Class: Devise::ParameterSanitizer

Inherits:
Object
  • Object
show all
Defined in:
lib/devise/parameter_sanitizer.rb

Overview

The ParameterSanitizer deals with permitting specific parameters values for each Devise scope in the application.

The sanitizer knows about Devise default parameters (like password and password_confirmation for the ‘RegistrationsController`), and you can extend or change the permitted parameters list on your controllers.

Permitting new parameters

You can add new parameters to the permitted list using the permit method in a before_action method, for instance.

class ApplicationController < ActionController::Base
  before_action :configure_permitted_parameters, if: :devise_controller?

  protected

  def configure_permitted_parameters
    # Permit the `subscribe_newsletter` parameter along with the other
    # sign up parameters.
    devise_parameter_sanitizer.permit(:sign_up, keys: [:subscribe_newsletter])
  end
end

Using a block yields an ActionController::Parameters object so you can permit nested parameters and have more control over how the parameters are permitted in your controller.

def configure_permitted_parameters
  devise_parameter_sanitizer.permit(:sign_up) do |user|
    user.permit(newsletter_preferences: [])
  end
end

Constant Summary collapse

DEFAULT_PERMITTED_ATTRIBUTES =
{
  sign_in: [:password, :remember_me],
  sign_up: [:password, :password_confirmation],
  account_update: [:password, :password_confirmation, :current_password]
}

Instance Method Summary collapse

Constructor Details

#initialize(resource_class, resource_name, params) ⇒ ParameterSanitizer

Returns a new instance of ParameterSanitizer.



44
45
46
47
48
49
50
51
52
53
# File 'lib/devise/parameter_sanitizer.rb', line 44

def initialize(resource_class, resource_name, params)
  @auth_keys      = extract_auth_keys(resource_class)
  @params         = params
  @resource_name  = resource_name
  @permitted      = {}

  DEFAULT_PERMITTED_ATTRIBUTES.each_pair do |action, keys|
    permit(action, keys: keys)
  end
end

Instance Method Details

#permit(action, keys: nil, except: nil, &block) ⇒ Object

Add or remove new parameters to the permitted list of an action.

Arguments

  • action - A Symbol with the action that the controller is performing, like sign_up, sign_in, etc.

  • keys: - An Array of keys that also should be permitted.

  • except: - An Array of keys that shouldn’t be permitted.

  • block - A block that should be used to permit the action parameters instead of the Array based approach. The block will be called with an ActionController::Parameters instance.

Examples

# Adding new parameters to be permitted in the `sign_up` action.
devise_parameter_sanitizer.permit(:sign_up, keys: [:subscribe_newsletter])

# Removing the `password` parameter from the `account_update` action.
devise_parameter_sanitizer.permit(:account_update, except: [:password])

# Using the block form to completely override how we permit the
# parameters for the `sign_up` action.
devise_parameter_sanitizer.permit(:sign_up) do |user|
  user.permit(:email, :password, :password_confirmation)
end

Returns nothing.



110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
# File 'lib/devise/parameter_sanitizer.rb', line 110

def permit(action, keys: nil, except: nil, &block)
  if block_given?
    @permitted[action] = block
  end

  if keys.present?
    @permitted[action] ||= @auth_keys.dup
    @permitted[action].concat(keys)
  end

  if except.present?
    @permitted[action] ||= @auth_keys.dup
    @permitted[action] = @permitted[action] - except
  end
end

#sanitize(action) ⇒ Object

Sanitize the parameters for a specific action.

Arguments

  • action - A Symbol with the action that the controller is performing, like sign_up, sign_in, etc.

Examples

# Inside the `RegistrationsController#create` action.
resource = build_resource(devise_parameter_sanitizer.sanitize(:sign_up))
resource.save

Returns an ActiveSupport::HashWithIndifferentAccess with the permitted attributes.



70
71
72
73
74
75
76
77
78
79
80
# File 'lib/devise/parameter_sanitizer.rb', line 70

def sanitize(action)
  permissions = @permitted[action]

  if permissions.respond_to?(:call)
    cast_to_hash permissions.call(default_params)
  elsif permissions.present?
    cast_to_hash permit_keys(default_params, permissions)
  else
    unknown_action!(action)
  end
end