
render json: @post, status: :ok
else
render json: { errors: @post.errors },
status: :unprocessable_entity
end
end
def destroy
@post = current_user.posts.find(params[:id])
@post.destroy
head :no_content
end
private
def post_params
params.require(:post).permit(:title, :body, :status)
end
def pagination_meta(collection)
{
current_page: collection.current_page,
total_pages: collection.total_pages,
total_count: collection.total_count
}
end
end
end end
- Streaming Responses
app/controllers/reports_controller.rb
class ReportsController < ApplicationController include ActionController::Live
def export response.headers['Content-Type'] = 'text/csv' response.headers['Content-Disposition'] = 'attachment; filename="report.csv"'
# Stream CSV data
User.find_each do |user|
response.stream.write "#{user.id},#{user.name},#{user.email}\n"
end
ensure response.stream.close end
def events # Server-sent events response.headers['Content-Type'] = 'text/event-stream' response.headers['Cache-Control'] = 'no-cache'
10.times do |i|
response.stream.write "data: #{i}\n\n"
sleep 1
end
ensure response.stream.close end end
Best Practices
-
Follow REST conventions - Use standard CRUD actions when possible
-
Keep controllers thin - Move business logic to models/services
-
Use strong parameters - Always sanitize input parameters
-
Handle errors gracefully - Implement proper error handling
-
Use before_action - DRY up common operations with filters
-
Return proper status codes - Use semantic HTTP status codes
-
Implement proper authentication - Secure your controllers
-
Use respond_to for multiple formats - Support HTML, JSON, etc.
-
Leverage flash messages - Provide user feedback
-
Version your APIs - Use namespacing for API versions
Common Pitfalls
-
Fat controllers - Putting too much logic in controllers
-
Missing CSRF protection - Not using authenticity tokens
-
Weak parameters - Permitting too many or wrong parameters
-
No error handling - Not rescuing exceptions
-
Missing authorization - Not checking user permissions
-
Inconsistent responses - Different status codes for same scenarios
-
Session bloat - Storing too much data in session
-
Missing before_action - Duplicating code across actions
-
Incorrect redirects - Redirecting when rendering is needed
-
No rate limiting - APIs without throttling
When to Use
-
Building web applications with Rails
-
Creating RESTful APIs
-
Implementing MVC pattern
-
Handling HTTP requests and responses
-
Building admin interfaces
-
Creating CRUD interfaces
-
Implementing authentication flows
-
Building multi-tenant applications
-
Creating webhooks and callbacks
-
Developing content management systems
Resources
-
Action Controller Overview
-
Rails Routing Guide
-
Strong Parameters
-
Rails API Documentation
-
RESTful Web Services