Class: Devise::ParameterSanitizer
- Inherits:
-
Object
- Object
- Devise::ParameterSanitizer
- Defined in:
- lib/devise/parameter_sanitizer.rb
Overview
The ParameterSanitizer
deals with permitting specific parameters values for each Devise
scope in the application.
The sanitizer knows about Devise default parameters (like password
and password_confirmation
for the ‘RegistrationsController`), and you can extend or change the permitted parameters list on your controllers.
Permitting new parameters
You can add new parameters to the permitted list using the permit
method in a before_action
method, for instance.
class ApplicationController < ActionController::Base
before_action :configure_permitted_parameters, if: :devise_controller?
protected
def configure_permitted_parameters
# Permit the `subscribe_newsletter` parameter along with the other
# sign up parameters.
devise_parameter_sanitizer.permit(:sign_up, keys: [:subscribe_newsletter])
end
end
Using a block yields an ActionController::Parameters
object so you can permit nested parameters and have more control over how the parameters are permitted in your controller.
def configure_permitted_parameters
devise_parameter_sanitizer.permit(:sign_up) do |user|
user.permit(newsletter_preferences: [])
end
end
Constant Summary collapse
- DEFAULT_PERMITTED_ATTRIBUTES =
{ sign_in: [:password, :remember_me], sign_up: [:password, :password_confirmation], account_update: [:password, :password_confirmation, :current_password] }
Instance Method Summary collapse
-
#initialize(resource_class, resource_name, params) ⇒ ParameterSanitizer
constructor
A new instance of ParameterSanitizer.
-
#permit(action, keys: nil, except: nil, &block) ⇒ Object
Add or remove new parameters to the permitted list of an
action
. -
#sanitize(action) ⇒ Object
Sanitize the parameters for a specific
action
.
Constructor Details
#initialize(resource_class, resource_name, params) ⇒ ParameterSanitizer
Returns a new instance of ParameterSanitizer.
44 45 46 47 48 49 50 51 52 53 |
# File 'lib/devise/parameter_sanitizer.rb', line 44 def initialize(resource_class, resource_name, params) @auth_keys = extract_auth_keys(resource_class) @params = params @resource_name = resource_name @permitted = {} DEFAULT_PERMITTED_ATTRIBUTES.each_pair do |action, keys| permit(action, keys: keys) end end |
Instance Method Details
#permit(action, keys: nil, except: nil, &block) ⇒ Object
Add or remove new parameters to the permitted list of an action
.
Arguments
-
action
- ASymbol
with the action that the controller is performing, likesign_up
,sign_in
, etc. -
keys:
- AnArray
of keys that also should be permitted. -
except:
- AnArray
of keys that shouldn’t be permitted. -
block
- A block that should be used to permit the action parameters instead of theArray
based approach. The block will be called with anActionController::Parameters
instance.
Examples
# Adding new parameters to be permitted in the `sign_up` action.
devise_parameter_sanitizer.permit(:sign_up, keys: [:subscribe_newsletter])
# Removing the `password` parameter from the `account_update` action.
devise_parameter_sanitizer.permit(:account_update, except: [:password])
# Using the block form to completely override how we permit the
# parameters for the `sign_up` action.
devise_parameter_sanitizer.permit(:sign_up) do |user|
user.permit(:email, :password, :password_confirmation)
end
Returns nothing.
110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 |
# File 'lib/devise/parameter_sanitizer.rb', line 110 def permit(action, keys: nil, except: nil, &block) if block_given? @permitted[action] = block end if keys.present? @permitted[action] ||= @auth_keys.dup @permitted[action].concat(keys) end if except.present? @permitted[action] ||= @auth_keys.dup @permitted[action] = @permitted[action] - except end end |
#sanitize(action) ⇒ Object
Sanitize the parameters for a specific action
.
Arguments
-
action
- ASymbol
with the action that the controller is performing, likesign_up
,sign_in
, etc.
Examples
# Inside the `RegistrationsController#create` action.
resource = build_resource(devise_parameter_sanitizer.sanitize(:sign_up))
resource.save
Returns an ActiveSupport::HashWithIndifferentAccess
with the permitted attributes.
70 71 72 73 74 75 76 77 78 79 80 |
# File 'lib/devise/parameter_sanitizer.rb', line 70 def sanitize(action) = @permitted[action] if .respond_to?(:call) cast_to_hash .call(default_params) elsif .present? cast_to_hash permit_keys(default_params, ) else unknown_action!(action) end end |