public
Description: Restrict the params which we allow to get through to the action
Homepage:
Clone URL: git://github.com/jonleighton/restrict_params.git
jonleighton (author)
Fri Sep 05 14:29:54 -0700 2008
commit  6edfa686a1b24c150c9d9abebf323eb8a53f972c
tree    4060942c937641b5bdedfb3ebf236f1a14b41a5d
parent  d7ed285cc9436cf1d9cbbf74ebfe9a501687e367
README.textile

Restrict Params

Restrict Params is a Rails plugin which enables you to specify a finite set of keys
which can appear in the parameters being passed to an action.

Why?

If you use a RESTful architecture, you use the create and update actions to modify
resources. Depending on the access priveliges of the application, you might want to,
for example, allow admins to modify all attributes of a Company model, but only allow
general users to modify the “notes” attribute.

Example

class CompaniesController < ApplicationController
  restrict_params :to => [:notes], :only => :update, :if => "!current_user.admin?"
end

The plugin will look at the class name of your controller and figure out that we need
to inspect params[:company]. If current_user.admin? is false, it will delete all items
from params[:company] except :notes.

See also

There is a similar merb plugin called
merb_param_protection.