New devise_attr_accessible option

[VadimPushtaev]

Following #716

Problem

Devise uses update_attributes in its controllers, so fields like :name and :password should be attr_accessible in your model. But it should be client's decision, not Devises's, what fields should be attr_accessible. Some people prefer to control all params by their own, for example.

There must be a way to say to Devise "don't rely on attr_accessible". But in this case, we want to provide some list of acceptable attributes to Devise so it can control them by its own.

Solution

I implement new option: devise_attr_accissble.

If it is set:

1. Devise uses update_attributes params, :without_protection => true, so attr_accessible doesn't matter anymore.
2. Devise checks that any param in resource is among devise_attr_accissble list.

Example

This is going to work:

class User < ActiveRecord::Base
  devise :database_authenticatable, :registerable, :encryptable,
         :recoverable, :rememberable, :trackable, :validatable, :confirmable,
         :devise_attr_accessible => [ :name, :password, :password_confirmation ]

  attr_accessible #nothing
end

[josevalim]

I will leave this open, but if we are going to solve this problem, it should be along the same lines as Rails 4 parameter. I.e. moving the logic to the controller instead of the model.

[VadimPushtaev]

Could you please explain what do you mean? What's "Rails 4 parameter"? Thanks in advance.

[rafaelfranca]

@VadimPushtaev see http://edgeguides.rubyonrails.org/security.html#mass-assignment-countermeasures and https://github.com/rails/strong_parameters

[VadimPushtaev]

@rafaelfranca Thanks, I love this! ProtectedAttributes disgruntles me so much.

@josevalim As far as I understand, something like my devise_attr_accessible will be necessary in Rails 4 controller, but still optional in Rails 3. Do you want to defer my commit until you start to think about new default Devise controller? Do you have any plan about it? It would be awesome to join them :)

[rewritten]

On the contrary, the Devise controller can mark the params as permitted, so it will enable any field update. This is probably the whole point of the StrongParameters, to move the "accessibility" of parameters into the controllers, where it belong. So the Devise controller can ensure just :name and :password are accepted in the password reset screen.

[VadimPushtaev]

As far as I understand it's up to programmer to add some field in password reset screen. And devise should know about this.

[josevalim]

This was closed in favor of #2172 which also includes a way to handle the parameters permission in the controller.