Protector and Strong Parameters

Boris Staal edited this page Jul 13, 2013 · 8 revisions

Protector comes with Strong Parameters integration. It makes Strong Parameters be aware of your security scopes: when you assign protected parameters to a restricted entity, Protector automatically permits values that are white-listed. This way security scopes extend to controllers keeping your code DRY and security rules centralised.

Activation

If you are on Rails >= 4.0, integration is already active.

For the earlier releases where you might be using Strong Parameters as a gem, you have to manually include it into the ActiveRecord:

ActiveRecord::Base.send(:include, ActiveModel::ForbiddenAttributesProtection)

To activate integration, extend it with the following code:

ActiveRecord::Base.send(:include, Protector::ActiveRecord::StrongParameters)

Deactivation

Use Protector.config.strong_parameters = false to deactivate the integration. Alternatively you can use config.protector.strong_parameters at any of the Rails configuration files.

Usage example

class Foo
  protect
    can :create, :foo
    can :update, :bar
  end
end

Here's what going to happen at controller level:


Unrestricted entities do not change the behaviour. According to Strong Parameters policy the following code is raising ForbiddenAttributes exception since foo is not explicitly permitted.

params.inspect # => {:foo => true}
Foo.new(params)

foo is automatically permitted so the following code is not raising any errors:

params.inspect # => {:foo => true}
Foo.restrict!(current_user).new(params)

Protector distracts creation from updating and only permits fields that are really suitable. In the next example, Strong Parameters raise exception since bar is not allowed for creation (only for updating):

params.inspect # => {:foo => true, :bar => false}
Foo.restrict!(current_user).new(params)

Automatic permitting can be combined with the manual one. The following code is not raising any exceptions:

params.inspect # => {:foo => true, :bar => false}
Foo.restrict!(current_user).new(params.permit(:bar))