This is a pattern often referred to:

```ruby
class ApplicationController < ActionController::Base
  before_action :configure_permitted_parameters, if: :devise_controller?

  protected

  def configure_permitted_parameters
    devise_parameter_sanitizer.permit(:sign_up, keys: [:username])
  end
end
```

However, the practical application is missing context. Here is an example of the reaction of a Rails app with Devise installed:

```
Unpermitted parameters: :municipal_id, :regionminor_id, :regionmajor_id, :login_name, :kee, :virtual_qr_code.
Context: { controller: Users::RegistrationsController, action: create, request: #<ActionDispatch::Request:0x0000000110c0ca40>,
params: {"authenticity_token"=>"[FILTERED]", "user"=>{
"email"=>"kk@nie.mi", "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]", "name_first"=>"k",
"name_last"=>"k",
"public_persona"=>"",
"nation_id"=>"19",
"idiom_id"=>"14",
"municipal_other"=>"Comabbio",
"sex_id"=>"85",
"date_of_birth"=>"",
"conditions_accepted"=>"0"}, "commit"=>"Sign up", "controller"=>"users/registrations", "action"=>"create"} }
```

Note that NONE of the parameters that are deemed 'unpermitted' are being submitted by the form. And the role of strong parameters is to avoid injection by outside parties of unwanted parameters.

The above "unpermitted" parameters are object attributes, but processed by the application. Is there a way to specify this - in the pure sense of the strong parameter - other than resorting to an after_commit action?