Devise: Unpermitted parameters

The for method has been deprecated since 4.1. Use this instead:

class ApplicationController < ActionController::Base    
  before_action :configure_permitted_parameters, if: :devise_controller?

  protected

  def configure_permitted_parameters
    attributes = [:name, :surname, :username, :email, :avatar]
    devise_parameter_sanitizer.permit(:sign_up, keys: attributes)
    devise_parameter_sanitizer.permit(:account_update, keys: attributes)
  end
end

I think you should try the "configure_permitted_parameters" method in the application controller instead of the registration controller.

class ApplicationController < ActionController::Base
  before_action :configure_permitted_parameters, if: :devise_controller?

  protected

  def configure_permitted_parameters
    devise_parameter_sanitizer.for(:sign_up).push(:name, :surname, :username, :email, :avatar)
    devise_parameter_sanitizer.for(:account_update).push(:name, :surname, :email, :avatar)
  end
end

According to the 4.5.0 documentation:

In case you want to permit additional parameters (the lazy way™), you can do so using a simple before filter in your ApplicationController:

class ApplicationController < ActionController::Base
  before_action :configure_permitted_parameters, if: :devise_controller?

  protected

  def configure_permitted_parameters
    devise_parameter_sanitizer.permit(:sign_up, keys: [:username])
  end
end

Works for me (with Rails 5.2.1).

With nested parameters (untested):

If you have nested attributes (say you're using accepts_nested_attributes_for), then you will need to tell devise about those nestings and types:

class ApplicationController < ActionController::Base
  before_action :configure_permitted_parameters, if: :devise_controller?

  protected

  def configure_permitted_parameters
    devise_parameter_sanitizer.permit(:sign_up, keys: [:first_name, :last_name, 
           address_attributes: [:country, :state, :city, :area, :postal_code]])
  end
end
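
To see why a field ends up under "Unpermitted parameters", here is an added example (not code from the answers above, nor from Devise or Rails) that models the allowlist as plain Ruby and applies the nested keys list above to a constructed sign-up payload. `filter_params`, `demo` and the constants are hypothetical names, the defaults listed assume the default `:email` authentication key, and the model covers only scalars and one nested hash per key.

```ruby
# Pure-Ruby model of allowlist filtering (assumption: simplified; not Devise or Rails source).
# Keys Devise already permits for :sign_up with the default :email authentication key.
SIGN_UP_DEFAULTS = [:email, :password, :password_confirmation].freeze

# The keys: array from the nested-attributes answer above.
EXTRA_KEYS = [:first_name, :last_name,
              { address_attributes: [:country, :state, :city, :area, :postal_code] }].freeze

# Hypothetical helper: returns [permitted_hash, unpermitted_key_paths].
def filter_params(params, spec, path = nil)
  scalars = spec.grep(Symbol).map(&:to_s)
  nested  = spec.grep(Hash).reduce({}, :merge).transform_keys(&:to_s)
  permitted = {}
  unpermitted = []

  params.each do |key, value|
    full = path ? "#{path}.#{key}" : key
    if value.is_a?(Hash) && nested.key?(key)
      inner, dropped = filter_params(value, nested[key], full)
      permitted[key] = inner
      unpermitted.concat(dropped)
    elsif scalars.include?(key) && !value.is_a?(Hash) && !value.is_a?(Array)
      permitted[key] = value      # scalar under an allowlisted name
    else
      unpermitted << full         # not listed, or wrong shape for its entry
    end
  end
  [permitted, unpermitted]
end

# Constructed sign-up payload: two fields the allowlist does not name.
SAMPLE = {
  "email" => "a@example.com", "password" => "s3cret-pass",
  "password_confirmation" => "s3cret-pass", "first_name" => "Ada",
  "username" => "ada",
  "address_attributes" => { "city" => "London", "postal_code" => "N1", "verified" => "1" }
}.freeze

def demo
  filter_params(SAMPLE, SIGN_UP_DEFAULTS + EXTRA_KEYS)
end

permitted, unpermitted = demo
puts "permitted:   #{permitted.inspect}"
puts "unpermitted: #{unpermitted.join(', ')}"
```

Anything the form submits but the keys list does not name, at either nesting level, is dropped before it reaches the model, so each new form field needs a matching entry in the list.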