class ActionController::Parameters
params # => “value”<br>params # => “value”
params = ActionController::Parameters.new(key: ‘value’)
that you can fetch values using either :key or "key".ActiveSupport::HashWithIndifferentAccess, this meansActionController::Parameters inherits from
runtime.
environment they should only be set once at boot-time and never mutated at
Please note that these options *are not thread-safe*. In a multi-threaded
# => ActionController::UnpermittedParameters: found unpermitted keys: a, b
params.permit(:c)
params = ActionController::Parameters.new(a: “123”, b: “456”)
ActionController::Parameters.action_on_unpermitted_parameters = :raise
# => {}
params.permit(:c)
params = ActionController::Parameters.new(a: “123”, b: “456”)
params.permitted? # => true
params = ActionController::Parameters.new
ActionController::Parameters.permit_all_parameters = true
params.permitted? # => false
params = ActionController::Parameters.new
Examples:
in test and development environments, false otherwise.
ActionController::UnpermittedParameters exception. The default value is :log
write a message on the logger or :raise to raise
that are not explicitly permitted are found. The values can be :log to
* action_on_unpermitted_parameters - Allow to control the behavior when parameters
permitted by default. The default is false.
* permit_all_parameters - If it’s true, all the parameters will be
It provides two options that controls the top-level behavior of new instances:
# => #<Person id: 1, name: “Francesco”, age: 22, role: “user”>
Person.first.update!(permitted)
permitted.permitted? # => true
permitted.class # => ActionController::Parameters
permitted # => {“name”=>“Francesco”, “age”=>22}
permitted = params.require(:person).permit(:name, :age)
})
}
role: ‘admin’
age: 22,
name: ‘Francesco’,
person: {
params = ActionController::Parameters.new({
as permitted and limit which attributes should be allowed for mass updating.
used to mark parameters as required. The latter is used to set the parameter
Provides two methods for this purpose: #require and #permit. The former is
and thus prevent accidentally exposing that which shouldn’t be exposed.
Allows to choose which attributes should be whitelisted for mass updating
== Action Controller Parameters
def self.const_missing(const_name)
def self.const_missing(const_name) super unless const_name == :NEVER_UNPERMITTED_PARAMS ActiveSupport::Deprecation.warn(<<-MSG.squish) `ActionController::Parameters::NEVER_UNPERMITTED_PARAMS` has been deprecated. Use `ActionController::Parameters.always_permitted_parameters` instead. MSG always_permitted_parameters end
def [](key)
params[:person] # => {"name"=>"Francesco"}
params = ActionController::Parameters.new(person: { name: 'Francesco' })
returns +nil+.
Returns a parameter for the given +key+. If not found,
def [](key) convert_hashes_to_parameters(key, super) end
def array_of_permitted_scalars?(value)
def array_of_permitted_scalars?(value) if value.is_a?(Array) value.all? {|element| permitted_scalar?(element)} end end
def array_of_permitted_scalars_filter(params, key)
def array_of_permitted_scalars_filter(params, key) if has_key?(key) && array_of_permitted_scalars?(self[key]) params[key] = self[key] end end
def convert_hashes_to_parameters(key, value, assign_if_converted=true)
def convert_hashes_to_parameters(key, value, assign_if_converted=true) converted = convert_value_to_parameters(value) self[key] = converted if assign_if_converted && !converted.equal?(value) converted end
def convert_value_to_parameters(value)
def convert_value_to_parameters(value) if value.is_a?(Array) && !converted_arrays.member?(value) converted = value.map { |_| convert_value_to_parameters(_) } converted_arrays << converted converted elsif value.is_a?(Parameters) || !value.is_a?(Hash) value else self.class.new(value) end end
def converted_arrays
loop that converts values. Also, we are not going to build a new array
Testing membership still loops, but it's going to be faster than our own
method to instantiate it only if needed.
looping in the common use case permit + mass-assignment. Defined in a
Attribute that keeps track of converted arrays, if any, to avoid double
def converted_arrays @converted_arrays ||= Set.new end
def delete(key, &block)
optional code block is given and the key is not found, pass in the key
to key. If the key is not found, returns the default value. If the
Deletes and returns a key-value pair from +Parameters+ whose key is equal
def delete(key, &block) convert_hashes_to_parameters(key, super, false) end
def dup
copy_params = params.dup # => {"a"=>1}
params.permitted? # => true
params.permit!
params = ActionController::Parameters.new(a: 1)
instance. +permitted+ state is kept on the duped object.
