class Devise::ParameterSanitizer

end
end
user.permit(newsletter_preferences: [])
devise_parameter_sanitizer.permit(:sign_up) do |user|
def configure_permitted_parameters
permitted in your controller.
permit nested parameters and have more control over how the parameters are
Using a block yields an ActionController::Parameters object so you can
end
end
devise_parameter_sanitizer.permit(:sign_up, keys: [:subscribe_newsletter])
# sign up parameters.
# Permit the ‘subscribe_newsletter` parameter along with the other
def configure_permitted_parameters
protected
before_action :configure_permitted_parameters, if: :devise_controller?
class ApplicationController < ActionController::Base
in a before_action method, for instance.
You can add new parameters to the permitted list using the permit method
=== Permitting new parameters
extend or change the permitted parameters list on your controllers.
password_confirmation for the `RegistrationsController`), and you can
The sanitizer knows about Devise default parameters (like password and
for each Devise scope in the application.
The ParameterSanitizer deals with permitting specific parameters values

def cast_to_hash(params)

Returns an +ActiveSupport::HashWithIndifferentAccess+.

that can be used elsewhere.
Cast a sanitized +ActionController::Parameters+ to a +HashWithIndifferentAccess+ 
def cast_to_hash(params)
  # TODO: Remove the `with_indifferent_access` method call when we only support Rails 5+.
  params && params.to_h.with_indifferent_access
end

def default_params 

def default_params
  if hashable_resource_params?
    @params.fetch(@resource_name)
  else
    empty_params
  end
end

def empty_params 

def empty_params
  ActionController::Parameters.new({})
end

def extract_auth_keys(klass) 

def extract_auth_keys(klass)
  auth_keys = klass.authentication_keys
  auth_keys.respond_to?(:keys) ? auth_keys.keys : auth_keys
end

def hashable_resource_params? 

def hashable_resource_params?
  @params[@resource_name].respond_to?(:permit)
end

def initialize(resource_class, resource_name, params) 

def initialize(resource_class, resource_name, params)
  @auth_keys      = extract_auth_keys(resource_class)
  @params         = params
  @resource_name  = resource_name
  @permitted      = {}
  DEFAULT_PERMITTED_ATTRIBUTES.each_pair do |action, keys|
    permit(action, keys: keys)
  end
end

def permit(action, keys: nil, except: nil, &block)

Returns nothing.


end
user.permit(:email, :password, :password_confirmation)
devise_parameter_sanitizer.permit(:sign_up) do |user|
# parameters for the `sign_up` action.
# Using the block form to completely override how we permit the

devise_parameter_sanitizer.permit(:account_update, except: [:password])
# Removing the `password` parameter from the `account_update` action.

devise_parameter_sanitizer.permit(:sign_up, keys: [:subscribe_newsletter])
# Adding new parameters to be permitted in the `sign_up` action.

=== Examples

called with an +ActionController::Parameters+ instance.
parameters instead of the +Array+ based approach. The block will be
* +block+ - A block that should be used to permit the action
* +except:+ - An +Array+ of keys that shouldn't be permitted.
* +keys:+ - An +Array+ of keys that also should be permitted.
performing, like +sign_up+, +sign_in+, etc.
* +action+ - A +Symbol+ with the action that the controller is

=== Arguments

Add or remove new parameters to the permitted list of an +action+. 
def permit(action, keys: nil, except: nil, &block)
  if block_given?
    @permitted[action] = block
  end
  if keys.present?
    @permitted[action] ||= @auth_keys.dup
    @permitted[action].concat(keys)
  end
  if except.present?
    @permitted[action] ||= @auth_keys.dup
    @permitted[action] = @permitted[action] - except
  end
end

def permit_keys(parameters, keys) 

def permit_keys(parameters, keys)
  parameters.permit(*keys)
end

def sanitize(action)

attributes.
Returns an +ActiveSupport::HashWithIndifferentAccess+ with the permitted

resource.save
resource = build_resource(devise_parameter_sanitizer.sanitize(:sign_up))
# Inside the `RegistrationsController#create` action.

=== Examples

performing, like +sign_up+, +sign_in+, etc.
* +action+ - A +Symbol+ with the action that the controller is

=== Arguments

Sanitize the parameters for a specific +action+. 
def sanitize(action)
  permissions = @permitted[action]
  if permissions.respond_to?(:call)
    cast_to_hash permissions.call(default_params)
  elsif permissions.present?
    cast_to_hash permit_keys(default_params, permissions)
  else
    unknown_action!(action)
  end
end

def unknown_action!(action) 

def unknown_action!(action)
  raise NotImplementedError, <<-MESSAGE.strip_heredoc
    "Devise doesn't know how to sanitize parameters for '#{action}'".
    If you want to define a new set of parameters to be sanitized use the
    `permit` method first:
      devise_parameter_sanitizer.permit(:#{action}, keys: [:param1, :param2, :param3])
  MESSAGE
end