Created: 2012-03-26 00:51
Updated: 2013-10-26 06:45
License: mit




ParameterFilter is a module to mix into ActionController subclasses. It inserts a before_filter which will automatically remove any fields in params that are not explicitly allowed.


Include the following in your Gemfile:

gem "parameter_filter"


For global security, include the following in your ApplicationController:

include ParameterFilter

Then, inside each of you controllers, specify what fields you want each action to receive:

# Accept user[email] and user[password] on the create and update actions.
accepts :fields => { :user => [ :email, :password ] }, :on => [ :create, :update ]

# Accept user[email] and user[password] on all actions.
accepts fields: { user: %w( email password ) } 

# Accept q on the search action.
accepts field: "q", on: "search"

# Accept q and sort on the search and index actions.
accepts fields: [ :q, :sort ], on: %w( search index )

ParameterFilter should be pretty flexible in what you throw at it.

NOTE: All actions are automatically allowed to receive :controller, :action and :id.

Cookies help us deliver our services. By using our services, you agree to our use of cookies Learn more