No commit activity in last 3 years
No release in over 3 years
Whitelist and typecheck your parameters at the controller level
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Dependencies

Development

~> 0.12.0
>= 0

Runtime

 Project Readme

Strong(ly typed) Parameters¶ ↑

With this plugin Action Controller parameters are forbidden to be used in Active Model mass assignments until they have been whitelisted. This means you’ll have to make a conscious choice about which attributes to allow for mass updating and thus prevent accidentally exposing that which shouldn’t be exposed. In this fork, the type of each parameter is also validated to avoid unexpected behavior with implicit casting.

In addition, parameters can be marked as required and flow through a predefined raise/rescue flow to end up as a 400 Bad Request with no effort.

class PeopleController < ActionController::Base
  # This will raise an ActiveModel::ForbiddenAttributes exception because it's using mass assignment
  # without an explicit permit step.
  def create
    Person.create(params[:person])
  end

  # This will pass with flying colors as long as there's a person key in the parameters, otherwise
  # it'll raise a ActionController::MissingParameter exception, which will get caught by
  # ActionController::Base and turned into that 400 Bad Request reply.
  def update
    person = current_account.people.find(params[:id])
    person.update_attributes!(person_params)
    redirect_to person
  end

  private
    # Using a private method to encapsulate the permissible parameters is just a good pattern
    # since you'll be able to reuse the same permit list between create and update. Also, you
    # can specialize this method with per-user checking of permissible attributes.
    def person_params
      params.require(:person).permit(:name, :age)
    end
end

Permitted Types¶ ↑

Given

params.permit(:id)

the key :id will pass the whitelisting if it appears in params and is a String. Otherwise the key is going to be filtered out, so arrays, hashes, or any other objects cannot be injected.

If instead the argument is given as

params.permit(:id => Numeric)

the :id value must be a number. Any class or module can be given here. The marker module Boolean is included in TrueClass and FalseClass.

To declare that the value in params must be an array of values of a certain type, wrap the type constant in an Array:

params.permit(:id => [Numeric])

Defaults with ActiveRecord¶ ↑

If a parameter shares a name with an ActiveRecord model, the default types for its attributes are those of that model, rather than String.

Nested Parameters¶ ↑

You can also use permit on nested parameters, like:

params.permit(:name, {:emails => [String]}, :friends => [ :name, { :family => [ :name ] }])

Thanks to Nick Kallen for the permit idea!

Handling of Unpermitted Keys¶ ↑

By default parameter keys that are not explicitly permitted will be logged in the development and test environment. In other environments these parameters will simply be filtered out and ignored.

Additionally, this behaviour can be changed by changing the config.action_controller.action_on_unpermitted_parameters property in your environment files. If set to :log the unpermitted attributes will be logged, if set to :raise an exception will be raised.

Installation¶ ↑

In Gemfile:

gem 'strongly_typed_parameters'

and then run ‘bundle`. To activate the strong parameters, you need to include this module in every model you want protected.

class Post < ActiveRecord::Base
  include ActiveModel::ForbiddenAttributesProtection
end

If you want to now disable the default whitelisting that occurs in later versions of Rails, change the config.active_record.whitelist_attributes property in your config/application.rb:

config.active_record.whitelist_attributes = false

This will allow you to remove / not have to use attr_accessible and do mass assignment inside your code and tests.

Compatibility¶ ↑

This plugin is only fully compatible with Rails versions 3.0, 3.1 and 3.2 but not 4.0+, as the non-typechecking version is part of Rails Core in 4.0.