Strong parameters with Rails and Devise

ruby-on-rails devise strong-parameters

I am using the rails 4.0 branch of devise along with ruby 2.0.0p0 and Rails 4.0.0.beta1.

This is the kind of question where I am checking if I'm doing it the right way, or if there are other things I should be doing. I'm sure a lot of people moving to Rails 4.0 are facing the same problems (after googling for similar things).

I have read the following links:

  • Devise and Strong Parameters
  • https://gist.github.com/kazpsp/3350730
  • https://github.com/plataformatec/devise/tree/rails4#strong-parameters

Now using devise I created a User model, I created the following controller using the above gists (and made sure to include it in my routes file). My extra parameters are first_name and last_name.

class Users::RegistrationsController < Devise::RegistrationsController
  def sign_up_params
    params.require(:user).permit(:first_name, :last_name, :email, :password, :password_confirmation)
  end
  def account_update_params
    params.require(:user).permit(:first_name, :last_name, :email, :password, :password_confirmation, :current_password)
  end
  private :sign_up_params
  private :account_update_params
end

Is there anything else I should be doing? Is this the best way of doing things from now on (since dropping attr_accessor). My forms seem to be working fine (both the new and update). The gists said to use "resource_params" but that always gave the "Unpermitted parameters" error in my server log.


Thanks for the latest updates on Rails4 branch of Devise, it doesn't really need to insert 'resource_params'.

I've created a brand new Rails4 app and followed basic Devise installation steps and my app works properly, so I think, you've done well.

But there is a modified gist which gives you some extra details in terms of permitted parameters if you need:

Source: https://gist.github.com/bluemont/e304e65e7e15d77d3cb9

# controllers/users/registrations_controller.rb
class Users::RegistrationsController < Devise::RegistrationsController

  before_filter :configure_permitted_parameters

  protected

  # my custom fields are :name, :heard_how
  def configure_permitted_parameters
    devise_parameter_sanitizer.for(:sign_up) do |u|
      u.permit(:name, :heard_how,
        :email, :password, :password_confirmation)
    end
    devise_parameter_sanitizer.for(:account_update) do |u|
      u.permit(:name,
        :email, :password, :password_confirmation, :current_password)
    end
  end
end

For Rails 5, Devise 4 Use this:

class ApplicationController < ActionController::Base
  before_action :configure_permitted_parameters, if: :devise_controller?

  protected

  def configure_permitted_parameters
    devise_parameter_sanitizer.permit(:sign_up, keys: [:first_name, :last_name, :email, :password, :password_confirmation])
  end
end

Reference

Related

Scrolling down in Chrome dev tools when paused in debugger
Multiple SQL statements in one roundtrip using Dapper.NET
How to find where a package is installed by pacman?
Does Swift have something like "ref" keyword that forces parameter to be passed by reference?
Manage cordova plugins with npm + package.json
Stripe Error: No signatures found matching the expected signature for payload
What is the difference between List and ForEach in SwiftUI?
Running an asynchronous operation triggered by an ASP.NET web page request
Does .Disposing a StreamWriter close the underlying stream?
How to configure log4j to log different log levels to different files for the same logger
What are the advantages of using an ExecutorService?
What is the difference between a tag and a branch in SVN?