ParamProtected

========

Summary

This plugin provides two class methods on ActiveController::Base that filter the params hash for that controller’s actions. You can think of them as the controller analog of attr_protected and attr_accessible.

Author

Christopher J. Bottaro

Usage

 class YourController < ActiveController::Base
   param_protected <param_name> <options>
   param_accessible <param_name> <options>

   ...
 end

param_name can be a String, Symbol, or Array of Strings and/or Symbols.

options is a Hash that has one of two keys: :only or :except. The value for these keys is a String, Symbol, or Array of Strings and/or Symbols which denotes to the action(s) for which params to protect. You may also use a Proc to return an array of action names as strings. This Proc will be run in the context of the controller.

Examples

Blacklisting

Any of these combinations should work.

 param_protected :client_id
 param_protected [:client_id, :user_id]
 param_protected :client_id, :only => 'my_action'
 param_protected :client_id, :except => [:your_action, :my_action]

Whitelisting

Any of these combinations should work.

 param_accessible :client_id
 param_accessible :[:client_id, :user_id]
 param_accessible :client_id, :only => 'my_action'
 param_accessible :client_id, :except => [:your_action, :my_action]

Nested Params

You can use combinations of arrays and hashes to specify nested params, much the same way ActiveRecord::Base#find’s :include argument works.

 param_accessible [:account_name, :user => [:first_name, :last_name, :address => [:street, :city, :state]]]
 param_protected [:id, :password, :user => [:id, :password]]

Caveats

Both param_protected and param_accessible are really just calls to prepend_before_filter. Thus any methods in your filter chain that run before either of these methods will have full access to the unprotected params Hash.