Filter unwanted params from your controllers/actions in your Rails app. Provides param_protected and param_accessible analogous to ActiveRecord's attr_protected and attr_accessible.
Ruby
Switch branches/tags
Nothing to show
Pull request Compare This branch is 2 commits ahead of roidrage:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
lib
tasks
test
.gitignore
CHANGELOG
README.rdoc
Rakefile
VERSION
init.rb
install.rb
param_protected.gemspec
uninstall.rb

README.rdoc

Summary

This plugin provides two class methods on ActiveController::Base that filter the params hash for that controller's actions. You can think of them as the controller analog of attr_protected and attr_accessible.

Installation

Put in your environment.rb file…

config.gem "cjbottaro-param_protected", :lib => "param_protected", :source => "http://gems.github.com"

Alternatively, just install the gem from the command line and require "param_protected" somewhere in your project.

Usage

class YourController < ActiveController::Base
  param_protected <param_name> <options>
  param_accessible <param_name> <options>

  ...
end

param_name can be a String, Symbol, or Array of Strings and/or Symbols.

options is a Hash that has one of two keys: :only or :except. The value for these keys is a String, Symbol, or Array of Strings and/or Symbols which denotes to the action(s) for which params to protect.

Examples

Blacklisting

Any of these combinations should work.

param_protected :client_id
param_protected [:client_id, :user_id]
param_protected :client_id, :only => 'my_action'
param_protected :client_id, :except => [:your_action, :my_action]

Whitelisting

Any of these combinations should work.

param_accessible :client_id
param_accessible :[:client_id, :user_id]
param_accessible :client_id, :only => 'my_action'
param_accessible :client_id, :except => [:your_action, :my_action]

Nested Params

You can use combinations of arrays and hashes to specify nested params, much the same way ActiveRecord::Base#find's :include argument works.

param_accessible [:account_name, { :user => [:first_name, :last_name, :address => [:street, :city, :state]] }]
param_protected [:id, :password, { :user => [:id, :password] }]

How does it work?

It does an alias_method_chain on ActionController::Base#params that filters (and caches) the params. You can get the unfiltered, pristine params by calling ActionController::Base#params_without_protection.

Author

Christopher J. Bottaro