How to permit all parameters in Rails controller strong parameters
Sometimes, you are looking to permit all the parameters of your Rails model in controller strong parameters. Instead of specifying them explicitly, one by one, you can permit all of the model attributes. However, this is not a good practice for a production application. As the comment of the rails controller scaffold states as a reminder to: Never trust parameters from the scary internet, only allow the whitelist through.
To demonstrate the case, let’s assume that we have a model Post with two attributes,
:body. Strong parameters controller method looks like the following:
def post_params params.require(:post).permit(:title, :body) end
In the above snippet,
permit allows only the whitelisted attributes to be part of the
post_params hash. To
permit all model attributes, update
permit declaration with the following:
:post with the model name you want to permit all of its parameters. The
permit! will mark
:post parameters hash and any subhash of it as permitted.
At this point, it is very important to note that when using
permit!, the controller will allow all current and future model attributes to get mass-assigned. However, in a production deployment, attribute mass-assignment should be avoided by an explicit specification of the allowed attributes.