Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Rails 4 Strong Parameters : can I 'exclude' / blacklist attributes instead of permit / whitelist?

Tags:

ruby

ruby-on-rails

ruby-on-rails-4

I'm migrating a Rails 3 app to Rails 4 and I'm in the process of converting attr_accessible properties to strong parameters in the controller. The API Documentation shows how to 'permit' attributes:

def person_params
  params.require(:person).permit(:name, :age)
end

However the vast majority of my attributes are mass-assignment safe. It's only a few attributes like :account_id and :is_admin that I need to blacklist.

Is it possible to blacklist attributes instead of whitelisting almost every attribute? E.g something like:

def user_params
  params.require(:user).exclude(:account_id, :is_admin)
end
like image 581
Pete Avatar asked Sep 17 '13 08:09

Pete

4 Answers

I think you shouldn't really do that for reasons outlined by @Damien, but heres a solution I just found.

params.require(:user).except!(:account_id, :is_admin).permit!

This will remove :account_id, :is_admin from hash and permit all other parameters. But again - this is potentially insecure.

Why this works? Because ActionController::Parameters inherits from Hash!

Update 4th July 2016

In Rails 5 this probably doesn't work anymore as per upgrade guide

ActionController::Parameters No Longer Inherits from HashWithIndifferentAccess

like image 133
Mike Szyndel Avatar answered Nov 09 '22 11:11

Mike Szyndel

Whitelisting is more secure.

But u can try: In model:

self.permitted_params
  attribute_names - ["is_admin"]
end

In Controller:

def user_params
  params.require(:user).permit(*User.permitted_params)
end
like image 35
Oleg Haidul Avatar answered Nov 09 '22 11:11

Oleg Haidul

No, this is not possible.
Blacklisting attributes would be a security issue, since your codebase can evolve, and other attributes, which should be blacklisted can be forgotten in the future.

Adding all your whitelisted attributes might seem like a complicated thing when implementing it.
However, it's the only way of keeping your application secure and avoiding disturbing things.

like image 4
Damien MATHIEU Avatar answered Nov 09 '22 12:11

Damien MATHIEU

From the docs: yes, you can, with except, which "returns a new ActionController::Parameters instance that filters out the given keys":

params = ActionController::Parameters.new(a: 1, b: 2, c: 3)
params.except(:a, :b) # => <ActionController::Parameters {"c"=>3} permitted: false>
params.except(:d)     # => <ActionController::Parameters {"a"=>1, "b"=>2, "c"=>3} permitted: false>
like image 2
snowangel Avatar answered Nov 09 '22 10:11

snowangel
Sign in to Comment

Related questions

send_file just sends an empty file
Like and where condition in ruby
loop in templates
OmniAuth using google oauth 2 strategy scope failure
Is it possible to run my Rails app on Heroku with Ruby 1.9.3? If so, how?
How to fail Ajax request in Rails?
Calling an ApplicationController method from console in Rails
RSpec mock from test console
Rails: Include External JavaScript
ActiveRecord: Do I need both belongs_to and has_one
Appending headers to Rspec controller tests
Validate: Only letters, numbers and -
Refactoring ActiveRecord models with a base class versus a base module
How can I determine whether a controller action has rendered (rather than redirected?)
How do I set MySQL as the default database in Rails 3?
Do ruby on rails programmers refactor?
String.force_encoding() in Ruby 1.8.7 (or Rails 2.x)
Ruby on Rails: /bin/sh: rspec: command not found
Undefined method `merge' for '####':string <%= form_for %> helper
From title case to sentence case

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!