Action Controller Parameters
Allows to choose which attributes should be whitelisted for mass updating and thus prevent accidentally exposing that which shouldn’t be exposed. Provides two methods for this purpose: require and permit. The former is used to mark parameters as required. The latter is used to set the parameter as permitted and limit which attributes should be allowed for mass updating.
params = ActionController::Parameters.new({
person: {
name: 'Francesco',
age: 22,
role: 'admin'
}
})
permitted = params.require(:person).permit(:name, :age)
permitted # => {"name"=>"Francesco", "age"=>22}
permitted.class # => ActionController::Parameters
permitted.permitted? # => true
Person.first.update!(permitted)
# => #<Person id: 1, name: "Francesco", age: 22, role: "user">
It provides two options that controls the top-level behavior of new instances:
-
permit_all_parameters
- If it'strue
, all the parameters will be permitted by default. The default isfalse
. -
action_on_unpermitted_parameters
- Allow to control the behavior when parameters that are not explicitly permitted are found. The values can be:log
to write a message on the logger or:raise
to raise ActionController::UnpermittedParameters exception. The default value is:log
in test and development environments,false
otherwise.
Examples:
params = ActionController::Parameters.new
params.permitted? # => false
ActionController::Parameters.permit_all_parameters = true
params = ActionController::Parameters.new
params.permitted? # => true
params = ActionController::Parameters.new(a: "123", b: "456")
params.permit(:c)
# => {}
ActionController::Parameters.action_on_unpermitted_parameters = :raise
params = ActionController::Parameters.new(a: "123", b: "456")
params.permit(:c)
# => ActionController::UnpermittedParameters: found unpermitted keys: a, b
ActionController::Parameters
is inherited from
ActiveSupport::HashWithIndifferentAccess
, this means that you
can fetch values using either :key
or
"key"
.
params = ActionController::Parameters.new(key: 'value')
params[:key] # => "value"
params["key"] # => "value"
- #
- C
- D
- F
- N
- P
- R
- S
NEVER_UNPERMITTED_PARAMS | = | %w( controller action ) |
Never raise an UnpermittedParameters exception because of these params are present. They are added by Rails and it's of no concern. |
||
PERMITTED_SCALAR_TYPES | = | [ String, Symbol, NilClass, Numeric, TrueClass, FalseClass, Date, Time, # DateTimes are Dates, we document the type but avoid the redundant check. StringIO, IO, ActionDispatch::Http::UploadedFile, Rack::Test::UploadedFile, ] |
This is a white list of permitted scalar types that includes the ones supported in XML and JSON requests. This list is in particular used to filter ordinary requests, String goes as first element to quickly short-circuit the common case. If you modify this collection please update the API of |
||
EMPTY_ARRAY | = | [] |
Returns a new instance of ActionController::Parameters
. Also,
sets the permitted
attribute to the default value of
ActionController::Parameters.permit_all_parameters
.
class Person < ActiveRecord::Base
end
params = ActionController::Parameters.new(name: 'Francesco')
params.permitted? # => false
Person.new(params) # => ActiveModel::ForbiddenAttributesError
ActionController::Parameters.permit_all_parameters = true
params = ActionController::Parameters.new(name: 'Francesco')
params.permitted? # => true
Person.new(params) # => #<Person id: nil, name: "Francesco">
Returns a parameter for the given key
. If not found, returns
nil
.
params = ActionController::Parameters.new(person: { name: 'Francesco' })
params[:person] # => {"name"=>"Francesco"}
params[:none] # => nil
Attribute that keeps track of converted arrays, if any, to avoid double looping in the common use case permit + mass-assignment. Defined in a method to instantiate it only if needed.