Returns an exact copy of the ActionController::Parameters
def dup super.tap do |duplicate| duplicate.permitted = @permitted end end
def each_element(object)
def each_element(object) if object.is_a?(Array) object.map { |el| yield el }.compact elsif fields_for_style?(object) hash = object.class.new object.each { |k,v| hash[k] = yield v } hash else yield object end end
def each_pair(&block)
Convert all hashes in values into parameters, then yield each pair like
def each_pair(&block) super do |key, value| convert_hashes_to_parameters(key, value) end super end
def extract!(*keys)
params.extract!(:a, :b) # => {"a"=>1, "b"=>2}
params = ActionController::Parameters.new(a: 1, b: 2, c: 3)
Removes and returns the key/value pairs matching the given keys.
def extract!(*keys) new_instance_with_inherited_permitted_status(super) end
def fetch(key, *args)
params.fetch(:none, 'Francesco') # => "Francesco"
params.fetch(:none) # => ActionController::ParameterMissing: param not found: none
params.fetch(:person) # => {"name"=>"Francesco"}
params = ActionController::Parameters.new(person: { name: 'Francesco' })
is given, then that will be run and its result returned.
if more arguments are given, then that will be returned; if a block
it will raise an ActionController::ParameterMissing error;
can't be found, there are several options: With no other arguments,
Returns a parameter for the given +key+. If the +key+
def fetch(key, *args) convert_hashes_to_parameters(key, super, false) rescue KeyError raise ActionController::ParameterMissing.new(key) end
def fields_for_style?(object)
def fields_for_style?(object) object.is_a?(Hash) && object.all? { |k, v| k =~ /\A-?\d+\z/ && v.is_a?(Hash) } end
def hash_filter(params, filter)
def hash_filter(params, filter) filter = filter.with_indifferent_access # Slicing filters out non-declared keys. slice(*filter.keys).each do |key, value| next unless value if filter[key] == EMPTY_ARRAY # Declaration { comment_ids: [] }. array_of_permitted_scalars_filter(params, key) else # Declaration { user: :name } or { user: [:name, :age, { address: ... }] }. params[key] = each_element(value) do |element| if element.is_a?(Hash) element = self.class.new(element) unless element.respond_to?(:permit) element.permit(*Array.wrap(filter[key])) end end end end end
def initialize(attributes = nil)
params.permitted? # => true
params = ActionController::Parameters.new(name: 'Francesco')
ActionController::Parameters.permit_all_parameters = true
Person.new(params) # => ActiveModel::ForbiddenAttributesError
params.permitted? # => false
params = ActionController::Parameters.new(name: 'Francesco')
end
class Person < ActiveRecord::Base
ActionController::Parameters.permit_all_parameters.
Also, sets the +permitted+ attribute to the default value of
Returns a new instance of ActionController::Parameters.
def initialize(attributes = nil) super(attributes) @permitted = self.class.permit_all_parameters end
def new_instance_with_inherited_permitted_status(hash)
def new_instance_with_inherited_permitted_status(hash) self.class.new(hash).tap do |new_instance| new_instance.permitted = @permitted end end
def permit(*filters)
params.require(:person).permit(contact: [ :email, :phone ])
# => {"contact"=>{"phone"=>"555-1234"}}
params.require(:person).permit(contact: :phone)
# => {}
params.require(:person).permit(:contact)
})
}
}
phone: '555-1234'
email: 'none@test.com',
contact: {
person: {
params = ActionController::Parameters.new({
attributes inside the hash should be whitelisted.
it won't allow all the hash. You also need to specify which
Note that if you use +permit+ in a key that points to a hash,
permitted[:person][:pets][0][:category] # => nil
permitted[:person][:pets][0][:name] # => "Purplish"
permitted[:person][:age] # => nil
permitted[:person][:name] # => "Francesco"
permitted.permitted? # => true
permitted = params.permit(person: [ :name, { pets: :name } ])
})
}
}]
category: 'dogs'
name: 'Purplish',
pets: [{
age: 22,
name: 'Francesco',
person: {
params = ActionController::Parameters.new({
You can also use +permit+ on nested parameters, like:
params.permit(tags: [])
params = ActionController::Parameters.new(tags: ['rails', 'parameters'])
by mapping it to an empty array:
You may declare that the parameter should be an array of permitted scalars
Otherwise, the key +:name+ is filtered out.
+ActionDispatch::Http::UploadedFile+ or +Rack::Test::UploadedFile+.
