This plugin provides two class methods on ActiveController::Base
that filter the params
hash for that controller’s actions. You can think of them as the controller analog of attr_protected
and attr_accessible
.
gem install param_protected -v "~> 1.0.0"
gem "param_protected", "~> 2.0.0"
Thanks to jonleighton for the Rails 3 port.
gem "param_protected", "~> 3.0.0"
Thanks to gucki for the Rails 3.1 port.
gem "param_protected", "~> 4.0.0"
class YourController < ActiveController::Base param_protected <param_name> <options> param_accessible <param_name> <options> ... end
param_name
can be a String, Symbol, or Array of Strings and/or Symbols.
options
is a Hash that has one of two keys: :only
or :except
. The value for these keys is a String, Symbol, or Array of Strings and/or Symbols which denotes to the action(s) for which params to protect.
Any of these combinations should work.
param_protected :client_id param_protected [:client_id, :user_id] param_protected :client_id, :only => 'my_action' param_protected :client_id, :except => [:your_action, :my_action]
Any of these combinations should work.
param_accessible :client_id param_accessible :[:client_id, :user_id] param_accessible :client_id, :only => 'my_action' param_accessible :client_id, :except => [:your_action, :my_action]
You can use combinations of arrays and hashes to specify nested params, much the same way ActiveRecord::Base#find
‘s :include
argument works.
param_accessible [:account_name, { :user => [:first_name, :last_name, :address => [:street, :city, :state]] }] param_protected [:id, :password, { :user => [:id, :password] }]
If you call param_protected
or param_accessible
multiple times for an action or actions, then the protections will be merged. For example…
param_protected [:id, :user], :only => :some_action param_protected [{ :user => [:first, :last] }, :password], :only => :some_action
Is equivalent to saying…
param_protected [:id, { :user => [:first, :last] }, :password], :only => :some_action
Credit: Moritz Heidkamp
Param protections will be inherited to derived controllers.
Credit: Moritz Heidkamp
You can conditionally protect params…
param_protected :admin, :unless => "user_is_admin?" param_accessible :admin, :if => :user_is_admin? param_protected :admin, :unless => Proc.new{ |controller| controller.user_is_admin? }
Credit: Mortiz Heidkamp
You can use regular expressions when specifying which params to make protected or accessible.
param_accessible /item\d/
Credit: Mortiz Heidkamp
It does an alias_method_chain
on ActionController::Base#params
that filters (and caches) the params. You can get the unfiltered, pristine params by calling ActionController::Base#params_without_protection
.
Christopher J. Bottaro - cjbottaro
Moritz Heidkamp - DerGuteMoritz
Jon Leighton - jonleighton
Corin Langosch - gucki