Returns an exact copy of the ActionController::Parameters
instance. permitted
state is kept on the duped object.
params = ActionController::Parameters.new(a: 1)
params.permit!
params.permitted? # => true
copy_params = params.dup # => {"a"=>1}
copy_params.permitted? # => true
Returns a parameter for the given key
. If the key
can't be found, there are several options: With no other arguments, it
will raise an ActionController::ParameterMissing
error; if
more arguments are given, then that will be returned; if a block is given,
then that will be run and its result returned.
params = ActionController::Parameters.new(person: { name: 'Francesco' })
params.fetch(:person) # => {"name"=>"Francesco"}
params.fetch(:none) # => ActionController::ParameterMissing: param not found: none
params.fetch(:none, 'Francesco') # => "Francesco"
params.fetch(:none) { 'Francesco' } # => "Francesco"
Returns a new ActionController::Parameters
instance that
includes only the given filters
and sets the
permitted
attribute for the object to true
. This
is useful for limiting which attributes should be allowed for mass
updating.
params = ActionController::Parameters.new(user: { name: 'Francesco', age: 22, role: 'admin' })
permitted = params.require(:user).permit(:name, :age)
permitted.permitted? # => true
permitted.has_key?(:name) # => true
permitted.has_key?(:age) # => true
permitted.has_key?(:role) # => false
Only permitted scalars pass the filter. For example, given
params.permit(:name)
:name
passes it is a key of params
whose
associated value is of type String
, Symbol
,
NilClass
, Numeric
, TrueClass
,
FalseClass
, Date
, Time
,
DateTime
, StringIO
, IO
,
ActionDispatch::Http::UploadedFile
or
Rack::Test::UploadedFile
. Otherwise, the key
:name
is filtered out.
You may declare that the parameter should be an array of permitted scalars by mapping it to an empty array:
params = ActionController::Parameters.new(tags: ['rails', 'parameters'])
params.permit(tags: [])
You can also use permit
on nested parameters, like:
params = ActionController::Parameters.new({
person: {
name: 'Francesco',
age: 22,
pets: [{
name: 'Purplish',
category: 'dogs'
}]
}
})
permitted = params.permit(person: [ :name, { pets: :name } ])
permitted.permitted? # => true
permitted[:person][:name] # => "Francesco"
permitted[:person][:age] # => nil
permitted[:person][:pets][0][:name] # => "Purplish"
permitted[:person][:pets][0][:category] # => nil
Note that if you use permit
in a key that points to a hash, it
won't allow all the hash. You also need to specify which attributes
inside the hash should be whitelisted.
params = ActionController::Parameters.new({
person: {
contact: {
email: 'none@test.com',
phone: '555-1234'
}
}
})
params.require(:person).permit(:contact)
# => {}
params.require(:person).permit(contact: :phone)
# => {"contact"=>{"phone"=>"555-1234"}}
params.require(:person).permit(contact: [ :email, :phone ])
# => {"contact"=>{"email"=>"none@test.com", "phone"=>"555-1234"}}
# File actionpack/lib/action_controller/metal/strong_parameters.rb, line 263 def permit(*filters) params = self.class.new filters.flatten.each do |filter| case filter when Symbol, String permitted_scalar_filter(params, filter) when Hash then hash_filter(params, filter) end end unpermitted_parameters!(params) if self.class.action_on_unpermitted_parameters params.permit! end
Sets the permitted
attribute to true
. This can be
used to pass mass assignment. Returns self
.
class Person < ActiveRecord::Base
end
params = ActionController::Parameters.new(name: 'Francesco')
params.permitted? # => false
Person.new(params) # => ActiveModel::ForbiddenAttributesError
params.permit!
params.permitted? # => true
Person.new(params) # => #<Person id: nil, name: "Francesco">
Returns true
if the parameter is permitted, false
otherwise.
params = ActionController::Parameters.new
params.permitted? # => false
params.permit!
params.permitted? # => true
Ensures that a parameter is present. If it's present, returns the
parameter at the given key
, otherwise raises an
ActionController::ParameterMissing
error.
ActionController::Parameters.new(person: { name: 'Francesco' }).require(:person)
# => {"name"=>"Francesco"}
ActionController::Parameters.new(person: nil).require(:person)
# => ActionController::ParameterMissing: param not found: person
ActionController::Parameters.new(person: {}).require(:person)
# => ActionController::ParameterMissing: param not found: person
Returns a new ActionController::Parameters
instance that
includes only the given keys
. If the given keys
don't exist, returns an empty hash.
params = ActionController::Parameters.new(a: 1, b: 2, c: 3)
params.slice(:a, :b) # => {"a"=>1, "b"=>2}
params.slice(:d) # => {}