No release in over 3 years
Low commit activity in last 3 years
There's a lot of open issues
Provides two class methods on ActionController::Base that filter the params hash for that controller's actions. You can think of them as the controller analog of attr_protected and attr_accessible.

Summary

This plugin provides two class methods on ActionController::Base that filter the params hash for that controller’s actions. You can think of them as the controller analog of attr_protected and attr_accessible.

Installation

Rails 2.3.x

gem install param_protected -v "~> 1.0.0"

Rails 3.0.x

gem "param_protected", "~> 2.0.0"

Thanks to jonleighton for the Rails 3 port.

Rails 3.1.x

gem "param_protected", "~> 3.0.0"

Thanks to gucki for the Rails 3.1 port.

Rails 3.2.x

gem "param_protected", "~> 4.0.0"

Usage

class YourController < ActionController::Base
  param_protected <param_name>, <options>
  param_accessible <param_name>, <options>

  ...
end

param_name can be a String, Symbol, or Array of Strings and/or Symbols.

options is a Hash that has one of two keys: :only or :except. The value for these keys is a String, Symbol, or Array of Strings and/or Symbols that names the action(s) for which the params are protected.

Blacklisting

Any of these combinations should work.

param_protected :client_id
param_protected [:client_id, :user_id]
param_protected :client_id, :only => 'my_action'
param_protected :client_id, :except => [:your_action, :my_action]

Whitelisting

Any of these combinations should work.

param_accessible :client_id
param_accessible [:client_id, :user_id]
param_accessible :client_id, :only => 'my_action'
param_accessible :client_id, :except => [:your_action, :my_action]

Nested Params

You can use combinations of arrays and hashes to specify nested params, much the same way ActiveRecord::Base#find's :include argument works.

param_accessible [:account_name, { :user => [:first_name, :last_name, :address => [:street, :city, :state]] }]
param_protected [:id, :password, { :user => [:id, :password] }]

Merging

If you call param_protected or param_accessible multiple times for an action or actions, then the protections will be merged. For example…

param_protected [:id, :user], :only => :some_action
param_protected [{ :user => [:first, :last] }, :password], :only => :some_action

Is equivalent to saying…

param_protected [:id, { :user => [:first, :last] }, :password], :only => :some_action

Credit: Moritz Heidkamp

Inheritance

Param protections are inherited by derived controllers.

Credit: Moritz Heidkamp

Conditions

You can conditionally protect params…

param_protected :admin, :unless => "user_is_admin?"
param_accessible :admin, :if => :user_is_admin?
param_protected :admin, :unless => Proc.new{ |controller| controller.user_is_admin? }

Credit: Moritz Heidkamp

Regular Expressions

You can use regular expressions when specifying which params to make protected or accessible.

param_accessible /item\d/

Credit: Moritz Heidkamp

How does it work?

It does an alias_method_chain on ActionController::Base#params that filters (and caches) the params. You can get the unfiltered, pristine params by calling ActionController::Base#params_without_protection.
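
The filtering semantics this README describes (blacklist, whitelist, nested specs, regular expressions, merging) can be tried outside Rails with the added sketch below. It is not the plugin's code: `normalize`, `matcher`, `match_rule`, `apply_rules`, `filter_params` and the `PARAMS` hash are hypothetical names and constructed data.

```ruby
# Added illustration in plain Ruby (no Rails); not param_protected's own code.
# Spec format follows the README: names, Regexps and { parent => [children] }.

# Turn a spec into { matcher => nested_rules_or_nil }. A nested entry wins over
# a bare one for the same name, as in the README's merge example.
def normalize(spec)
  spec = [spec] unless spec.is_a?(Array)
  spec.each_with_object({}) do |item, rules|
    if item.is_a?(Hash)
      item.each { |name, children| rules[matcher(name)] = normalize(children) }
    else
      rules[matcher(item)] ||= nil
    end
  end
end

def matcher(name)
  name.is_a?(Regexp) ? name : name.to_s
end

# Returns [matched?, nested_rules] for one params key.
def match_rule(rules, key)
  rules.each do |m, nested|
    return [true, nested] if m.is_a?(Regexp) ? m.match?(key.to_s) : m == key.to_s
  end
  [false, nil]
end

# mode is :accessible (keep only matches) or :protected (drop matches).
def apply_rules(params, rules, mode)
  params.each_with_object({}) do |(key, value), out|
    hit, nested = match_rule(rules, key)
    if hit && nested && value.is_a?(Hash)
      out[key] = apply_rules(value, nested, mode)   # descend into the nested spec
    elsif hit == (mode == :accessible)
      out[key] = value                              # whitelist hit or blacklist miss
    end
  end
end

def filter_params(params, spec, mode)
  apply_rules(params, normalize(spec), mode)
end

# Constructed request params; "admin" and "role" are keys no spec below names.
PARAMS = {
  "account_name" => "acme", "admin" => "1", "item1" => "a",
  "user" => { "id" => "7", "first_name" => "Ann", "password" => "x", "role" => "owner" }
}.freeze
```

With this hash, the whitelist spec `[:account_name, /item\d/, { :user => [:first_name] }]` in `:accessible` mode returns only `account_name`, `item1` and `user.first_name`. The README's blacklist spec `[:id, :password, { :user => [:id, :password] }]` in `:protected` mode leaves `admin` and `user.role` in place because nothing names them.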

Original Author

Christopher J. Bottaro - cjbottaro

Contributors

Moritz Heidkamp - DerGuteMoritz

Jon Leighton - jonleighton

Corin Langosch - gucki