Suggestions on how to improve this question are welcome

I added 3 things to the Devise user after generating it.

t.integer  "role"
t.string   "firstname"
t.string   "lastname"

At User Signup these parameters are permitted and the user is created correctly.

When a user tries to edit their account the "firstname" and "lastname" values can be changed fine, but when a user tries to change their role on their /users/edit page, no error is given, flash says "account updated successfully" but the role value has not changed.

The output from /log/development.log shows all 3 parameters as unpermitted. If this really is the case, I don't know why the other two can be updated.

Parameters: {"utf8"=>"✓", "authenticity_token"=>"LnVPFFJKV+RtnB21ZUGr4HF1siVcEuT/BRXaLVkch1nWQXiGRFVGhdWchlQSZ9A7mFgKX2njEjCbqR4CHp5hmQ==", "user"=>{"role"=>"worker", "firstname"=>"asdfDe Wet", "lastname"=>"Blomerus", "email"=>"dewet@blomerus.org", "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]", "current_password"=>"[FILTERED]"}, "commit"=>"Update"}
  User Load (0.8ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = $1  ORDER BY "users"."id" ASC LIMIT 1  [["id", 6]]
  User Load (0.4ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = $1 LIMIT 1  [["id", 6]]
Unpermitted parameters: role, firstname, lastname
Redirected to http://localhost:3000/
Completed 302 Found in 84ms (ActiveRecord: 1.5ms)

/config/initializers/devise_permitted_parameters.rb

module DevisePermittedParameters
  extend ActiveSupport::Concern

  included do
    before_filter :configure_permitted_parameters
  end

  protected

  def configure_permitted_parameters
    devise_parameter_sanitizer.for(:sign_up) << [:firstname, :lastname, :role]
    devise_parameter_sanitizer.for(:account_update) << [:firstname, :lastname, :role]
  end

end

DeviseController.send :include, DevisePermittedParameters

Relevant parts of /app/controllers/users_controller.rb

def update
  @user = User.find(params[:id])
  if @user.update_attributes(secure_params)
    redirect_to users_path, :notice => "User updated."
  else
    redirect_to users_path, :alert => "Unable to update user."
  end
end

private

def secure_params
  params.require(:user).permit(:role, :firstname, :lastname)
end

The update action never runs; I can completely comment it out and nothing changes.

dewet

1 Answer

This is what works for me with devise:

I change the users/registrations_controller.rb

class Users::RegistrationsController < Devise::RegistrationsController
  before_action :configure_permitted_parameters, only: [:create]
  before_filter :configure_account_update_params, only: [:update]

  def create
    super
  end

  # GET /resource/edit
  def edit
    super
  end

  # PUT /resource
  def update
    super
  end

  # DELETE /resource
  def destroy
    super
  end

  protected

  # Permit-list applied when a user signs up
  def configure_permitted_parameters
    devise_parameter_sanitizer.for(:sign_up) do |u|
      u.permit(:first_name, :last_name, :user_name, :email, :password, :password_confirmation, :avatar, :avatar_cache)
    end
  end

  # Permit-list applied when a user edits their own account
  def configure_account_update_params
    devise_parameter_sanitizer.for(:account_update) do |u|
      u.permit(:first_name, :last_name, :user_name, :email, :password, :password_confirmation, :current_password, :avatar, :avatar_cache)
    end
  end
end

I don't define any update action in the users_controller.rb. It is not needed. Also, I don't use any type of module like the one you are defining and it works fine.

Nate Beers
  • Thank you very much for answering. I didn't have a `registrations_controller.rb` defined so I tried creating it in `app/controllers` or creating an `app/controllers/users` folder and putting it in there. In either case the code doesn't get executed or change anything. How are you getting your requests to use this controller? Did you change the routes file or something else? – dewet Mar 16 '15 at 17:22
  • devise will generate these controllers for you if you type into the terminal: – Nate Beers Mar 16 '15 at 18:00
  • rails generate devise:controllers scope => scope being users or whatever you named your model – Nate Beers Mar 16 '15 at 18:01
  • the devise documentation will guide you through all of this https://github.com/plataformatec/devise – Nate Beers Mar 16 '15 at 18:02
  • Thanks for your patience @nate-beers I didn't understand what part of the documentation I was needing to understand until I read your answer and went back to it. – dewet Mar 16 '15 at 18:40
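
The log in the question shows unpermitted keys being reported while the request still redirects normally. The following added example (not code from the question, the answer, or Devise) is a plain-Ruby model of that permit-list behaviour, and of keeping `role` out of the self-service lists so that a user cannot assign their own role through the edit form; every name and sample value in it is hypothetical or constructed.

```ruby
# Simplified model of per-action permit-lists; not Rails or Devise code.
# All names here are hypothetical and the sample values are constructed.
class NotAuthorized < StandardError; end

PERMITTED = {
  # Self-service actions: profile fields only, never role.
  # (Password fields are left out of this model for brevity.)
  sign_up:        %w[email firstname lastname],
  account_update: %w[email firstname lastname],
  # Admin-only action: the one place a role may be assigned.
  admin_update:   %w[firstname lastname role]
}.freeze

ROLES = %w[worker manager admin].freeze # constructed role names

# Split submitted params into the permitted hash and the dropped key names.
def sanitize(action, submitted)
  allowed = PERMITTED.fetch(action)
  kept, dropped = submitted.partition { |key, _| allowed.include?(key) }
  [kept.to_h, dropped.map(&:first)]
end

# Apply an update the way a permit-list does: dropped keys are logged,
# not rejected, so the request still reports success.
def apply_update(user, action, submitted, actor_admin: false)
  raise NotAuthorized, "#{action} requires an admin" if action == :admin_update && !actor_admin
  attrs, dropped = sanitize(action, submitted)
  return { user: user, ok: false, log: "invalid role" } if attrs.key?("role") && !ROLES.include?(attrs["role"])
  log = dropped.empty? ? nil : "Unpermitted parameters: #{dropped.join(', ')}"
  { user: user.merge(attrs), ok: true, log: log }
end

if __FILE__ == $PROGRAM_NAME
  user = { "firstname" => "Ann", "lastname" => "Example", "role" => "worker" }
  form = { "firstname" => "Anna", "role" => "admin" } # constructed edit-form submission
  p apply_update(user, :account_update, form)          # role stays "worker", drop is logged
  p apply_update(user, :admin_update, { "role" => "manager" }, actor_admin: true)
end
```

Because a dropped key never fails the request, the log line is the only signal; a test that submits `role` through the self-service form and asserts the stored value is unchanged catches a permit-list that has been widened by mistake.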