+Date+, +Time+, +DateTime+, +StringIO+, +IO+,
+String+, +Symbol+, +NilClass+, +Numeric+, +TrueClass+, +FalseClass+,
+:name+ passes it is a key of +params+ whose associated value is of type
params.permit(:name)
Only permitted scalars pass the filter. For example, given
permitted.has_key?(:role) # => false
permitted.has_key?(:age) # => true
permitted.has_key?(:name) # => true
permitted.permitted? # => true
permitted = params.require(:user).permit(:name, :age)
params = ActionController::Parameters.new(user: { name: 'Francesco', age: 22, role: 'admin' })
should be allowed for mass updating.
for the object to +true+. This is useful for limiting which attributes
includes only the given +filters+ and sets the +permitted+ attribute
Returns a new ActionController::Parameters instance that
def permit(*filters) params = self.class.new filters.flatten.each do |filter| case filter when Symbol, String permitted_scalar_filter(params, filter) when Hash then hash_filter(params, filter) end end unpermitted_parameters!(params) if self.class.action_on_unpermitted_parameters params.permit! end
def permit!
params.permitted? # => true
params.permit!
Person.new(params) # => ActiveModel::ForbiddenAttributesError
params.permitted? # => false
params = ActionController::Parameters.new(name: 'Francesco')
end
class Person < ActiveRecord::Base
mass assignment. Returns +self+.
Sets the +permitted+ attribute to +true+. This can be used to pass
def permit! each_pair do |key, value| Array.wrap(value).each do |v| v.permit! if v.respond_to? :permit! end end @permitted = true self end
def permitted=(new_permitted)
def permitted=(new_permitted) @permitted = new_permitted end
def permitted?
params.permit!
params.permitted? # => false
params = ActionController::Parameters.new
Returns +true+ if the parameter is permitted, +false+ otherwise.
def permitted? @permitted end
def permitted_scalar?(value)
def permitted_scalar?(value) PERMITTED_SCALAR_TYPES.any? {|type| value.is_a?(type)} end
def permitted_scalar_filter(params, key)
def permitted_scalar_filter(params, key) if has_key?(key) && permitted_scalar?(self[key]) params[key] = self[key] end keys.grep(/\A#{Regexp.escape(key)}\(\d+[if]?\)\z/) do |k| if permitted_scalar?(self[k]) params[k] = self[k] end end end
def require(key)
ActionController::Parameters.new(person: {}).require(:person)
# => ActionController::ParameterMissing: param not found: person
ActionController::Parameters.new(person: nil).require(:person)
# => {"name"=>"Francesco"}
ActionController::Parameters.new(person: { name: 'Francesco' }).require(:person)
ActionController::ParameterMissing error.
the parameter at the given +key+, otherwise raises an
Ensures that a parameter is present. If it's present, returns
def require(key) value = self[key] if value.present? || value == false value else raise ParameterMissing.new(key) end end
def select!(&block)
def select!(&block) convert_value_to_parameters(super) end
def slice(*keys)
params.slice(:a, :b) # => {"a"=>1, "b"=>2}
params = ActionController::Parameters.new(a: 1, b: 2, c: 3)
don't exist, returns an empty hash.
includes only the given +keys+. If the given +keys+
Returns a new ActionController::Parameters instance that
def slice(*keys) new_instance_with_inherited_permitted_status(super) end
def to_h
safe_params = params.permit(:name)
params.to_h # => {}
})
oddity: 'Heavy stone crab'
name: 'Senjougahara Hitagi',
params = ActionController::Parameters.new({
unpermitted keys removed.
Returns a safe +Hash+ representation of this parameter with all
def to_h if permitted? to_hash else slice(*self.class.always_permitted_parameters).permit!.to_h end end
def to_unsafe_h
def to_unsafe_h to_hash end
def transform_keys # :nodoc:
this object is +HashWithIndifferentAccess+
correct +permitted+ status. It should not matter since the parent of
This method is here only to make sure that the returned object has the
def transform_keys # :nodoc: if block_given? new_instance_with_inherited_permitted_status(super) else super end end
def transform_values
params.transform_values { |x| x * 2 }
params = ActionController::Parameters.new(a: 1, b: 2, c: 3)
running +block+ once for every value. The keys are unchanged.
Returns a new ActionController::Parameters with the results of
def transform_values if block_given? new_instance_with_inherited_permitted_status(super) else super end end
def unpermitted_keys(params)
def unpermitted_keys(params) self.keys - params.keys - self.always_permitted_parameters end
def unpermitted_parameters!(params)
def unpermitted_parameters!(params) unpermitted_keys = unpermitted_keys(params) if unpermitted_keys.any? case self.class.action_on_unpermitted_parameters when :log name = "unpermitted_parameters.action_controller" ActiveSupport::Notifications.instrument(name, keys: unpermitted_keys) when :raise raise ActionController::UnpermittedParameters.new(unpermitted_keys) end end end