Skip to content


Subversion checkout URL

You can clone with
Download ZIP
Adapter to allow cancan to work with strong_parameters
Latest commit 74e48de @colinyoung Release v0.4 (Rails 3 and 4 compatibility.)
Acknowledge @sespindola and @seifsallam in Readme.
Failed to load latest commit information.
lib Release v0.4 (Rails 3 and 4 compatibility.)
test Use correct format so tests will pass.
.gitignore 1.8.7 backwards compatibility. rails/strong_parameters has it, so we …
.travis.yml 1.8.7 backwards compatibility. rails/strong_parameters has it, so we …
LICENSE First commit Release v0.4 (Rails 3 and 4 compatibility.)
Rakefile Now that dependence on strong_parameters is removed, manually bring i…
cancan_strong_parameters.gemspec Now that dependence on strong_parameters is removed, manually bring i…


strong_parameters and CanCan (and others, like ActiveAdmin) are friends now!

This gem makes it easy to control the authorization of params used by CanCan.

Build Status


The majority of this gem is credited to @mckeed, who posted this gist: I (@colinyoung) helped put some of it together.


Add this line to your application's Gemfile:

gem 'cancan_strong_parameters'

And then execute:

$ bundle

Or install it yourself as:

$ gem install cancan_strong_parameters

Rails 3

Rails 3 users must require strong_parameters in their Gemfiles manually.

gem 'strong_parameters', '>= 0.1.6'

Alternatively, you can use versions of this gem below 0.3.


  1. Add gem "cancan_strong_parameters" to your Gemfile
  2. In your controllers, wherever you use load_and_authorize_resource (and similar CanCan methods), also permit your parameters:

    class PostsController < ApplicationController
      permit_params :body, tags: [:name]
      # --> permit_params allows parameters but doesn't require them.
      # In the preceding, :tags are a nested resource of post, while
      # :body is an attribute of a Post.
      # :tags is plural here because it's a has_many association, but
      # you should use a singular key for a has_one.
      require_params :title
      # --> require_params works exactly the same, but throws an error
      # if the parameter isn't provided.
      # You can also require/permit params on create or update only:
      permit_params_on_create ...
      permit_params_on_update ...
      require_params_on_create ...
  3. Finally, don't forget to make the vars you use in your controllers accessible in your models:

    class Post < ActiveRecord::Base
      attr_accessible :title, :body, :tags_attributes


Credit: @jlee42

With 0.3, cancan_strong_parameters now supports checkboxes in forms, like tag_ids.

In order to avoid confusion with other nested attributes in a call to permit_params, please use the actual Array class object:

class BlogPost < ActiveModel::Base
  permit_params :title, :content, tag_ids: Array

Usage with other gems

It's possible to use cancan_strong_parameters with other gems, like Active Admin:

ActiveAdmin.register Member do
  controller do
    permit_params :project_id, :name, :email

(Thanks to @joshhepworth!)


Run with bundle exec rake test.


First, thank you to @joshhepworth, @sespindola, and @seifsallam for their code and issue contributions.

To become a contributor:

  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Added some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create new Pull Request


  • Fixed docs to be compatible with 0.1.5.
  • Fixed some issues with nested form subfields in permit_params
  • Made compatible for nested forms
  • Added default allows for _destroy.
  • Tests pass in Travis.
  • Fixes for irregular parameters posted like {"child_attributes" => {"0" => {}}}.
  • Fixed a major security problem where I was manually inserting IDs - should be allowed by default, but not manually added
Something went wrong with that request. Please try again.