ParamProtected
This plugin provides two class methods on ActiveController::Base that filter the params hash for that controller’s actions. You can think of them as the controller analog of attr_protected and attr_accessible.
Christopher J. Bottaro
class YourController < ActiveController::Base param_protected <param_name> <options> param_accessible <param_name> <options> ... end
param_name can be a String, Symbol, or Array of Strings and/or Symbols.
options is a Hash that has one of two keys: :only or :except. The value for these keys is a String, Symbol, or Array of Strings and/or Symbols which denotes to the action(s) for which params to protect. You may also use a Proc to return an array of action names as strings. This Proc will be run in the context of the controller.
Any of these combinations should work.
param_protected :client_id param_protected [:client_id, :user_id] param_protected :client_id, :only => 'my_action' param_protected :client_id, :except => [:your_action, :my_action]
Any of these combinations should work.
param_accessible :client_id param_accessible :[:client_id, :user_id] param_accessible :client_id, :only => 'my_action' param_accessible :client_id, :except => [:your_action, :my_action]
You can use combinations of arrays and hashes to specify nested params, much the same way ActiveRecord::Base#find’s :include argument works.
param_accessible [:account_name, { :user => [:first_name, :last_name, :address => [:street, :city, :state]] }] param_protected [:id, :password, { :user => [:id, :password] }]
Both param_protected and param_accessible are really just calls to prepend_before_filter. Thus any methods in your filter chain that run before either of these methods will have full access to the unprotected params Hash.