permitted_attributes always uses outer :require

[stephendolan]

I'm using Pundit in my API, and was going to try to filter parameters based on user role.

My issue is that instead of my requests being like the following for updating a user:

user: {
  first_name: "Test",
  last_name: "User"
}

They are formatted like this:

{
  first_name: "Test",
  last_name: "User"
}

The default method for permitted_attributes in Pundit source is here:

def permitted_attributes(record)
    name = record.class.to_s.demodulize.underscore
    params.require(name).permit(policy(record).permitted_attributes)
end

It would be great to have an options hash for this method that could specify something like not to use the .require(name) part.

[openface]

+1 agree.

Our API does not use root nodes either. We'll likely be hitting this same issue.

[jnicklas]

Pundit is all about conventions, and having params nested under a key is, like it or not, a very strong convention in the Rails world. It's really easy to override permitted_attributes to do whatever you want in your controller. If you're building an API which uses root level params, that's what you should do IMO. We can bend over backwards trying to accomodate all possible ways people might use Pundit, but I don't think that's a good idea.

Rather see Pundit as a set of ideas, and if they don't suit you somehow, it's easy to override them.