Skip to content
A gem to easily filter out unwanted parameters in ActionController.
Ruby
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.
lib
test
.gitignore
Gemfile
LICENSE
README.markdown
Rakefile
parameter_filter.gemspec

README.markdown

parameter_filter

Summary

ParameterFilter is a module to mix into ActionController subclasses. It inserts a before_filter which will automatically remove any fields in params that are not explicitly allowed.

Installation

Include the following in your Gemfile:

gem "parameter_filter"

Usage

For global security, include the following in your ApplicationController:

include ParameterFilter

Then, inside each of you controllers, specify what fields you want each action to receive:

# Accept user[email] and user[password] on the create and update actions.
accepts :fields => { :user => [ :email, :password ] }, :on => [ :create, :update ]

# Accept user[email] and user[password] on all actions.
accepts fields: { user: %w( email password ) } 

# Accept q on the search action.
accepts field: "q", on: "search"

# Accept q and sort on the search and index actions.
accepts fields: [ :q, :sort ], on: %w( search index )

ParameterFilter should be pretty flexible in what you throw at it.

NOTE: All actions are automatically allowed to receive :controller, :action and :id.

Something went wrong with that request. Please try again.