class ActionController::Parameters
params # => “value”<br>params # => “value”
params = ActionController::Parameters.new(key: ‘value’)
that you can fetch values using either :key or "key".ActiveSupport::HashWithIndifferentAccess, this meansActionController::Parameters is inherited from
# => ActionController::UnpermittedParameters: found unpermitted keys: a, b
params.permit(:c)
params = ActionController::Parameters.new(a: “123”, b: “456”)
ActionController::Parameters.action_on_unpermitted_parameters = :raise
# => {}
params.permit(:c)
params = ActionController::Parameters.new(a: “123”, b: “456”)
params.permitted? # => true
params = ActionController::Parameters.new
ActionController::Parameters.permit_all_parameters = true
params.permitted? # => false
params = ActionController::Parameters.new
Examples:
in test and development environments, false otherwise.
ActionController::UnpermittedParameters exception. The default value is :log
write a message on the logger or :raise to raise
that are not explicitly permitted are found. The values can be :log to
* action_on_unpermitted_parameters - Allow to control the behavior when parameters
permitted by default. The default is false.
* permit_all_parameters - If it’s true, all the parameters will be
It provides two options that controls the top-level behavior of new instances:
# => #<Person id: 1, name: “Francesco”, age: 22, role: “user”>
Person.first.update!(permitted)
permitted.permitted? # => true
permitted.class # => ActionController::Parameters
permitted # => {“name”=>“Francesco”, “age”=>22}
permitted = params.require(:person).permit(:name, :age)
})
}
role: ‘admin’
age: 22,
name: ‘Francesco’,
person: {
params = ActionController::Parameters.new({
as permitted and limit which attributes should be allowed for mass updating.
used to mark parameters as required. The latter is used to set the parameter
Provides two methods for this purpose: #require and #permit. The former is
and thus prevent accidentally exposing that which shouldn’t be exposed.
Allows to choose which attributes should be whitelisted for mass updating
== Action Controller Parameters
def [](key)
params[:person] # => {"name"=>"Francesco"}
params = ActionController::Parameters.new(person: { name: 'Francesco' })
returns +nil+.
Returns a parameter for the given +key+. If not found,
def [](key) convert_hashes_to_parameters(key, super) end
def array_of_permitted_scalars?(value)
def array_of_permitted_scalars?(value) if value.is_a?(Array) value.all? {|element| permitted_scalar?(element)} end end
def array_of_permitted_scalars_filter(params, key)
def array_of_permitted_scalars_filter(params, key) if has_key?(key) && array_of_permitted_scalars?(self[key]) params[key] = self[key] end end
def convert_hashes_to_parameters(key, value, assign_if_converted=true)
def convert_hashes_to_parameters(key, value, assign_if_converted=true) converted = convert_value_to_parameters(value) self[key] = converted if assign_if_converted && !converted.equal?(value) converted end
def convert_value_to_parameters(value)
def convert_value_to_parameters(value) if value.is_a?(Array) && !converted_arrays.member?(value) converted = value.map { |_| convert_value_to_parameters(_) } converted_arrays << converted converted elsif value.is_a?(Parameters) || !value.is_a?(Hash) value else self.class.new(value) end end
def converted_arrays
looping in the common use case permit + mass-assignment. Defined in a
Attribute that keeps track of converted arrays, if any, to avoid double
def converted_arrays @converted_arrays ||= Set.new end
def dup
copy_params = params.dup # => {"a"=>1}
params.permitted? # => true
params.permit!
params = ActionController::Parameters.new(a: 1)
instance. +permitted+ state is kept on the duped object.
Returns an exact copy of the ActionController::Parameters
def dup super.tap do |duplicate| duplicate.permitted = @permitted end end
def each_element(object)
def each_element(object) if object.is_a?(Array) object.map { |el| yield el }.compact elsif fields_for_style?(object) hash = object.class.new object.each { |k,v| hash[k] = yield v } hash else yield object end end
def fetch(key, *args)
params.fetch(:none, 'Francesco') # => "Francesco"
params.fetch(:none) # => ActionController::ParameterMissing: param not found: none
params.fetch(:person) # => {"name"=>"Francesco"}
params = ActionController::Parameters.new(person: { name: 'Francesco' })
is given, then that will be run and its result returned.
if more arguments are given, then that will be returned; if a block
it will raise an ActionController::ParameterMissing error;
can't be found, there are several options: With no other arguments,
Returns a parameter for the given +key+. If the +key+
def fetch(key, *args) convert_hashes_to_parameters(key, super, false) rescue KeyError raise ActionController::ParameterMissing.new(key) end
def fields_for_style?(object)
def fields_for_style?(object) object.is_a?(Hash) && object.all? { |k, v| k =~ /\A-?\d+\z/ && v.is_a?(Hash) } end
def hash_filter(params, filter)
def hash_filter(params, filter) filter = filter.with_indifferent_access # Slicing filters out non-declared keys. slice(*filter.keys).each do |key, value| next unless value if filter[key] == EMPTY_ARRAY # Declaration { comment_ids: [] }. array_of_permitted_scalars_filter(params, key) else # Declaration { user: :name } or { user: [:name, :age, { address: ... }] }. params[key] = each_element(value) do |element| if element.is_a?(Hash) element = self.class.new(element) unless element.respond_to?(:permit) element.permit(*Array.wrap(filter[key])) end end end end end
def initialize(attributes = nil)
params.permitted? # => true
params = ActionController::Parameters.new(name: 'Francesco')
ActionController::Parameters.permit_all_parameters = true
Person.new(params) # => ActiveModel::ForbiddenAttributesError
params.permitted? # => false
params = ActionController::Parameters.new(name: 'Francesco')
end
class Person < ActiveRecord::Base
ActionController::Parameters.permit_all_parameters.
