Class: Devise::ParameterSanitizer

Inherits:
Object
Defined in:
lib/devise/parameter_sanitizer.rb

Overview

The ParameterSanitizer deals with permitting specific parameter values for each Devise scope in the application.

The sanitizer knows about Devise default parameters (like password and password_confirmation for the RegistrationsController), and you can extend or change the permitted parameters list on your controllers.

Permitting new parameters

You can add new parameters to the permitted list using the permit method in a before_action method, for instance.

class ApplicationController < ActionController::Base
  before_action :configure_permitted_parameters, if: :devise_controller?

  protected

  def configure_permitted_parameters
    # Permit the `subscribe_newsletter` parameter along with the other
    # sign up parameters.
    devise_parameter_sanitizer.permit(:sign_up, keys: [:subscribe_newsletter])
  end
end

Using a block yields an ActionController::Parameters object so you can permit nested parameters and have more control over how the parameters are permitted in your controller.

def configure_permitted_parameters
  devise_parameter_sanitizer.permit(:sign_up) do |user|
    user.permit(newsletter_preferences: [])
  end
end

Constant Summary

DEFAULT_PERMITTED_ATTRIBUTES =
{
  sign_in: [:password, :remember_me],
  sign_up: [:password, :password_confirmation],
  account_update: [:password, :password_confirmation, :current_password]
}

Instance Method Summary

Constructor Details

#initialize(resource_class, resource_name, params) ⇒ ParameterSanitizer

Returns a new instance of ParameterSanitizer.

# File 'lib/devise/parameter_sanitizer.rb', line 44

def initialize(resource_class, resource_name, params)
  @auth_keys      = extract_auth_keys(resource_class)
  @params         = params
  @resource_name  = resource_name
  @permitted      = {}

  DEFAULT_PERMITTED_ATTRIBUTES.each_pair do |action, keys|
    permit(action, keys: keys)
  end
end

Instance Method Details

#permit(action, keys: nil, except: nil, &block) ⇒ Object

Add parameters to, or remove parameters from, the permitted list of an action.

Arguments

  • action - A Symbol with the action that the controller is performing, like sign_up, sign_in, etc.

  • keys: - An Array of keys that also should be permitted.

  • except: - An Array of keys that shouldn’t be permitted.

  • block - A block that should be used to permit the action parameters instead of the Array based approach. The block will be called with an ActionController::Parameters instance.

Examples

# Adding new parameters to be permitted in the `sign_up` action.
devise_parameter_sanitizer.permit(:sign_up, keys: [:subscribe_newsletter])

# Removing the `password` parameter from the `account_update` action.
devise_parameter_sanitizer.permit(:account_update, except: [:password])

# Using the block form to completely override how we permit the
# parameters for the `sign_up` action.
devise_parameter_sanitizer.permit(:sign_up) do |user|
  user.permit(:email, :password, :password_confirmation)
end

Returns nothing.

# File 'lib/devise/parameter_sanitizer.rb', line 110

def permit(action, keys: nil, except: nil, &block)
  if block_given?
    @permitted[action] = block
  end

  if keys.present?
    @permitted[action] ||= @auth_keys.dup
    @permitted[action].concat(keys)
  end

  if except.present?
    @permitted[action] ||= @auth_keys.dup
    @permitted[action] = @permitted[action] - except
  end
end

#sanitize(action) ⇒ Object

Sanitize the parameters for a specific action.

Arguments

  • action - A Symbol with the action that the controller is performing, like sign_up, sign_in, etc.

Examples

# Inside the `RegistrationsController#create` action.
resource = build_resource(devise_parameter_sanitizer.sanitize(:sign_up))
resource.save

Returns an ActiveSupport::HashWithIndifferentAccess with the permitted attributes.

# File 'lib/devise/parameter_sanitizer.rb', line 70

def sanitize(action)
  permissions = @permitted[action]

  if permissions.respond_to?(:call)
    cast_to_hash permissions.call(default_params)
  elsif permissions.present?
    cast_to_hash permit_keys(default_params, permissions)
  else
    unknown_action!(action)
  end
end
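The following is an added example, not code from Devise itself, that models the permit/sanitize behaviour described in the Overview and in the #permit and #sanitize details above so it can be run without Rails. Plain Ruby Hashes stand in for ActionController::Parameters, the class name ToyParameterSanitizer and the request body REQUEST_PARAMS are constructed for the example, and the authentication key list that Devise derives from the resource class is assumed to be [:email]. It shows the three forms of permit side by side, that a key not on the allow-list (here a constructed `admin` field) is dropped by sanitize, and that the block form replaces the whole list, authentication key included.

```ruby
# Added example, not Devise's own code: a stand-alone model of the
# permit/sanitize semantics shown on this page. Plain Hashes stand in for
# ActionController::Parameters, and the authentication key list that
# Devise derives from the resource class is assumed to be [:email].
class ToyParameterSanitizer
  DEFAULT_PERMITTED_ATTRIBUTES = {
    sign_in: [:password, :remember_me],
    sign_up: [:password, :password_confirmation],
    account_update: [:password, :password_confirmation, :current_password]
  }.freeze

  def initialize(params, auth_keys: [:email])
    @auth_keys = auth_keys          # Devise: extract_auth_keys(resource_class)
    @params = params
    @permitted = {}
    DEFAULT_PERMITTED_ATTRIBUTES.each_pair do |action, keys|
      permit(action, keys: keys)
    end
  end

  # Same three branches as Devise#permit: a block replaces the whole list
  # (auth keys included), keys: extends it, except: removes from it.
  def permit(action, keys: nil, except: nil, &block)
    @permitted[action] = block if block_given?

    if keys && !keys.empty?
      @permitted[action] ||= @auth_keys.dup   # dup: never mutate the shared list
      @permitted[action].concat(keys)
    end

    if except && !except.empty?
      @permitted[action] ||= @auth_keys.dup
      @permitted[action] = @permitted[action] - except
    end
  end

  # Returns only the request keys on the allow-list for this action;
  # anything else (e.g. a role flag added to the form) is dropped.
  def sanitize(action)
    permissions = @permitted[action]
    if permissions.respond_to?(:call)
      permissions.call(@params)
    elsif permissions && !permissions.empty?
      @params.select { |key, _| permissions.include?(key) }
    else
      raise ArgumentError, "#{action} is not a known Devise action"
    end
  end
end

# Constructed request body: the sign-up form fields plus an unexpected
# `admin` key that mass assignment must never see.
REQUEST_PARAMS = {
  email: 'user@example.com',
  password: 'correct horse',
  password_confirmation: 'correct horse',
  subscribe_newsletter: '1',
  admin: '1'
}.freeze

# keys: extends the defaults, so email (auth key) and the defaults survive,
# subscribe_newsletter is added, and admin is filtered out.
def permitted_with_keys
  sanitizer = ToyParameterSanitizer.new(REQUEST_PARAMS)
  sanitizer.permit(:sign_up, keys: [:subscribe_newsletter])
  sanitizer.sanitize(:sign_up).keys
end

# except: removes a default; a key that is permitted but absent from the
# request (current_password) simply does not appear in the result.
def permitted_with_except
  sanitizer = ToyParameterSanitizer.new(REQUEST_PARAMS)
  sanitizer.permit(:account_update, except: [:password])
  sanitizer.sanitize(:account_update).keys
end

# The block form replaces the list outright: if the block omits :email,
# the authentication key is lost, which is why the page's block example
# lists :email explicitly.
def permitted_with_block
  sanitizer = ToyParameterSanitizer.new(REQUEST_PARAMS)
  sanitizer.permit(:sign_up) { |user| user.slice(:password, :password_confirmation) }
  sanitizer.sanitize(:sign_up).keys
end

# Mirrors unknown_action!: sanitizing an action nobody permitted fails loudly.
def unknown_action_raises?
  ToyParameterSanitizer.new(REQUEST_PARAMS).sanitize(:bogus)
  false
rescue ArgumentError
  true
end

if __FILE__ == $PROGRAM_NAME
  p permitted_with_keys    # [:email, :password, :password_confirmation, :subscribe_newsletter]
  p permitted_with_except  # [:email, :password_confirmation]
  p permitted_with_block   # [:password, :password_confirmation]
end
```

The `dup` in permit matters: `concat` mutates in place, so without it the first `keys:` call would append to the shared auth-key array and leak permissions across actions. In a real controller the block form should list the authentication key (`:email` by default) alongside anything else it allows, exactly as the #permit example on this page does.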