Class: ActionController::Parameters
- Inherits:
-
Object
- Object
- ActionController::Parameters
- Includes:
- ActiveSupport::DeepMergeable
- Defined in:
- lib/action_controller/metal/strong_parameters.rb
Overview
# Action Controller Parameters
Allows you to choose which attributes should be permitted for mass updating and thus prevent accidentally exposing that which shouldn’t be exposed.
Provides methods for filtering and requiring params:
-
‘expect` to safely permit and require parameters in one step.
-
‘permit` to filter params for mass assignment.
-
‘require` to require a parameter or raise an error.
Examples:
params = ActionController::Parameters.new({
person: {
name: "Francesco",
age: 22,
role: "admin"
}
})
permitted = params.expect(person: [:name, :age])
permitted # => #<ActionController::Parameters {"name"=>"Francesco", "age"=>22} permitted: true>
Person.first.update!(permitted)
# => #<Person id: 1, name: "Francesco", age: 22, role: "user">
Parameters provides two options that control the top-level behavior of new instances:
-
‘permit_all_parameters` - If it’s ‘true`, all the parameters will be permitted by default. The default is `false`.
-
‘action_on_unpermitted_parameters` - Controls behavior when parameters that are not explicitly permitted are found. The default value is `:log` in test and development environments, `false` otherwise. The values can be:
-
‘false` to take no action.
-
‘:log` to emit an `ActiveSupport::Notifications.instrument` event on the `unpermitted_parameters.action_controller` topic and log at the DEBUG level.
-
‘:raise` to raise an ActionController::UnpermittedParameters exception.
-
Examples:
params = ActionController::Parameters.new
params.permitted? # => false
ActionController::Parameters.permit_all_parameters = true
params = ActionController::Parameters.new
params.permitted? # => true
params = ActionController::Parameters.new(a: "123", b: "456")
params.permit(:c)
# => #<ActionController::Parameters {} permitted: true>
ActionController::Parameters.action_on_unpermitted_parameters = :raise
params = ActionController::Parameters.new(a: "123", b: "456")
params.permit(:c)
# => ActionController::UnpermittedParameters: found unpermitted keys: a, b
Please note that these options *are not thread-safe*. In a multi-threaded environment they should only be set once at boot-time and never mutated at runtime.
You can fetch values of ‘ActionController::Parameters` using either `:key` or `“key”`.
params = ActionController::Parameters.new(key: "value")
params[:key] # => "value"
params["key"] # => "value"
Class Method Summary collapse
-
.hook_into_yaml_loading ⇒ Object
:nodoc:.
-
.nested_attribute?(key, value) ⇒ Boolean
:nodoc:.
Instance Method Summary collapse
-
#==(other) ⇒ Object
Returns true if another ‘Parameters` object contains the same content and permitted flag.
-
#[](key) ⇒ Object
Returns a parameter for the given ‘key`.
-
#[]=(key, value) ⇒ Object
Assigns a value to a given ‘key`.
-
#compact ⇒ Object
Returns a new ‘ActionController::Parameters` instance with `nil` values removed.
-
#compact! ⇒ Object
Removes all ‘nil` values in place and returns `self`, or `nil` if no changes were made.
-
#compact_blank ⇒ Object
Returns a new ‘ActionController::Parameters` instance without the blank values.
-
#compact_blank! ⇒ Object
Removes all blank values in place and returns self.
-
#converted_arrays ⇒ Object
Attribute that keeps track of converted arrays, if any, to avoid double looping in the common use case permit + mass-assignment.
-
#deep_dup ⇒ Object
Returns a duplicate ‘ActionController::Parameters` instance with the same permitted parameters.
-
#deep_merge?(other_hash) ⇒ Boolean
:nodoc:.
-
#deep_transform_keys(&block) ⇒ Object
Returns a new ‘ActionController::Parameters` instance with the results of running `block` once for every key.
-
#deep_transform_keys!(&block) ⇒ Object
Returns the same ‘ActionController::Parameters` instance with changed keys.
-
#delete(key, &block) ⇒ Object
Deletes a key-value pair from ‘Parameters` and returns the value.
-
#dig(*keys) ⇒ Object
Extracts the nested parameter from the given ‘keys` by calling `dig` at each step.
-
#each_pair(&block) ⇒ Object
(also: #each)
Convert all hashes in values into parameters, then yield each pair in the same way as ‘Hash#each_pair`.
-
#each_value(&block) ⇒ Object
Convert all hashes in values into parameters, then yield each value in the same way as ‘Hash#each_value`.
-
#encode_with(coder) ⇒ Object
:nodoc:.
- #eql?(other) ⇒ Boolean
-
#except(*keys) ⇒ Object
(also: #without)
Returns a new ‘ActionController::Parameters` instance that filters out the given `keys`.
