
A question about whether adding the :current_password attribute in the RegistrationController is the right way to go.

User model with include ActiveModel::ForbiddenAttributesProtection

# app/models/user.rb

class User < ActiveRecord::Base
  include ActiveModel::ForbiddenAttributesProtection
end

Passwords controller that inherits from Devise's passwords controller

# app/controllers/users/passwords_controller.rb

class Users::PasswordsController < Devise::PasswordsController
  def resource_params
    params.require(:user).permit(:email, :password, :password_confirmation)
  end
  private :resource_params
end

Registration controller that inherits from Devise's registration controller

# app/controllers/users/registrations_controller.rb

class Users::RegistrationsController < Devise::RegistrationsController
  def resource_params
    params.require(:user).permit(:name, :email, :password, :password_confirmation, :current_password)
  end
  private :resource_params
end

Route for Devise to use specified users' passwords and registrations controller.

# config/routes.rb

devise_for :users, :controllers => {:registrations => "users/registrations", :passwords => "users/passwords"}

In the RegistrationsController I had to add the attribute :current_password for users to be able to edit their profile.

The reason I ask is without strong_parameters I would only specify an attr_accessible for :email, :password, :password_confirmation, :remember_me.

Any insights are much appreciated.

Wasabi Developer
  • Not sure if this is the best approach, wouldn't you rather want to put it on a user level, rather than on a registration level? – jfvanderwalt May 30 '13 at 07:45

1 Answer

I believe your approach is the right one. At least it seems others are using it as well.

https://gist.github.com/kazpsp/3350730/#comment-833882
https://gist.github.com/bluemont/e304e65e7e15d77d3cb9

I suspect you've come across this already, but figured I'd answer for the sake of others who might find this question in the future.

EDIT: As the question (and my answer) was specifically aimed at the appropriateness of adding :current_password at the controller level vs the model (not sure how you'd even do the latter), the original part of my answer still stands. However, it seems that the latest mods to Devise (at least as of 3.0.0.rc) have eliminated the ability to override resource_params in favor of splitting that method out into several more specific methods, like sign_up_params, create_account_params, etc. for more fine-grained control. While I did get my app to work overriding these new methods individually, it seems the "before_filter" (before_action in Rails 4) method described on the Devise README and referred to here is the preferred way, and likely more maintainable as well.

Community
soupdog
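Why the permit list in the question needs :current_password, and why permitting it at the controller does not open a writable column, as an added example that is not part of the original question or answer. It uses plain-Ruby stand-ins rather than Devise or Rails code: `permit`, `DemoUser`, `run_update` and the constructed `REQUEST` are hypothetical names, and the update method is modeled on the assumption that the current password is removed from the params and verified before anything is assigned.

```ruby
require "digest"

# Stand-in for params.require(:user).permit(...): keep only allow-listed keys.
def permit(params, *allowed)
  params.select { |key, _| allowed.include?(key) }
end

# Hypothetical model: only COLUMNS can be mass-assigned and persisted.
class DemoUser
  COLUMNS = %i[name email password admin].freeze
  attr_reader :attrs

  def initialize(attrs)
    @attrs = attrs.merge(password: digest(attrs[:password]))
  end

  def valid_password?(candidate)
    digest(candidate) == @attrs[:password]
  end

  # :current_password and :password_confirmation are virtual: they are
  # consumed and checked here and never written to a column.
  def update_with_password(params)
    params = params.dup
    current = params.delete(:current_password)
    confirmation = params.delete(:password_confirmation)
    return false unless valid_password?(current)
    return false if params.key?(:password) && params[:password] != confirmation
    unknown = params.keys - COLUMNS
    raise ArgumentError, "unknown attribute: #{unknown.first}" unless unknown.empty?
    params[:password] = digest(params[:password]) if params.key?(:password)
    @attrs = @attrs.merge(params)
    true
  end

  private

  def digest(value)
    Digest::SHA256.hexdigest(value.to_s) # demo only; Devise uses bcrypt
  end
end

# Constructed request body: a profile edit that also tries to set :admin.
REQUEST = { name: "Ann", email: "ann@example.test",
            current_password: "old-secret", admin: true }.freeze
ACCOUNT_UPDATE_KEYS = %i[name email password password_confirmation current_password].freeze

def run_update(user, raw, allowed)
  user.update_with_password(permit(raw, *allowed))
end
```

With `ACCOUNT_UPDATE_KEYS` the edit succeeds and `:admin` is dropped by the allow-list; with `:current_password` left out of the list the same request is refused, which is the failure that prompted the question.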