Krzysztof Zalewski

zlw@github:pages

Param_protected Cuts Out Important Attributes

I am a huge fan of param_protected, which I use instead of attr_accessible/attr_protected.

I think it’s not a model thing to allow or deny attributes. OK, maybe in the case of the User model I would protect it in the controller and the model too.

Anyway, it turns out that param_protected cuts out some really important parameters – like action or commit.

It is super easy to fix, but unfortunately it’s not mentioned in the documentation. So, let’s add our parameters whitelist.

application_controller.rb
class ApplicationController < ActionController::Base
  param_accessible [:controller, :action, :id, :utf8, :commit]
  param_accessible [:authenticity_token] # this is for Devise
  param_accessible [:page], only: :index # this is for will_paginate/kaminari
end

controller, action and id are self-explanatory. utf8 and commit are used by Rails forms.

I added some additional attributes:

  • authenticity_token which is used by Devise (maybe some other auth gems too)
  • page which is used by will_paginate/kaminari

page is allowed only on the index action, because that’s where pagination is used.
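To see the effect of these declarations without a Rails app, here is an added example (not from the original post and not param_protected's own code): a plain-Ruby model of an allowlist filter. The `AllowlistModel` class, `post_allowlist` and the sample params are hypothetical, and it assumes that several declarations are unioned and that `only:` limits a rule to the named actions.

```ruby
# Simplified stand-in for an allowlist param filter (hypothetical model,
# not param_protected's implementation).
# Assumptions: rules from several declarations are unioned, and a rule
# with :only applies just to the named actions.
class AllowlistModel
  Rule = Struct.new(:keys, :only)

  def initialize
    @rules = []
  end

  # Mirrors the shape of `param_accessible [:a, :b], only: :index`.
  def param_accessible(keys, only: nil)
    @rules << Rule.new(keys.map(&:to_s), only && Array(only).map(&:to_s))
    self
  end

  # Keys permitted for the given action.
  def allowed_for(action)
    @rules.select { |r| r.only.nil? || r.only.include?(action.to_s) }
          .flat_map(&:keys).uniq
  end

  # Returns [kept_params, dropped_keys] so dropped keys can be logged or tested.
  def filter(params, action)
    allowed = allowed_for(action)
    kept = params.select { |k, _| allowed.include?(k.to_s) }
    [kept, params.keys.map(&:to_s) - kept.keys.map(&:to_s)]
  end
end

# The allowlist from the post, expressed against the model above.
def post_allowlist
  AllowlistModel.new
    .param_accessible([:controller, :action, :id, :utf8, :commit])
    .param_accessible([:authenticity_token])
    .param_accessible([:page], only: :index)
end

# Constructed sample request params; "admin" is a key nobody allowlisted.
SAMPLE = { "controller" => "posts", "action" => "index", "page" => "2",
           "commit" => "Search", "admin" => "1" }.freeze
```

Filtering `SAMPLE` for `:index` keeps `page` and drops only `admin`; filtering the same hash for `:show` drops `page` as well.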


This post is a rewrite of param_protected wycina potrzebne parametry from my previous blog.
