README.rdoc

File metadata and controls

44 lines (34 loc) · 1.99 KB

ParamProtected

Summary

This plugin provides two class methods on ActionController::Base that filter the params hash for that controller's actions. You can think of them as the controller analog of attr_protected and attr_accessible.

Author

Christopher J. Bottaro

Usage

class YourController < ActionController::Base
  param_protected <param_name> <options>
  param_accessible <param_name> <options>

  ...
end

param_name can be a String, Symbol, or Array of Strings and/or Symbols.

options is a Hash with one of two keys: :only or :except. The value for either key is a String, Symbol, or Array of Strings and/or Symbols naming the action(s) to which the protection applies. You may also pass a Proc that returns an array of action names as strings; the Proc is run in the context of the controller.

Examples

Blacklisting

Any of these combinations should work.

param_protected :client_id
param_protected [:client_id, :user_id]
param_protected :client_id, :only => 'my_action'
param_protected :client_id, :except => [:your_action, :my_action]

Whitelisting

Any of these combinations should work.

param_accessible :client_id
param_accessible [:client_id, :user_id]
param_accessible :client_id, :only => 'my_action'
param_accessible :client_id, :except => [:your_action, :my_action]

Nested Params

You can use combinations of arrays and hashes to specify nested params, much the same way ActiveRecord::Base#find’s :include argument works.

param_accessible [:account_name, :user => [:first_name, :last_name, :address => [:street, :city, :state]]]
param_protected [:id, :password, :user => [:id, :password]]
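To make the Usage, Blacklisting/Whitelisting and Nested Params sections concrete without a Rails install, here is an added, stand-alone re-implementation of the filtering semantics the README describes. It is example code, not the plugin's own source: the module name ParamFilterDemo, the base class Controller, the two sample controllers, the demo method and the constructed params hash are all assumptions made for illustration. It applies a whitelist (param_accessible) or blacklist (param_protected) spec written in the README's array/hash notation, honours :only/:except given as String, Symbol, Array or Proc, and shows which keys of a submitted request survive.

```ruby
# Added example: stand-alone model of param_accessible / param_protected.
# Not the plugin's code; all names here are assumptions for illustration.
module ParamFilterDemo
  # Turn a spec such as [:a, :user => [:b, :c]] (or a bare :a) into
  # { "a" => true, "user" => { "b" => true, "c" => true } }.
  def self.normalize(spec)
    case spec
    when Hash  then spec.each_with_object({}) { |(k, v), h| h[k.to_s] = normalize(v) }
    when Array then spec.each_with_object({}) { |item, h| h.merge!(normalize(item)) }
    when nil   then {}
    else            { spec.to_s => true }
    end
  end

  # Whitelist: keep only keys named in the spec, recursing into nested hashes.
  def self.whitelist(params, spec)
    params.each_with_object({}) do |(k, v), out|
      rule = spec[k.to_s]
      next if rule.nil?
      out[k] = (rule == true || !v.is_a?(Hash)) ? v : whitelist(v, rule)
    end
  end

  # Blacklist: drop keys marked true in the spec, recursing into nested hashes.
  def self.blacklist(params, spec)
    params.each_with_object({}) do |(k, v), out|
      rule = spec[k.to_s]
      next if rule == true
      out[k] = (rule.nil? || !v.is_a?(Hash)) ? v : blacklist(v, rule)
    end
  end

  # Minimal stand-in for a controller class offering the README's DSL.
  class Controller
    def self.rules
      @rules ||= []
    end

    def self.param_protected(names, options = {})
      rules << [:protected, ParamFilterDemo.normalize(names), options]
    end

    def self.param_accessible(names, options = {})
      rules << [:accessible, ParamFilterDemo.normalize(names), options]
    end

    attr_reader :params

    def initialize(params)
      @params = params
    end

    # :only / :except may be a String, Symbol, Array or a Proc; the Proc is
    # evaluated in the controller instance's context, as the README states.
    def rule_applies?(options, action)
      names = lambda do |v|
        v = instance_exec(&v) if v.is_a?(Proc)
        Array(v).map(&:to_s)
      end
      return names.call(options[:only]).include?(action.to_s) if options.key?(:only)
      return !names.call(options[:except]).include?(action.to_s) if options.key?(:except)
      true
    end

    # Apply every rule registered on the class that matches this action.
    def filtered_params(action)
      self.class.rules.reduce(params) do |acc, (mode, spec, options)|
        next acc unless rule_applies?(options, action)
        mode == :accessible ? ParamFilterDemo.whitelist(acc, spec) : ParamFilterDemo.blacklist(acc, spec)
      end
    end
  end

  # Whitelist form, taken from the Nested Params section of the README.
  class AccountsController < Controller
    param_accessible [:account_name, :user => [:first_name, :last_name, :address => [:street, :city, :state]]]
  end

  # Blacklist form with an :except Proc run in the controller's context.
  class UsersController < Controller
    param_protected [:id, :password, :user => [:id, :password]], :except => proc { admin_actions }

    def admin_actions
      %w[admin_update]
    end
  end

  # Constructed request params (not real data) carrying keys a client should
  # never be able to set directly, at the top level and nested under :user.
  CONSTRUCTED_PARAMS = {
    "account_name" => "acme",
    "id" => "42",
    "password" => "hunter2",
    "user" => { "id" => "7", "password" => "x", "first_name" => "Ada",
                "address" => { "street" => "1 Main", "city" => "X", "country" => "Y" } },
    "admin" => "true"
  }.freeze

  def self.demo(controller_class, action)
    controller_class.new(CONSTRUCTED_PARAMS).filtered_params(action)
  end
end

if __FILE__ == $0
  p ParamFilterDemo.demo(ParamFilterDemo::AccountsController, :create)
  p ParamFilterDemo.demo(ParamFilterDemo::UsersController, :update)
  p ParamFilterDemo.demo(ParamFilterDemo::UsersController, :admin_update)
end
```

Running it shows the practical difference between the two modes: the whitelist keeps only account_name, user.first_name and the named address fields (the unexpected "admin" and "country" keys vanish along with every id and password), whereas the blacklist removes exactly id and password at both levels and lets everything else, including "admin", through. For the :admin_update action the :except Proc disables the rule and the params pass unfiltered.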

Caveats

Both param_protected and param_accessible are really just calls to prepend_before_filter. Thus any filter in your chain that runs before the one they install still has full access to the unfiltered params Hash.