
I've gone through the documentation but I still can't get my head around the syntax/formatting.

I am pretty new to Rails. I have this in my model:

```ruby
attr_accessible :email, :username
```

Because of the changes in Rails 4.0, this needs to be moved over to my controller.

If I put this in my controller, would it be correct? (This is what I think the documentation says to do, but I'm not sure if I interpreted it correctly.)

```ruby
before_filter :configure_permitted_parameters, if: :devise_controller?

protected

def configure_permitted_parameters
  devise_parameter_sanitizer.for(:sign_up) << :username
end
```

To me something like this makes more sense, can I do this?:

```ruby
protected

def permitted_parameters
  params.require(:username, :email).permit(:username, :email)
end
```

Any suggestions appreciated, thanks.

user3408293
  • Have a look at this - http://stackoverflow.com/questions/11904105/devise-and-strong-parameters – cristian Mar 28 '14 at 09:59
  • You don't need `attr_accessible` in Rails 4 ;) – Richard Peck Mar 28 '14 at 10:14
  • @RichPeck so I should just leave it off completely and not do anything in my controllers? What do you mean? – user3408293 Mar 28 '14 at 10:42
  • Rails 4 uses `strong_params`, meaning you don't need any reference to `attr_accessible` any more! You should remove it from your controllers – Richard Peck Mar 28 '14 at 10:43
  • Are you sure? In the documentation it says we need to move our attr_accessible to our controllers, or the equivalent of it (protected, permitted params, etc). I'm extremely confused... – user3408293 Mar 28 '14 at 10:46

1 Answer

While it would make more sense to do a `params.require` like everywhere else in your controllers, you cannot do so here with Devise because:

  • Devise would need to know how you called your method (here `permitted_parameters`)
  • You don't want to filter these parameters for every controller

That is why you need to use Devise's `devise_parameter_sanitizer` and make sure to apply it only if you are on a `devise_controller?`.

As a side note, in your second example:

```ruby
params.require(:username, :email).permit(:username, :email)
```

The `require` method should not take a list of attributes but the name under which attributes are grouped. On a different controller it should rather look like this:

```ruby
params.require(:user).permit(:username, :email)
```

This would allow the following parameters: `user[username]=Joe&user[email]=joe@example.org`

Sunny
  • So was my interpretation of the documentation correct? Would my first piece of code work, or would I have to substitute some parameters somewhere? Nowhere in that code does it say username or email, so that is why it's not too intuitive to me. – user3408293 Mar 28 '14 at 10:44
  • Yes your first piece of code should work but it is only needed if you ask your users for more info than `email` and `password` on signup. If users need to enter a `username`, then you need to add this. – Sunny Mar 28 '14 at 10:50
  • There is a password confirmation field as well, but that is part of the password and shouldn't require this either, correct? – user3408293 Mar 28 '14 at 10:58
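
The allow-list behaviour discussed in the answer, as an added example that is not part of the original posts and is not Rails or Devise code: a plain-Ruby model of `require` followed by `permit`, run over a constructed sign-up request that carries an extra `admin` field. The helper names (`parse_query`, `require_group`, `permit`, `sign_up_attributes`), the `admin` field, the sample values and the listed Devise sign-up defaults (with `:email` as the authentication key) are assumptions made for the illustration.

```ruby
require "uri"

# Stand-in for the error Rails raises when the required group is missing.
class ParameterMissing < StandardError; end

# Parse "user[email]=a&token=b" into {"user"=>{"email"=>"a"}, "token"=>"b"}.
# Handles one level of nesting only, which is all this example needs.
def parse_query(query)
  URI.decode_www_form(query).each_with_object({}) do |(name, value), out|
    if (m = name.match(/\A(\w+)\[(\w+)\]\z/))
      group = out[m[1]].is_a?(Hash) ? out[m[1]] : (out[m[1]] = {})
      group[m[2]] = value
    else
      out[name] = value
    end
  end
end

# Model of require: fetch the ONE key the attributes are grouped under.
def require_group(params, key)
  group = params[key.to_s]
  unless group.is_a?(Hash) && !group.empty?
    raise ParameterMissing, "param is missing or empty: #{key}"
  end
  group
end

# Model of permit: keep allow-listed keys with scalar values, drop the rest.
def permit(group, *allowed)
  names = allowed.map(&:to_s)
  group.select { |key, value| names.include?(key) && value.is_a?(String) }
end

# Assumed Devise sign-up defaults (with :email as the authentication key),
# plus the :username the question's sanitizer line appends.
SIGN_UP_KEYS = [:email, :password, :password_confirmation, :username].freeze

def sign_up_attributes(query)
  permit(require_group(parse_query(query), :user), *SIGN_UP_KEYS)
end

# Constructed request body: a normal sign-up plus a field the form never offered.
SAMPLE = "user[username]=Joe&user[email]=joe%40example.org" \
         "&user[password]=s3cret-pass&user[password_confirmation]=s3cret-pass" \
         "&user[admin]=true"

p sign_up_attributes(SAMPLE) if __FILE__ == $PROGRAM_NAME
```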