Rails 4 Strong parameters : permit all attributes?

73
votes

I'm building a web app with Rails 4 strong parameters.

When building the admin back office controllers, I wonder what is the best way to permit all the model attributes?

For now, I wrote this:

def user_params 
  params.require(:user).permit(User.fields.keys)
end

Do you think of a better way?

4
ruby-on-railsruby-on-rails-3strong-parameters
Why? I only do this kind of things in my administration backoffice where I trust all the users.Nicolas Blanco
just because you trust them (and you shouldn't, but that's a different story), leaving all of your data open to be overwritten is a security hole waiting to be taken advantage ofsevenseacat
@sevenseacat at least he's asking if there's a better way to do it.Andrew Grimm
@AndrewGrimm yes, but he still wants to permit everything by default, which is an insecure thing to do and completely negates the point of strong parameters.sevenseacat
@Anwar 'because I can't be bothered typing the keys' is quite possibly the worst reason to bypass a security measure.sevenseacat

4 Answers

10
votes

Just in case someone need it for Rails 6, without even a model linked to your controller, you can use:

before_action :accept_all_params

private

def accept_all_params
  params.permit!
end

And done, now you can play with 🔥 as much as you want!

147
votes

You can call the bang version of permit.

params.require(:user).permit!

Strong Params README on Github

Source code for reference: 

def permit!
  each_pair do |key, value|
    convert_hashes_to_parameters(key, value)
    self[key].permit! if self[key].respond_to? :permit!
  end

  @permitted = true
  self
end
1
votes

Skull0inc's answer works, but you might want to remove created_at and updated_at. The intention of strong params is to list only the attributes you want updatable by the controller. Something like...

def user_params
  params.require(:user).permit(User.column_names - ["created_at", "updated_at"])
end
0
votes

Would this work?

def user_params 
  params.require(:user).permit(User.column_names)
end