param_protected

=== Summary This plugin provides two class methods on ActiveController::Base that filter the params hash for that controller's actions. You can think of them as the controller analog of attr_protected and attr_accessible.

=== Installation

==== Rails 2.3.x

gem install param_protected -v "~> 1.0.0"

==== Rails 3.0.x

gem "param_protected", "~> 2.0.0"

Thanks to {jonleighton}[http://github.com/jonleighton] for the Rails 3 port.

==== Rails 3.1.x

gem "param_protected", "~> 3.0.0"

Thanks to {gucki}[https://github.com/gucki] for the Rails 3.1 port.

=== Usage class YourController < ActiveController::Base param_protected <param_name> param_accessible <param_name>

... end param_name can be a String, Symbol, or Array of Strings and/or Symbols.

options is a Hash that has one of two keys: :only or :except. The value for these keys is a String, Symbol, or Array of Strings and/or Symbols which denotes to the action(s) for which params to protect.

=== Blacklisting Any of these combinations should work. param_protected :client_id param_protected [:client_id, :user_id] param_protected :client_id, :only => 'my_action' param_protected :client_id, :except => [:your_action, :my_action]

=== Whitelisting Any of these combinations should work. param_accessible :client_id param_accessible :[:client_id, :user_id] param_accessible :client_id, :only => 'my_action' param_accessible :client_id, :except => [:your_action, :my_action]

=== Nested Params You can use combinations of arrays and hashes to specify nested params, much the same way ActiveRecord::Base#find's :include argument works. param_accessible [:account_name, { :user => [:first_name, :last_name, :address => [:street, :city, :state]] }] param_protected [:id, :password, { :user => [:id, :password] }]

=== Merging If you call param_protected or param_accessible multiple times for an action or actions, then the protections will be merged. For example... param_protected [:id, :user], :only => :some_action param_protected [{ :user => [:first, :last] }, :password], :only => :some_action Is equivalent to saying... param_protected [:id, { :user => [:first, :last] }, :password], :only => :some_action

Credit: Moritz Heidkamp

=== Inheritance Param protections will be inherited to derived controllers.

Credit: Moritz Heidkamp

=== Conditions You can conditionally protect params... param_protected :admin, :unless => "user_is_admin?" param_accessible :admin, :if => :user_is_admin? param_protected :admin, :unless => Proc.new{ |controller| controller.user_is_admin? }

Credit: Mortiz Heidkamp

== Regular Expressions You can use regular expressions when specifying which params to make protected or accessible. param_accessible /item\d/

Credit: Mortiz Heidkamp

=== How does it work? It does an alias_method_chain on ActionController::Base#params that filters (and caches) the params. You can get the unfiltered, pristine params by calling ActionController::Base#params_without_protection.

=== Original Author Christopher J. Bottaro - {cjbottaro}[http://github.com/cjbottaro]

=== Contributors Moritz Heidkamp - {DerGuteMoritz}[http://github.com/DerGuteMoritz]

Jon Leighton - {jonleighton}[http://github.com/jonleighton]

Corin Langosch - {gucki}[https://github.com/gucki]