Ruby on Rails

How to permit all parameters in Rails controller strong parameters

Sometimes, you are looking to permit all the parameters of your Rails model in controller strong parameters. Instead of specifying them explicitly, one by one, you can permit all of the model attributes. However, this is not a good practice for a production application. As the comment of the rails controller scaffold states as a reminder to: Never trust parameters from the scary internet, only allow the whitelist through.

To demonstrate the case, let’s assume that we have a model Post with two attributes, :title, :body. Strong parameters controller method looks like the following:

def post_params
  params.require(:post).permit(:title, :body)
end

In the above snippet, permit allows only the whitelisted attributes to be part of the post_params hash. To permit all model attributes, update permit declaration with the following:

params.require(:post).permit!

Just replace :post with the model name you want to permit all of its parameters. The permit! will mark :post parameters hash and any subhash of it as permitted.

At this point, it is very important to note that when using permit!, the controller will allow all current and future model attributes to get mass-assigned. However, in a production deployment, attribute mass-assignment should be avoided by an explicit specification of the allowed attributes.

Additional information: