I think it’s not model thing to allow or deny attributes. Ok, maybe in case of User model I would protect it in controller and model too.
Anyway, it turns out that param_protected cuts out some really important parameters – like
It is super easy to fix, but unfortunately it’s not mentioned in documentation. So, let’s add out parameters whitelist.
1 2 3 4 5
id are self-explanatory.
commit are used by Rails forms
I added some additional attributes:
authenticity_tokenwhich is used by Devise (maybe some other auth gems too)
pagewhich is used by will_paginate/kaminari
page is allowed only on
index action, because that’s where pagination is used
This post is rewrite of “param_protected wycina potrzebne parametry” from my previous blog.