README

Path: README
Last Update: Tue Mar 25 02:50:15 +0000 2008

ParamProtected

========

Summary

This plugin provides two class methods on ActionController::Base that filter the params hash for that controller's actions. You can think of them as the controller analog of attr_protected and attr_accessible.

Author

Christopher J. Bottaro

Usage

 class YourController < ActionController::Base
   param_protected <param_name> <options>
   param_accessible <param_name> <options>

   ...
 end

param_name can be a String, Symbol, or Array of Strings and/or Symbols.

options is a Hash with one of two keys, :only or :except. The value for that key is a String, Symbol, or Array of Strings and/or Symbols naming the action(s) for which the params are filtered.

Examples

Blacklisting

Any of these combinations should work.

 param_protected :client_id
 param_protected [:client_id, :user_id]
 param_protected :client_id, :only => 'my_action'
 param_protected :client_id, :except => [:your_action, :my_action]

Whitelisting

Any of these combinations should work.

 param_accessible :client_id
 param_accessible [:client_id, :user_id]
 param_accessible :client_id, :only => 'my_action'
 param_accessible :client_id, :except => [:your_action, :my_action]

Nested Params

There is a language to protect nested params, but it has some caveats.

 param_protected 'user/fname'

params[:user][:fname] will be removed, but params[:user][:client_id] won't (or anything else under params[:user], for that matter).

 param_protected 'user'

This works as expected… it removes params[:user], even if it is a Hash.

 param_accessible 'user/fname'

This will filter out params[:user][:lname] and anything else under params[:user] that is not params[:user][:fname].

 param_accessible 'user'

This has no effect if params[:user] is a Hash.

Array Params

If you have an array of params like

 params[:person][:nicknames][0]
 params[:person][:nicknames][1]
 ...
 params[:person][:nicknames][n]

You can remove all of them by saying

 param_protected 'person/nicknames'

param_accessible also works with array params.
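To make the nested and array semantics above concrete, here is an added, standalone model of the filtering rules (example code written for this README, not the plugin's own implementation). It assumes a plain Hash with String keys standing in for the Rails params hash, uses the same 'a/b' path syntax, and implements the intended behaviour only; it does not reproduce the param_accessible 'user' quirk noted above.

```ruby
# Standalone model of param_protected / param_accessible path filtering.
# Assumption: params is a plain Hash with String keys (Rails params are
# indifferent-access, so Symbols are converted with to_s here).

# Split 'user/fname' into ['user', 'fname'].
def split_path(path)
  path.to_s.split('/')
end

# Deep copy so the caller's hash is never mutated.
def deep_copy(obj)
  Marshal.load(Marshal.dump(obj))
end

# Blacklist: delete each path. 'person/nicknames' removes the whole value
# at that key, whether it is a scalar, a Hash or an Array; 'user/fname'
# removes only that leaf and leaves the rest of params['user'] intact.
def param_protected(params, paths)
  result = deep_copy(params)
  Array(paths).each do |path|
    keys = split_path(path)
    parent = keys[0..-2].reduce(result) { |h, k| h.is_a?(Hash) ? h[k] : nil }
    parent.delete(keys.last) if parent.is_a?(Hash)
  end
  result
end

# Whitelist: keep only the values under the listed paths. 'user/fname'
# keeps that leaf (and nothing else under 'user'); an Array leaf such as
# 'person/nicknames' is kept whole.
def param_accessible(params, paths)
  keep = {}
  Array(paths).each do |path|
    keys = split_path(path)
    src = keys.reduce(params) { |h, k| h.is_a?(Hash) ? h[k] : nil }
    next if src.nil?                     # path absent from the request
    dst = keys[0..-2].reduce(keep) { |h, k| h[k] ||= {} }
    dst[keys.last] = deep_copy(src)
  end
  keep
end
```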

Caveats

Both param_protected and param_accessible are really just calls to prepend_before_filter. Thus any methods in your filter chain that run before either of these methods will have full access to the unprotected params Hash.

Notes

You should be able to see all the parameters that have been filtered out in your log (log level info). They get printed out directly after the 'Parameters:' line.
