merb-param-protection

This plugin exposes three new controller methods which allow us to simply and flexibly filter the parameters available within the controller.

Setup:

The request sets:

```ruby
params = {
  :post => {
    :title     => "ello",
    :body      => "Want it",
    :status    => "green",
    :author_id => 3,
    :rank      => 4
  }
}
```

Example 1: params_accessible

```ruby
class MyController < Application
  params_accessible :post => [:title, :body]
end
```

```ruby
params.inspect # => { :post => { :title => "ello", :body => "Want it" } }
```

So we see that params_accessible removes everything except what is explicitly specified: an allow-list, so any parameter the request adds that you did not list (here :status, :author_id and :rank) never reaches the action.

Example 2: params_protected

```ruby
class MyOtherController < Application
  params_protected :post => [:status, :author_id]
end
```

```ruby
params.inspect
# => { :post => { :title => "ello", :body => "Want it", :rank => 4 } }
```

We also see that params_protected removes only those parameters explicitly specified: a deny-list, so anything you did not name (here :rank) still passes through to the action.
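The two filtering styles above, as an added example that is not the plugin's own code. It reimplements the allow-list and deny-list behaviour on the README's request hash in plain Ruby; the `ParamFilter` class, its method names and the choice to pass unlisted top-level keys through unchanged are assumptions made for this illustration.

```ruby
# Added example (not merb-param-protection's implementation): a minimal
# allow-list / deny-list filter over nested request parameters.

# The request hash from the README, reconstructed as a plain Ruby Hash.
REQUEST_PARAMS = {
  post: {
    title: "ello",
    body: "Want it",
    status: "green",
    author_id: 3,
    rank: 4
  }
}.freeze

class ParamFilter
  # Allow-list (params_accessible style): for each nested key named in
  # +rules+, keep only the listed attributes. Anything the client sends that
  # is not listed is dropped, so an attribute added to the model later is
  # protected by default. Top-level keys not mentioned in +rules+ are passed
  # through unchanged (an assumption of this example).
  def self.allow_only(params, rules)
    params.each_with_object({}) do |(key, value), out|
      out[key] =
        if rules.key?(key) && value.is_a?(Hash)
          value.select { |attr, _| rules[key].include?(attr) }
        else
          value
        end
    end
  end

  # Deny-list (params_protected style): for each nested key named in
  # +rules+, remove only the listed attributes. Attributes the rule does not
  # mention (e.g. :rank) pass through, so every newly sensitive attribute
  # has to be added to the list explicitly or it leaks into the action.
  def self.strip_protected(params, rules)
    params.each_with_object({}) do |(key, value), out|
      out[key] =
        if rules.key?(key) && value.is_a?(Hash)
          value.reject { |attr, _| rules[key].include?(attr) }
        else
          value
        end
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  p ParamFilter.allow_only(REQUEST_PARAMS, post: [:title, :body])
  # => {:post=>{:title=>"ello", :body=>"Want it"}}
  p ParamFilter.strip_protected(REQUEST_PARAMS, post: [:status, :author_id])
  # => {:post=>{:title=>"ello", :body=>"Want it", :rank=>4}}
end
```

Neither method mutates the incoming hash, which matters when the same params object is later inspected or logged; the difference between the two is what happens to attributes nobody thought about, and that is why the allow-list form fails closed.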

Sometimes you have certain post parameters that are best left unlogged; we support that too. Your actions continue to receive the variable correctly, but the requested parameters are scrubbed at log time.

```ruby
class MySuperDuperController < Application
  log_params_filtered :password
end
```

```ruby
params.inspect
# => { :username => 'atmos', :password => '[FILTERED]' }
```
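The log-time scrubbing described above, as an added example that is not the plugin's own code. It shows the property the README relies on: the action keeps the real value while the copy that reaches the log has the filtered keys replaced. The `scrub_for_log` and `log_line` helpers and the sample request (only the username 'atmos' comes from the README; the password and nested profile are constructed) are assumptions of this illustration.

```ruby
# Added example (not merb-param-protection's implementation): build a
# scrubbed copy of the params for logging without touching the original.

FILTERED = "[FILTERED]".freeze

# Returns a new structure in which every value stored under a filtered key
# is replaced by FILTERED. Nested hashes and arrays are walked, so a
# :password inside a nested :profile hash is scrubbed as well. Keys are
# compared as symbols so string-keyed request hashes are handled too.
# The input is never modified.
def scrub_for_log(value, filtered_keys)
  case value
  when Hash
    value.each_with_object({}) do |(k, v), out|
      out[k] = filtered_keys.include?(k.to_sym) ? FILTERED : scrub_for_log(v, filtered_keys)
    end
  when Array
    value.map { |v| scrub_for_log(v, filtered_keys) }
  else
    value
  end
end

# Constructed sample request; only the username is taken from the README.
LOGIN_PARAMS = {
  username: "atmos",
  password: "hunter2",
  profile: { password: "again", nick: "a" }
}.freeze

# What would be written to the request log: the scrubbed copy, not the
# params the action runs with.
def log_line(params, filtered_keys)
  "Parameters: #{scrub_for_log(params, filtered_keys).inspect}"
end

if __FILE__ == $PROGRAM_NAME
  puts log_line(LOGIN_PARAMS, [:password])
  # the action still sees the real value:
  puts LOGIN_PARAMS[:password]
end
```

Scrubbing recursively rather than only at the top level is the detail worth checking in any such filter: a password that arrives nested under another key, or inside an array of hashes, is just as sensitive in a log file.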