-
#expect(*filters) ⇒ Object
‘expect` is the preferred way to require and permit parameters.
-
#expect!(*filters) ⇒ Object
Same as ‘expect`, but raises an `ActionController::ExpectedParameterMissing` instead of `ActionController::ParameterMissing`.
-
#extract!(*keys) ⇒ Object
Removes and returns the key/value pairs matching the given keys.
-
#extract_value(key, delimiter: "_") ⇒ Object
Returns parameter value for the given ‘key` separated by `delimiter`.
-
#fetch(key, *args) ⇒ Object
Returns a parameter for the given ‘key`.
-
#has_value?(value) ⇒ Boolean
(also: #value?)
Returns true if the given value is present for some key in the parameters.
- #hash ⇒ Object
-
#init_with(coder) ⇒ Object
:nodoc:.
-
#initialize(parameters = {}, logging_context = {}) ⇒ Parameters
constructor
Returns a new ‘ActionController::Parameters` instance.
- #inspect ⇒ Object
-
#keys ⇒ Object
:method: to_s.
-
#merge(other_hash) ⇒ Object
Returns a new ‘ActionController::Parameters` instance with all keys from `other_hash` merged into current hash.
-
#merge!(other_hash, &block) ⇒ Object
:call-seq: merge!(other_hash).
-
#permit(*filters) ⇒ Object
Returns a new ‘ActionController::Parameters` instance that includes only the given `filters` and sets the `permitted` attribute for the object to `true`.
-
#permit! ⇒ Object
Sets the ‘permitted` attribute to `true`.
-
#permitted? ⇒ Boolean
Returns ‘true` if the parameter is permitted, `false` otherwise.
-
#reject(&block) ⇒ Object
Returns a new ‘ActionController::Parameters` instance with items that the block evaluates to true removed.
-
#reject!(&block) ⇒ Object
(also: #delete_if)
Removes items that the block evaluates to true and returns self.
-
#require(key) ⇒ Object
(also: #required)
This method accepts both a single key and an array of keys.
-
#reverse_merge(other_hash) ⇒ Object
(also: #with_defaults)
Returns a new ‘ActionController::Parameters` instance with all keys from current hash merged into `other_hash`.
-
#reverse_merge!(other_hash) ⇒ Object
(also: #with_defaults!)
Returns the current ‘ActionController::Parameters` instance with current hash merged into `other_hash`.
-
#select(&block) ⇒ Object
Returns a new ‘ActionController::Parameters` instance with only items that the block evaluates to true.
-
#select!(&block) ⇒ Object
(also: #keep_if)
Equivalent to Hash#keep_if, but returns ‘nil` if no changes were made.
-
#slice(*keys) ⇒ Object
Returns a new ‘ActionController::Parameters` instance that includes only the given `keys`.
-
#slice!(*keys) ⇒ Object
Returns the current ‘ActionController::Parameters` instance which contains only the given `keys`.
-
#stringify_keys ⇒ Object
This is required by ActiveModel attribute assignment, so that user can pass ‘Parameters` to a mass assignment methods in a model.
-
#to_h(&block) ⇒ Object
Returns a safe ActiveSupport::HashWithIndifferentAccess representation of the parameters with all unpermitted keys removed.
-
#to_hash ⇒ Object
Returns a safe ‘Hash` representation of the parameters with all unpermitted keys removed.
-
#to_query(*args) ⇒ Object
(also: #to_param)
Returns a string representation of the receiver suitable for use as a URL query string:.
-
#to_unsafe_h ⇒ Object
(also: #to_unsafe_hash)
Returns an unsafe, unfiltered ActiveSupport::HashWithIndifferentAccess representation of the parameters.
-
#transform_keys(&block) ⇒ Object
Returns a new ‘ActionController::Parameters` instance with the results of running `block` once for every key.
-
#transform_keys!(&block) ⇒ Object
Performs keys transformation and returns the altered ‘ActionController::Parameters` instance.
-
#transform_values ⇒ Object
Returns a new ‘ActionController::Parameters` instance with the results of running `block` once for every value.
-
#transform_values! ⇒ Object
Performs values transformation and returns the altered ‘ActionController::Parameters` instance.
-
#values ⇒ Object
Returns a new array of the values of the parameters.
-
#values_at(*keys) ⇒ Object
Returns values that were assigned to the given ‘keys`.
