ParamProtected
This plugin provides two class methods on ActiveController::Base
that filter the params
hash for that controller’s actions. You can think of them as the controller analog of attr_protected
and attr_accessible
.
Christopher J. Bottaro
class YourController < ActiveController::Base param_protected <param_name> <options> param_accessible <param_name> <options> ... end
param_name
can be a String, Symbol, or Array of Strings and/or Symbols.
options
is a Hash that has one of two keys: :only
or :except
. The value for these keys is a String, Symbol, or Array of Strings and/or Symbols which denotes to the action(s) for which params to protect. You may also use a Proc to return an array of action names as strings. This Proc will be run in the context of the controller.
Any of these combinations should work.
param_protected :client_id param_protected [:client_id, :user_id] param_protected :client_id, :only => 'my_action' param_protected :client_id, :except => [:your_action, :my_action]
Any of these combinations should work.
param_accessible :client_id param_accessible :[:client_id, :user_id] param_accessible :client_id, :only => 'my_action' param_accessible :client_id, :except => [:your_action, :my_action]
You can use combinations of arrays and hashes to specify nested params, much the same way ActiveRecord::Base#find’s :include argument works.
param_accessible [:account_name, :user => [:first_name, :last_name, :address => [:street, :city, :state]]] param_protected [:id, :password, :user => [:id, :password]]
Both param_protected
and param_accessible
are really just calls to prepend_before_filter
. Thus any methods in your filter chain that run before either of these methods will have full access to the unprotected params
Hash.