Strong Parameters
With this plugin Action Controller parameters are forbidden to be used in Active Model mass assignments until they have been whitelisted. This means you’ll have to make a conscious choice about which attributes to allow for mass updating and thus prevent accidentally exposing that which shouldn’t be exposed.
In addition, parameters can be marked as required and flow through a predefined raise/rescue flow to end up as a 400 Bad Request with no effort.
class PeopleController < ActionController::Base
# This will raise an ActiveModel::ForbiddenAttributes exception because it's using mass assignment
# without an explicit permit step.
def create
Person.create(params[:person])
end
# This will pass with flying colors as long as there's a person key in the parameters, otherwise
# it'll raise a ActionController::MissingParameter exception, which will get caught by
# ActionController::Base and turned into that 400 Bad Request reply.
def update
redirect_to current_account.people.find(params[:id]).tap { |person|
person.update_attributes!(person_params)
}
end
private
# Using a private method to encapsulate the permissible parameters is just a good pattern
# since you'll be able to reuse the same permit list between create and update. Also, you
# can specialize this method with per-user checking of permissible attributes.
def person_params
params.require(:person).permit(:name, :age)
end
end
You can also use permit on nested parameters, like:
params.permit(:name, friends: [ :name, { family: [ :name ] }])
Thanks to Nick Kallen for the permit idea!
Handling of Unpermitted Keys
By default parameter keys that are not explicitly permitted will be logged in the development and test environment. In other environments these parameters will simply be filtered out and ignored.
Additionally, this behaviour can be changed by changing the ActionController::Parameters.action_on_unpermitted_parameters
property in your initializer. If set to :log
the unpermitted attributes will be logged, if set to :raise
an exception will be raised.
Installation
In Gemfile:
gem 'strong_parameters_rails2', :require => 'strong_parameters'
and then run ‘bundle`. To activate the strong parameters, you need to include this module in every model you want protected.
Simple
class Post < ActiveRecord::Base
include ActiveRecord::ForbiddenAttributesProtection
end
Rails 3 ready
StrongParameters::ModelExtension = if Rails::VERSION::MAJOR == 2
ActiveRecord::ForbiddenAttributesProtection
else
ActiveModel::ForbiddenAttributesProtection
end
class Post < ActiveRecord::Base
include StrongParameters::ModelExtension
end
Just logging for existing models
ActiveRecord::ForbiddenAttributesProtection.class_eval do
remove_method :assign_attributes_with_permitted # more sure we overwrite the correct method
def assign_attributes_with_permitted(attributes)
if attributes.respond_to?(:permitted?) && !attributes.permitted?
if Rails.env.production?
Rails.logger.error("Failed permitted attributes check \n#{caller[0..-10].join("\n")}")
else
raise ActiveRecord::ForbiddenAttributes
end
end
assign_attributes_without_permitted(attributes)
end
end
Compatibility
This gem only supports Rails 2