Constructor Details
#initialize(parameters = {}, logging_context = {}) ⇒ Parameters
Returns a new ‘ActionController::Parameters` instance. Also, sets the `permitted` attribute to the default value of `ActionController::Parameters.permit_all_parameters`.
class Person < ActiveRecord::Base
end
params = ActionController::Parameters.new(name: "Francesco")
params.permitted? # => false
Person.new(params) # => ActiveModel::ForbiddenAttributesError
ActionController::Parameters.permit_all_parameters = true
params = ActionController::Parameters.new(name: "Francesco")
params.permitted? # => true
Person.new(params) # => #<Person id: nil, name: "Francesco">
287 288 289 290 291 292 293 294 295 296 297 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 287 def initialize(parameters = {}, logging_context = {}) parameters.each_key do |key| unless key.is_a?(String) || key.is_a?(Symbol) raise InvalidParameterKey, "all keys must be Strings or Symbols, got: #{key.class}" end end @parameters = parameters.with_indifferent_access @logging_context = logging_context @permitted = self.class.permit_all_parameters end |
Class Method Details
.hook_into_yaml_loading ⇒ Object
:nodoc:
1059 1060 1061 1062 1063 1064 1065 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 1059 def self.hook_into_yaml_loading # :nodoc: # Wire up YAML format compatibility with Rails 4.2 and Psych 2.0.8 and 2.0.9+. # Makes the YAML parser call `init_with` when it encounters the keys below # instead of trying its own parsing routines. YAML.["!ruby/hash-with-ivars:ActionController::Parameters"] = name YAML.["!ruby/hash:ActionController::Parameters"] = name end |
.nested_attribute?(key, value) ⇒ Boolean
:nodoc:
266 267 268 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 266 def nested_attribute?(key, value) # :nodoc: /\A-?\d+\z/.match?(key) && (value.is_a?(Hash) || value.is_a?(Parameters)) end |
Instance Method Details
#==(other) ⇒ Object
Returns true if another ‘Parameters` object contains the same content and permitted flag.
301 302 303 304 305 306 307 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 301 def ==(other) if other.respond_to?(:permitted?) permitted? == other.permitted? && parameters == other.parameters else super end end |
#[](key) ⇒ Object
Returns a parameter for the given ‘key`. If not found, returns `nil`.
params = ActionController::Parameters.new(person: { name: "Francesco" })
params[:person] # => #<ActionController::Parameters {"name"=>"Francesco"} permitted: false>
params[:none] # => nil
797 798 799 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 797 def [](key) convert_hashes_to_parameters(key, @parameters[key]) end |
#[]=(key, value) ⇒ Object
Assigns a value to a given ‘key`. The given key may still get filtered out when #permit is called.
803 804 805 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 803 def []=(key, value) @parameters[key] = value end |
#compact ⇒ Object
Returns a new ‘ActionController::Parameters` instance with `nil` values removed.
974 975 976 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 974 def compact new_instance_with_inherited_permitted_status(@parameters.compact) end |
#compact! ⇒ Object
Removes all ‘nil` values in place and returns `self`, or `nil` if no changes were made.
980 981 982 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 980 def compact! self if @parameters.compact! end |
#compact_blank ⇒ Object
Returns a new ‘ActionController::Parameters` instance without the blank values. Uses Object#blank? for determining if a value is blank.
986 987 988 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 986 def compact_blank reject { |_k, v| v.blank? } end |
#compact_blank! ⇒ Object
Removes all blank values in place and returns self. Uses Object#blank? for determining if a value is blank.
992 993 994 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 992 def compact_blank! reject! { |_k, v| v.blank? } end |
#converted_arrays ⇒ Object
Attribute that keeps track of converted arrays, if any, to avoid double looping in the common use case permit + mass-assignment. Defined in a method to instantiate it only if needed.
Testing membership still loops, but it’s going to be faster than our own loop that converts values. Also, we are not going to build a new array object per fetch.
435 436 437 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 435 def converted_arrays @converted_arrays ||= Set.new end |
#deep_dup ⇒ Object
Returns a duplicate ‘ActionController::Parameters` instance with the same permitted parameters.
1092 1093 1094 1095 1096 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 1092 def deep_dup self.class.new(@parameters.deep_dup, @logging_context).tap do |duplicate| duplicate.permitted = @permitted end end |
#deep_merge?(other_hash) ⇒ Boolean
:nodoc:
1027 1028 1029 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 1027 def deep_merge?(other_hash) # :nodoc: other_hash.is_a?(ActiveSupport::DeepMergeable) end |
#deep_transform_keys(&block) ⇒ Object
Returns a new ‘ActionController::Parameters` instance with the results of running `block` once for every key. This includes the keys from the root hash and from all nested hashes and arrays. The values are unchanged.
924 925 926 927 928 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 924 def deep_transform_keys(&block) new_instance_with_inherited_permitted_status( _deep_transform_keys_in_object(@parameters, &block).to_unsafe_h ) end |
#deep_transform_keys!(&block) ⇒ Object
Returns the same ‘ActionController::Parameters` instance with changed keys. This includes the keys from the root hash and from all nested hashes and arrays. The values are unchanged.
