Description: A Rails plugin that provides param_protected and param_accessible methods on controllers analogous to attr_protected and attr_accessible for models.
Homepage: http://blog.stochasticbytes.com/2008/01/paramprotected.html
Clone URL: git://github.com/cjbottaro/param_protected.git
name age message
file CHANGELOG Tue Mar 17 13:01:09 -0700 2009 fixed how to specify nested params to be more sane [cjbottaro]
file README Mon May 19 09:44:55 -0700 2008 Trying to get the README to play nice with github. [Christopher J. Bottaro]
file README.rdoc Sun Mar 29 17:33:59 -0700 2009 examples had invalid Ruby code [cjbottaro]
file Rakefile Sun May 18 19:45:13 -0700 2008 moving over from svn [Christopher J. Bottaro]
file init.rb Wed Jul 16 15:16:45 -0700 2008 complete rewrite [cjbottaro]
file install.rb Sun May 18 19:45:13 -0700 2008 moving over from svn [Christopher J. Bottaro]
directory lib/ Tue Mar 17 13:01:09 -0700 2009 fixed how to specify nested params to be more sane [cjbottaro]
directory tasks/ Sun May 18 19:45:13 -0700 2008 moving over from svn [Christopher J. Bottaro]
directory test/ Tue Mar 17 13:01:09 -0700 2009 fixed how to specify nested params to be more sane [cjbottaro]
file uninstall.rb Sun May 18 19:45:13 -0700 2008 moving over from svn [Christopher J. Bottaro]

ParamProtected

========

Summary

This plugin provides two class methods on ActionController::Base that filter the params hash for that controller’s actions. You can think of them as the controller analog of attr_protected and attr_accessible.

Author

Christopher J. Bottaro

Usage

 class YourController < ActionController::Base
   param_protected <param_name>, <options>
   param_accessible <param_name>, <options>

   ...
 end

param_name can be a String, Symbol, or Array of Strings and/or Symbols.

options is a Hash that has one of two keys: :only or :except. The value for these keys is a String, Symbol, or Array of Strings and/or Symbols which denotes the action(s) for which to protect params.

Examples

Blacklisting

Any of these combinations should work.

 param_protected :client_id
 param_protected [:client_id, :user_id]
 param_protected :client_id, :only => 'my_action'
 param_protected :client_id, :except => [:your_action, :my_action]

Whitelisting

Any of these combinations should work.

 param_accessible :client_id
 param_accessible [:client_id, :user_id]
 param_accessible :client_id, :only => 'my_action'
 param_accessible :client_id, :except => [:your_action, :my_action]

Nested Params

You can use combinations of arrays and hashes to specify nested params, much the same way ActiveRecord::Base#find’s :include argument works.

 param_accessible [:account_name, { :user => [:first_name, :last_name, :address => [:street, :city, :state]] }]
 param_protected [:id, :password, { :user => [:id, :password] }]
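
To make the nested specs concrete, here is an added sketch (not the plugin's own code) that applies the two specs above to a constructed params hash in plain Ruby. The helper names normalize_spec, filter_accessible and filter_protected are hypothetical, and the semantics shown (string keys, a nested spec applying only to Hash values, unlisted keys passing through the blacklist) are assumptions of this sketch rather than behaviour taken from the plugin's source.

```ruby
# Added sketch, not the plugin's code: plain Ruby, no Rails, string keys.
# Builds a tree from a spec; nil marks a leaf, a Hash marks a nested spec.
def normalize_spec(spec)
  case spec
  when Hash
    spec.each_with_object({}) { |(k, v), tree| tree[k.to_s] = normalize_spec(v) }
  when Array
    spec.each_with_object({}) { |item, tree| tree.merge!(normalize_spec(item)) }
  else
    { spec.to_s => nil }
  end
end

# Whitelist (param_accessible style): keep only what the spec names.
def filter_accessible(params, tree)
  params.each_with_object({}) do |(key, value), kept|
    next unless tree.key?(key)
    if tree[key].nil?
      kept[key] = value                    # leaf: keep the whole value
    elsif value.is_a?(Hash)
      kept[key] = filter_accessible(value, tree[key])
    end                                    # scalar under a nested spec: dropped
  end
end

# Blacklist (param_protected style): drop what the spec names, keep the rest.
def filter_protected(params, tree)
  params.each_with_object({}) do |(key, value), kept|
    if !tree.key?(key)
      kept[key] = value                    # unlisted keys pass through
    elsif tree[key] && value.is_a?(Hash)
      kept[key] = filter_protected(value, tree[key])
    end                                    # named leaf, or scalar under a nested spec: dropped
  end
end

# Constructed sample params; "role" and "zip" appear in neither spec.
SAMPLE = {
  "id" => "7", "account_name" => "acme", "role" => "admin",
  "user" => { "id" => "1", "password" => "x", "first_name" => "Ann",
              "address" => { "street" => "1 Main", "zip" => "00000" } }
}
# The two specs from the nested-params examples above.
ACCESSIBLE = normalize_spec([:account_name, { :user => [:first_name, :last_name, :address => [:street, :city, :state]] }])
PROTECTED  = normalize_spec([:id, :password, { :user => [:id, :password] }])

p filter_accessible(SAMPLE, ACCESSIBLE)    # "role" and "zip" are gone
p filter_protected(SAMPLE, PROTECTED)      # "role" and "zip" survive
```

The whitelist result contains only named keys, while the blacklist result still carries "role" and "zip", which is the practical reason to prefer param_accessible for params that feed mass assignment.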

Caveats

Both param_protected and param_accessible are really just calls to prepend_before_filter. Thus any methods in your filter chain that run before either of these methods will have full access to the unprotected params Hash.