merb-param-protection

This plugin exposes three new controller methods which allow us to simply and flexibly filter the parameters available within the controller.

Setup: The request sets:

params => { :post => { :title => "ello", :body => "Want it", :status => "green", :author_id => 3, :rank => 4 } }

Example 1: params_accessable
MyController < Application
  params_accessible :post => [:title, :body]
end

params.inspect # => { :post => { :title => "ello", :body => "Want it" } }

So we see that params_accessible removes everything except what is explictly specified.

Example 2: params_protected
MyOtherController < Application
  params_protected :post => [:status, :author_id]
end

params.inspect # => { :post => { :title => "ello", :body => "Want it", :rank => 4 } }

We also see that params_protected removes ONLY those parameters explicitly specified.

Sometimes you have certain post parameters that are best left unlogged, we support that too. Your actions continue to receive the variable correctly, but the requested parameters are scrubbed at log time.

MySuperDuperController < Application
  log_params_filtered :password
end

params.inspect # => { :username => 'atmos', :password => '[FILTERED]' }