Add Support for Strong Parameters (1.6) #838


madmax commented Mar 16, 2013


This pull request adds support for strong parameters.

class PostController

  def post_params
    params.fetch(:post, {}).permit(:title, :content)
  end
end

This is for the 1.6 version.

This still gives an error on the new action when the require(:param) is present.

madmax commented Apr 2, 2013

@hellojere when you look at the Rails guides, there is a nice example of how to use strong parameters in the new/edit action



def blog_params
  params.fetch(:blog, {}).permit(:title, :author)
end

rmoriz commented Apr 12, 2013

Three issues:

  1. I can confirm @hellojere's problem.


    class AccountDomainsController < ApplicationController
      load_and_authorize_resource class: 'Domain'

      private

      def domain_params
        # ...
      end
    end

    Error: undefined method `permit' for nil:NilClass when accessing the `new` action

    • a fix would probably be to skip the method if there are no params?
    • workaround:
      params[:class] && params[:class].permit(:whatever)
  2. the params method should IMHO be named like the current controller/model instance, in my case account_domain_params

  3. Using 4.0.0b1 rails it looks like skipping the strong params check (e.g. removing the method or invalid naming) will not produce ANY error! include ActiveModel::ForbiddenAttributesProtection within the model does not help! Risky…

madmax commented Apr 12, 2013


  1. I wrote above how you should define the params method; it is a convention that you will find in the Rails guide.
  2. You can have multiple params methods in one controller.
  3. Did you try recent version from master branch?

rmoriz commented Apr 12, 2013


  1. what happens when you access the new action of your posts_controller example?
  2. but why not stick to the naming convention?
gem 'rails', github: 'rails/rails'
gem 'cancan', :github => 'moriz/cancan'   # which is ryanb/cancan master + your patch. https://github.com/moriz/cancan
  remote: git://github.com/rails/rails.git
  revision: 436d91869b7febc0030d79adea136add2f526e49
  remote: git://github.com/moriz/cancan.git
  revision: c1e86b9404be768a99f16128e68d944a5d365ce8

this definitely needs tests…

madmax commented Apr 13, 2013

@rmoriz read 4.5.3 More Examples from http://edgeguides.rubyonrails.org/action_controller_overview.html#strong-parameters

  1. params.fetch(:blog, {}).permit(:title, :author)
    will always return a hash even if :blog is empty.
  2. Convention was always model names. When you have a register form, the controller will get params[:user], not params[:register]; why do you then want to name it register_params if it is user_params?

But it is up to you how you name this parameter; just pass the class param like you did.
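
An added illustration, not part of this thread or of the CanCan code base: the `new`-action failure discussed above, contrasting `require` with `fetch(:post, {})`, and showing that `permit` drops an unlisted attribute. `FakeParams` is a hypothetical, simplified stand-in for `ActionController::Parameters` so the snippet runs without Rails; the request constants and helper names are assumptions too.

```ruby
# Simplified stand-in for ActionController::Parameters (assumption: it models
# only require/fetch/permit on flat attributes; it is not the Rails class).
class ParameterMissing < KeyError; end

class FakeParams
  def initialize(hash = {})
    @hash = hash.each_with_object({}) { |(k, v), h| h[k.to_s] = v }
  end

  # Like require: raises when the key is absent or its value is empty.
  def require(key)
    value = @hash[key.to_s]
    raise ParameterMissing, "param is missing or the value is empty: #{key}" if value.nil? || value.empty?
    wrap(value)
  end

  # Like fetch with a default: a missing key yields the default instead.
  def fetch(key, default)
    wrap(@hash.fetch(key.to_s, default))
  end

  # Keeps only the whitelisted keys; anything else is dropped.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    @hash.select { |k, _| allowed.include?(k) }
  end

  private

  def wrap(value)
    value.is_a?(Hash) ? FakeParams.new(value) : value
  end
end

# Constructed requests: GET new carries no :post key; the POST adds :admin.
NEW_REQUEST    = FakeParams.new({})
CREATE_REQUEST = FakeParams.new({ post: { title: "Hi", content: "Body", admin: true } })

def with_require(params)
  params.require(:post).permit(:title, :content)
rescue ParameterMissing => e
  "error: #{e.message}"
end

def with_fetch(params)
  params.fetch(:post, {}).permit(:title, :content)
end

p with_require(NEW_REQUEST), with_fetch(NEW_REQUEST), with_fetch(CREATE_REQUEST)
```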


xhoy commented Jul 1, 2014

Thanks for your submission! The ryanb/cancan repository has been inactive since Sep 06, 2013.
Since only Ryan himself has commit permissions, the CanCan project is at a standstill.

CanCan has many open issues, including missing support for Rails 4. To keep CanCan alive, an active fork exists at cancancommunity/cancancan. The new gem is cancancan. More info is available at #994.

If your pull request or issue is still applicable, it would be really appreciated if you resubmit it to CanCanCan.

We hope to see you on the other side!
