Rails 4 Strong Parameters : can I 'exclude' / blacklist attributes instead of permit / whitelist?
I think you shouldn't really do that for reasons outlined by @Damien, but here's a solution I just found.
params.require(:user).except!(:account_id, :is_admin).permit!
This will remove :account_id, :is_admin from hash and permit all other parameters.
But again - this is potentially insecure.
Why does this work? Because ActionController::Parameters inherits from Hash!
Update 4th July 2016
In Rails 5 this probably doesn't work anymore, as per the upgrade guide: "ActionController::Parameters No Longer Inherits from HashWithIndifferentAccess"
No, this is not possible.
Blacklisting attributes would be a security issue, since your codebase can evolve, and other attributes which should be blacklisted can be forgotten in the future.
Adding all your whitelisted attributes might seem like a complicated thing when implementing it.
However, it's the only way of keeping your application secure and avoiding disturbing things.
Whitelisting is more secure.
But you can try: In model:
# Class method: every column name except the ones listed here
def self.permitted_params
  attribute_names - ["is_admin"]
end
In Controller:
def user_params
  params.require(:user).permit(*User.permitted_params)
end
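The risk raised in the answers above (a deny-list silently admitting attributes added after it was written), as an added example that is not part of any answer. It is plain Ruby with no Rails: `Hash#slice` stands in for `permit`, and the column lists, the `account_id` migration and the request body are constructed for illustration.

```ruby
# Added illustration, plain Ruby (no Rails). Hash#slice stands in for
# strong parameters' permit; all names and values below are constructed.

# Columns of a hypothetical users table at two points in time.
COLUMNS_V1 = %w[id name email is_admin].freeze
COLUMNS_V2 = (COLUMNS_V1 + %w[account_id]).freeze # added by a later migration

DENIED  = %w[is_admin].freeze   # deny-list written when only V1 existed
ALLOWED = %w[name email].freeze # explicit allow-list

# Deny-list approach: every column the table has, minus known-sensitive
# names (the shape of `attribute_names - ["is_admin"]`).
def deny_list_filter(params, columns)
  params.slice(*(columns - DENIED))
end

# Allow-list approach: only names that were deliberately approved.
def allow_list_filter(params)
  params.slice(*ALLOWED)
end

# Keys that passed a filter without ever being reviewed; usable as a
# test-suite check on a model's permitted list.
def unreviewed(permitted_keys)
  permitted_keys - ALLOWED
end

# Constructed request body that also sets fields the form never offered.
REQUEST = {
  "id" => "1", "name" => "Mallory", "email" => "m@example.test",
  "is_admin" => "1", "account_id" => "42"
}.freeze

if __FILE__ == $PROGRAM_NAME
  before = deny_list_filter(REQUEST, COLUMNS_V1)
  after  = deny_list_filter(REQUEST, COLUMNS_V2)
  puts "deny-list, schema v1:  #{before.keys.inspect}"
  puts "deny-list, schema v2:  #{after.keys.inspect}"
  puts "allow-list, any schema: #{allow_list_filter(REQUEST).keys.inspect}"
  puts "unreviewed after v2:   #{unreviewed(after.keys).inspect}"
end
```

The deny-list result changes when the schema does, and it also lets `id` through because the primary key is a column like any other; the allow-list result is the same before and after the migration.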