This plugin provides two class methods on ActiveController::Base that filter the params hash for that controller's actions. You can think of them as the controller analog of attr_protected and attr_accessible.


Rails 2.3.x

gem install param_protected -v "~> 1.0.0"

Rails 3.0.x

gem "param_protected", "~> 2.0.0"

Thanks to jonleighton for the Rails 3 port.

Rails 3.1.x

gem "param_protected", "~> 3.0.0"

Thanks to gucki for the Rails 3.1 port.


class YourController < ActiveController::Base
  param_protected <param_name> <options>
  param_accessible <param_name> <options>


param_name can be a String, Symbol, or Array of Strings and/or Symbols.

options is a Hash that has one of two keys: :only or :except. The value for these keys is a String, Symbol, or Array of Strings and/or Symbols which denotes to the action(s) for which params to protect.


Any of these combinations should work.

param_protected :client_id
param_protected [:client_id, :user_id]
param_protected :client_id, :only => 'my_action'
param_protected :client_id, :except => [:your_action, :my_action]


Any of these combinations should work.

param_accessible :client_id
param_accessible :[:client_id, :user_id]
param_accessible :client_id, :only => 'my_action'
param_accessible :client_id, :except => [:your_action, :my_action]

Nested Params

You can use combinations of arrays and hashes to specify nested params, much the same way ActiveRecord::Base#find's :include argument works.

param_accessible [:account_name, { :user => [:first_name, :last_name, :address => [:street, :city, :state]] }]
param_protected [:id, :password, { :user => [:id, :password] }]


If you call param_protected or param_accessible multiple times for an action or actions, then the protections will be merged. For example…

param_protected [:id, :user], :only => :some_action
param_protected [{ :user => [:first, :last] }, :password], :only => :some_action

Is equivalent to saying…

param_protected [:id, { :user => [:first, :last] }, :password], :only => :some_action

Credit: Moritz Heidkamp


Param protections will be inherited to derived controllers.

Credit: Moritz Heidkamp


You can conditionally protect params…

param_protected :admin, :unless => "user_is_admin?"
param_accessible :admin, :if => :user_is_admin?
param_protected :admin, :unless =>{ |controller| controller.user_is_admin? }

Credit: Mortiz Heidkamp

Regular Expressions

You can use regular expressions when specifying which params to make protected or accessible.

param_accessible /item\d/

Credit: Mortiz Heidkamp

How does it work?

It does an alias_method_chain on ActionController::Base#params that filters (and caches) the params. You can get the unfiltered, pristine params by calling ActionController::Base#params_without_protection.

Original Author

Christopher J. Bottaro - cjbottaro


Moritz Heidkamp - DerGuteMoritz

Jon Leighton - jonleighton

Corin Langosch - gucki