
How can I raise an error for unpermitted params, but allow specific ones?

I have added the following to my application.rb because I want to have control over all the sent parameters:

    config.action_controller.action_on_unpermitted_parameters = :raise

This way I see pretty fast during development if I have forgotten to allow a parameter, or something like that.

But - now I get the following error when trying to update a user through a form:

    found unpermitted parameters: utf8, _method, authenticity_token, commit, locale, id

I'm a bit unsure on how to proceed: indeed these are parameters I didn't care about before, and they are automatically sent by Rails' form_for, as far as I can see.

I only want to care about the parameters of my resources, e.g. user[name], user[email], etc.

Is there a way to generally allow those unpermitted parameters above? Or do I miss an important point?

Update

As the problem doesn't seem to be reproducible, here's the repository with the specific commit:

https://github.com/jmuheim/base/commit/dbb62dd68a8a243d056457c9093a6cd8ea3e3836

Just start the server, load the page, sign up as a user (or use josh with pw joshjosh from the seeds), then go to users > list users, and edit your user. Then you will get the error.

You can also just do $ rake and look at the failing specs.

Interesting is that the error is not raised when signing up, so I guess it has something to do with the UsersController. Maybe an issue with inherited resources?

Joshua Muheim asked Nov 10 '22 03:11


1 Answer

I've just played with your application and have managed to reproduce your issue. And if I understand your question correctly here is what I want to say:

  1. Sign up is processed by Devise::RegistrationsController#create. That is why it doesn't fail.

  2. It also fails when in the dashboard you click Users -> Create user. From logs:

    Processing by UsersController#new as HTML
    ...
    [1] base(#<UsersController>) »  params
    => {
      "controller" => "users",
      "action" => "new",
      "locale" => "en"
    }
    

    Though it's just a #new action so there is no need to check permitted params. I think you should investigate this in the inherited resources docs.


  3. And here comes the solution for the edit issue right from the Rails docs:

    params.require(:user).permit(
      :name,
      :email,
      :avatar,
      :avatar_cache,
      :remove_avatar,
      :about,
      :password,
      :password_confirmation,
      :lock_version
    )
    

    3.1 But

    As I found out this is not going to work with inherited_resources just like above. Try searching for 'If you need params.require' on the docs page. One of their suggestions is:

    def permitted_params
      {
        user: params.require(:user).permit(
          :name,
          :email,
          :avatar,
          :avatar_cache,
          :remove_avatar,
          :about,
          :password,
          :password_confirmation,
          :lock_version
        )
      }
    end
    

Regards

nsave answered Nov 15 '22 05:11