Also, sets the +permitted+ attribute to the default value of
Returns a new instance of ActionController::Parameters.
def initialize(attributes = nil) super(attributes) @permitted = self.class.permit_all_parameters end
def permit(*filters)
params.require(:person).permit(contact: [ :email, :phone ])
# => {"contact"=>{"phone"=>"555-1234"}}
params.require(:person).permit(contact: :phone)
# => {}
params.require(:person).permit(:contact)
})
}
}
phone: '555-1234'
email: 'none@test.com',
contact: {
person: {
params = ActionController::Parameters.new({
attributes inside the hash should be whitelisted.
it won't allow all the hash. You also need to specify which
Note that if you use +permit+ in a key that points to a hash,
permitted[:person][:pets][0][:category] # => nil
permitted[:person][:pets][0][:name] # => "Purplish"
permitted[:person][:age] # => nil
permitted[:person][:name] # => "Francesco"
permitted.permitted? # => true
permitted = params.permit(person: [ :name, { pets: :name } ])
})
}
}]
category: 'dogs'
name: 'Purplish',
pets: [{
age: 22,
name: 'Francesco',
person: {
params = ActionController::Parameters.new({
You can also use +permit+ on nested parameters, like:
params.permit(tags: [])
params = ActionController::Parameters.new(tags: ['rails', 'parameters'])
by mapping it to an empty array:
You may declare that the parameter should be an array of permitted scalars
Otherwise, the key +:name+ is filtered out.
+ActionDispatch::Http::UploadedFile+ or +Rack::Test::UploadedFile+.
+Date+, +Time+, +DateTime+, +StringIO+, +IO+,
+String+, +Symbol+, +NilClass+, +Numeric+, +TrueClass+, +FalseClass+,
+:name+ passes it is a key of +params+ whose associated value is of type
params.permit(:name)
Only permitted scalars pass the filter. For example, given
permitted.has_key?(:role) # => false
permitted.has_key?(:age) # => true
permitted.has_key?(:name) # => true
permitted.permitted? # => true
permitted = params.require(:user).permit(:name, :age)
params = ActionController::Parameters.new(user: { name: 'Francesco', age: 22, role: 'admin' })
should be allowed for mass updating.
for the object to +true+. This is useful for limiting which attributes
includes only the given +filters+ and sets the +permitted+ attribute
Returns a new ActionController::Parameters instance that
def permit(*filters) params = self.class.new filters.flatten.each do |filter| case filter when Symbol, String permitted_scalar_filter(params, filter) when Hash then hash_filter(params, filter) end end unpermitted_parameters!(params) if self.class.action_on_unpermitted_parameters params.permit! end
def permit!
params.permitted? # => true
params.permit!
Person.new(params) # => ActiveModel::ForbiddenAttributesError
params.permitted? # => false
params = ActionController::Parameters.new(name: 'Francesco')
end
class Person < ActiveRecord::Base
mass assignment. Returns +self+.
Sets the +permitted+ attribute to +true+. This can be used to pass
def permit! each_pair do |key, value| value = convert_hashes_to_parameters(key, value) Array.wrap(value).each do |_| _.permit! if _.respond_to? :permit! end end @permitted = true self end
def permitted=(new_permitted)
def permitted=(new_permitted) @permitted = new_permitted end
def permitted?
params.permit!
params.permitted? # => false
params = ActionController::Parameters.new
Returns +true+ if the parameter is permitted, +false+ otherwise.
def permitted? @permitted end
def permitted_scalar?(value)
def permitted_scalar?(value) PERMITTED_SCALAR_TYPES.any? {|type| value.is_a?(type)} end
def permitted_scalar_filter(params, key)
def permitted_scalar_filter(params, key) if has_key?(key) && permitted_scalar?(self[key]) params[key] = self[key] end keys.grep(/\A#{Regexp.escape(key)}\(\d+[if]?\)\z/) do |k| if permitted_scalar?(self[k]) params[k] = self[k] end end end
def require(key)
ActionController::Parameters.new(person: {}).require(:person)
# => ActionController::ParameterMissing: param not found: person
ActionController::Parameters.new(person: nil).require(:person)
# => {"name"=>"Francesco"}
ActionController::Parameters.new(person: { name: 'Francesco' }).require(:person)
ActionController::ParameterMissing error.
the parameter at the given +key+, otherwise raises an
Ensures that a parameter is present. If it's present, returns
def require(key) value = self[key] if value.present? || value == false value else raise ParameterMissing.new(key) end end
def slice(*keys)
params.slice(:a, :b) # => {"a"=>1, "b"=>2}
params = ActionController::Parameters.new(a: 1, b: 2, c: 3)
don't exist, returns an empty hash.
includes only the given +keys+. If the given +keys+
Returns a new ActionController::Parameters instance that
def slice(*keys) self.class.new(super).tap do |new_instance| new_instance.permitted = @permitted end end
def unpermitted_keys(params)
def unpermitted_keys(params) self.keys - params.keys - NEVER_UNPERMITTED_PARAMS end
def unpermitted_parameters!(params)
def unpermitted_parameters!(params) unpermitted_keys = unpermitted_keys(params) if unpermitted_keys.any? case self.class.action_on_unpermitted_parameters when :log name = "unpermitted_parameters.action_controller" ActiveSupport::Notifications.instrument(name, keys: unpermitted_keys) when :raise raise ActionController::UnpermittedParameters.new(unpermitted_keys) end end end