
I am using Rails 4 with strong parameters and trying to figure out how to set the strong parameters to not allow any attribute with the parameter.

I read this: Rails 4 Strong parameters: permit all attributes? and would like to do the opposite of that.

params.require(:user).permit!

would permit all attributes, how could I do the opposite?

UPDATE: THIS IS MY FULL CODE:

in app/controllers/application_controller.rb

class ApplicationController < ActionController::Base
  # Prevent CSRF attacks by raising an exception.
  # For APIs, you may want to use :null_session instead.
  protect_from_forgery with: :exception
  before_filter :configure_permitted_parameters, if: :devise_controller?

  protected

  def configure_permitted_parameters
    devise_parameter_sanitizer.for(:sign_up) { |u| u.permit(:username, :email, :password, :password_confirmation, :remember_me) }
    devise_parameter_sanitizer.for(:sign_in) { |u| u.permit(:signin, :password, :remember_me) }
    devise_parameter_sanitizer.for(:account_update) { |u| u.permit(:username, :email, :password, :password_confirmation, :current_password) }
  end
end

in app/models/admin.rb

class Admin < ActiveRecord::Base
  # Include default devise modules. Others available are:
  # :confirmable, :lockable, :timeoutable and :omniauthable, :registerable
  devise :database_authenticatable, :registerable, :recoverable, :rememberable, :trackable, :validatable

  attr_accessor :signin

  def self.find_first_by_auth_conditions(warden_conditions)
    conditions = warden_conditions.dup
    if login = conditions.delete(:signin)
      where(conditions).where(["username = :value OR lower(email) = lower(:value)", { :value => login }]).first
    else
      where(conditions).first
    end
  end

  validates :username, presence: true, length: { maximum: 255 }, uniqueness: { case_sensitive: false }, format: { with: /\A[a-zA-Z0-9]*\z/, message: "may only contain letters and numbers." }
end

The users.rb model is the same as the admin.rb model. This leads to two different sign up/sign in links, one for each model. Also, I need to leave the :registerable module so that I can override Devise's default registerable module. However, I modified the views to not show the admin page when typed in a browser. --- I only need to block it via the command line now.

I also have posted a previous question similar to this:

Rails 4 Devise Strong Parameters Admin Model


2 Answers


If you're not using any user-inputted parameters (like for a GET), you don't need to use params at all. Your controller will just work, and there won't be a security issue.

  • I am using devise and trying to set the admin model allowing no one to sign_up – Daniel Dec 11 '13 at 04:11
  • Strong parameters are not used in models - if you have no controller or route for people to sign up, there won't be a way for them to do that. – Ari Dec 11 '13 at 04:15
  • I have deleted the :registerable module from the admin model, but I believe that someone can still create an admin from the terminal giving them access to my site. – Daniel Dec 11 '13 at 04:19
  • Will anyone from the Internet have access to a shell on your webserver with permissions to write to the app directory? – Ari Dec 11 '13 at 04:23
  • No but I don't understand the point of Strong Parameters. (I get that its to choose what the user can pass into the database- and I don't want them to pass anything) I thought the site is not secure if you allow any parameter to be passed. – Daniel Dec 11 '13 at 04:29
  • You might want to read a bit more about strong parameters from the docs: http://guides.rubyonrails.org/action_controller_overview.html#strong-parameters Also, the Devise README mentions that you should be comfortable with using Rails before using Devise, so it may be worth trying to implement your own simple authentication first so that you are more familiar with the patterns involved. – Ari Dec 11 '13 at 14:43
  • Thanks for the docs link, yeah I have completed http://ruby.railstutorial.org/ multiple times and I am attempting to understand devise by working through it now. I am also using a book called Learning Devise for Rails – Daniel Dec 11 '13 at 17:03

The default behavior is the opposite of .permit. If you don't mention an attribute in your params arguments, it is like denying the user access to do anything with those attributes.

  • That is what I thought also, but when I do not permit anything it allows for admins to sign up which is what I do not want. – Daniel Dec 11 '13 at 16:58
  • you might want to use a before_create in your user model and block admins from signing up there. Can you post your attributes and a little more code - it's hard to understand what you're trying to do with the little code you've provided. Thanks. – Philip7899 Dec 11 '13 at 17:14
  • What if I have done `params.permit!` now I want to reverse it back to the default, how can I do that? – barlop Feb 16 '18 at 01:54
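To make the default-deny behaviour described in this answer concrete, and to contrast it with the `permit!` from the question, here is an added example that is not part of the thread: a plain-Ruby stand-in for `ActionController::Parameters` (not Rails' own implementation, and not the poster's code) run over a constructed sign-up request that smuggles in an extra `role` key.

```ruby
# Plain-Ruby stand-in for ActionController::Parameters (not Rails' own code):
# just enough of require / permit / permit! to show what each call lets through.
class DemoParams
  def initialize(hash, permitted: false)
    @hash = hash.transform_keys(&:to_s)
    @permitted = permitted
  end

  # require(:admin): the nested hash must be present (Rails answers 400 otherwise).
  def require(key)
    value = @hash[key.to_s]
    raise ArgumentError, "param is missing: #{key}" if value.nil? || value.empty?
    DemoParams.new(value)
  end

  # permit(*keys): whitelist of scalar keys. Unlisted keys are dropped (Rails logs
  # or raises, per action_on_unpermitted_parameters). With no keys the result is
  # an empty permitted hash, so mass assignment has nothing to work with.
  def permit(*keys)
    allowed = keys.flatten.map(&:to_s)
    kept = @hash.select { |k, v| allowed.include?(k) && (v.is_a?(String) || v.is_a?(Numeric)) }
    DemoParams.new(kept, permitted: true)
  end

  # permit!: everything the client sent is permitted, whatever the form displayed.
  def permit!
    DemoParams.new(@hash, permitted: true)
  end

  def to_h
    raise "unpermitted parameters" unless @permitted
    @hash.dup
  end
end

# Constructed sign-up request: the form fields plus a smuggled "role" key.
REQUEST = { "admin" => { "username" => "alice", "email" => "alice@example.com",
                         "password" => "pw", "password_confirmation" => "pw",
                         "role" => "superuser" } }

def sign_up_params(raw)    # the question's whitelist: "role" is dropped
  DemoParams.new(raw).require(:admin).permit(:username, :email, :password, :password_confirmation).to_h
end

def deny_all_params(raw)   # permit with no keys: the opposite of permit!
  DemoParams.new(raw).require(:admin).permit.to_h
end
def permit_all_params(raw) # permit!: "role" survives
  DemoParams.new(raw).require(:admin).permit!.to_h
end
```

The same three outcomes apply to the real Devise sanitizer blocks in the question: an explicit list keeps only those keys, a block that permits nothing yields an empty hash, and `permit!` passes every submitted key to the model.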