Rails parameter whitelisting for controllers to increase security
AcceptParams
============

This plugin adds parameter whitelisting, type checking, and validation at the controller level
to a Rails application.  While model-level validations are good for some situations, in most
cases there are input parameters which are either not part of a model, or which you want to
verify before executing lots of (potentially unsafe) code just to have your model raise an
error.  Examples include:

* page numbers for pagination
* search strings

In addition, this plugin provides several extended capabilities which come in handy:

* type checking of parameters (e.g., integers vs. strings)
* automatic type casting of parameters (helps with plugins such as +will_paginate+)


Example
=======

  # GET /channels
  # GET /channels.xml
  def index
    accept_params do |p|
      p.integer :page, :default => 1, :minvalue => 1
      p.integer :per_page, :default => 50, :minvalue => 1
    end
  end


  # POST /rating
  # POST /rating.xml
  def create
    accept_params do |p|
      p.namespace :rating do |p|
        p.integer :user_id, :required => true, :minvalue => 1
        p.integer :rating,  :required => true
        # :process receives the (already cast) value and returns the cleaned one
        p.string  :comments, :process => Proc.new { |value| my_value_cleaner(value) }
      end
    end

    @rating = Rating.new(params[:rating])
    @rating.save

    # format/response code
  end


  # GET /players/1
  # GET /players/1.xml
  def show
    accept_only_id
    @player = Player.find(params[:id])

    respond_to do |format|
      format.html # show.html.erb
      format.xml  { render :xml => @player }
    end
  end
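To make the whitelist / cast / validate pipeline of the +create+ action above concrete, here is a
stand-alone sketch added to this README; it is not the plugin's own code, and the names
+ParamSpec+, +BadParam+, +accept_rating+ and +SAMPLE_PARAMS+ are assumptions.  It shows what a
caller gets back: a hash with only the declared keys, cast to their types, and an error for
anything that fails a check.

```ruby
class BadParam < StandardError; end

# Collects the declarations made inside an accept_params-style block (added example, not the plugin).
class ParamSpec
  def initialize; @rules = []; end
  def integer(name, opts = {}); @rules << [name, :integer, opts]; end
  def string(name, opts = {});  @rules << [name, :string,  opts];  end
  def namespace(name, &block)                 # nested hash such as params[:rating]
    sub = ParamSpec.new; block.call(sub); @rules << [name, :namespace, sub]
  end

  # Returns a new hash holding only declared keys, cast and validated; undeclared keys are dropped.
  def accept(params)
    @rules.inject({}) do |out, (name, type, opts)|
      raw = params[name]
      if type == :namespace                     # opts is the nested ParamSpec here
        raise BadParam, "#{name} must be a hash" unless raw.nil? || raw.is_a?(Hash)
        out[name] = opts.accept(raw || {})
      elsif raw.nil?
        raise BadParam, "#{name} is required" if opts[:required]
        out[name] = opts[:default] if opts.key?(:default)
      else
        value = cast(name, type, raw)
        raise BadParam, "#{name} must be >= #{opts[:minvalue]}" if opts[:minvalue] && value < opts[:minvalue]
        out[name] = opts[:process] ? opts[:process].call(value) : value
      end
      out
    end
  end

  def cast(name, type, raw)                   # strict: "12abc" is not an integer
    return raw.to_s unless type == :integer
    raise BadParam, "#{name} must be an integer" unless raw.to_s =~ /\A-?\d+\z/
    raw.to_i
  end
end

# Mirrors the README's create action: declare the parameters, then hand on only the accepted hash.
def accept_rating(params)
  spec = ParamSpec.new
  spec.namespace(:rating) do |p|
    p.integer :user_id, :required => true, :minvalue => 1
    p.integer :rating,  :required => true
    p.string  :comments, :process => lambda { |v| v.strip }
  end
  spec.accept(params)
end

# Constructed request params: string values as a form posts them, plus an undeclared :admin key.
SAMPLE_PARAMS = { :rating => { :user_id => "7", :rating => "4", :comments => "  great  ", :admin => "1" } }
```

+accept_rating(SAMPLE_PARAMS)+ returns +{ :rating => { :user_id => 7, :rating => 4, :comments => "great" } }+;
the +:admin+ key never reaches +Rating.new+, and a missing, non-numeric or out-of-range +user_id+ raises +BadParam+ before any model code runs.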

Copyright (c) 2008 Nate Wiger, http://drunkgenius.com.  All Rights Reserved.

This code is released under the Artistic License.