933 934 935 936 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 933 def deep_transform_keys!(&block) @parameters = _deep_transform_keys_in_object(@parameters, &block).to_unsafe_h self end |
#delete(key, &block) ⇒ Object
Deletes a key-value pair from ‘Parameters` and returns the value. If `key` is not found, returns `nil` (or, with optional code block, yields `key` and returns the result). This method is similar to #extract!, which returns the corresponding `ActionController::Parameters` object.
942 943 944 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 942 def delete(key, &block) convert_value_to_parameters(@parameters.delete(key, &block)) end |
#dig(*keys) ⇒ Object
Extracts the nested parameter from the given ‘keys` by calling `dig` at each step. Returns `nil` if any intermediate step is `nil`.
params = ActionController::Parameters.new(foo: { bar: { baz: 1 } })
params.dig(:foo, :bar, :baz) # => 1
params.dig(:foo, :zot, :xyz) # => nil
params2 = ActionController::Parameters.new(foo: [10, 11, 12])
params2.dig(:foo, 1) # => 11
841 842 843 844 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 841 def dig(*keys) convert_hashes_to_parameters(keys.first, @parameters[keys.first]) @parameters.dig(*keys) end |
#each_pair(&block) ⇒ Object Also known as: each
Convert all hashes in values into parameters, then yield each pair in the same way as ‘Hash#each_pair`.
402 403 404 405 406 407 408 409 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 402 def each_pair(&block) return to_enum(__callee__) unless block_given? @parameters.each_pair do |key, value| yield [key, convert_hashes_to_parameters(key, value)] end self end |
#each_value(&block) ⇒ Object
Convert all hashes in values into parameters, then yield each value in the same way as ‘Hash#each_value`.
414 415 416 417 418 419 420 421 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 414 def each_value(&block) return to_enum(:each_value) unless block_given? @parameters.each_pair do |key, value| yield convert_hashes_to_parameters(key, value) end self end |
#encode_with(coder) ⇒ Object
:nodoc:
1086 1087 1088 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 1086 def encode_with(coder) # :nodoc: coder.map = { "parameters" => @parameters, "permitted" => @permitted } end |
#eql?(other) ⇒ Boolean
309 310 311 312 313 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 309 def eql?(other) self.class == other.class && permitted? == other.permitted? && parameters.eql?(other.parameters) end |
#except(*keys) ⇒ Object Also known as: without
Returns a new ‘ActionController::Parameters` instance that filters out the given `keys`.
params = ActionController::Parameters.new(a: 1, b: 2, c: 3)
params.except(:a, :b) # => #<ActionController::Parameters {"c"=>3} permitted: false>
params.except(:d) # => #<ActionController::Parameters {"a"=>1, "b"=>2, "c"=>3} permitted: false>
869 870 871 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 869 def except(*keys) new_instance_with_inherited_permitted_status(@parameters.except(*keys)) end |
#expect(*filters) ⇒ Object
‘expect` is the preferred way to require and permit parameters. It is safer than the previous recommendation to call `permit` and `require` in sequence, which could allow user triggered 500 errors.
‘expect` is more strict with types to avoid a number of potential pitfalls that may be encountered with the `.require.permit` pattern.
For example:
params = ActionController::Parameters.new(comment: { text: "hello" })
params.expect(comment: [:text])
# => #<ActionController::Parameters { text: "hello" } permitted: true>
params = ActionController::Parameters.new(comment: [{ text: "hello" }, { text: "world" }])
params.expect(comment: [:text])
# => ActionController::ParameterMissing: param is missing or the value is empty or invalid: comment
In order to permit an array of parameters, the array must be defined explicitly. Use double array brackets, an array inside an array, to declare that an array of parameters is expected.
params = ActionController::Parameters.new(comments: [{ text: "hello" }, { text: "world" }])
params.expect(comments: [[:text]])
# => [#<ActionController::Parameters { "text" => "hello" } permitted: true>,
# #<ActionController::Parameters { "text" => "world" } permitted: true>]
params = ActionController::Parameters.new(comments: { text: "hello" })
params.expect(comments: [[:text]])
# => ActionController::ParameterMissing: param is missing or the value is empty or invalid: comments
‘expect` is intended to protect against array tampering.
params = ActionController::Parameters.new(user: "hack")
# The previous way of requiring and permitting parameters will error
params.require(:user).permit(:name, pets: [:name]) # wrong
# => NoMethodError: undefined method `permit' for an instance of String
# similarly with nested parameters
params = ActionController::Parameters.new(user: { name: "Martin", pets: { name: "hack" } })
user_params = params.require(:user).permit(:name, pets: [:name]) # wrong
# user_params[:pets] is expected to be an array but is a hash
‘expect` solves this by being more strict with types.
params = ActionController::Parameters.new(user: "hack")
params.expect(user: [ :name, pets: [[:name]] ])
# => ActionController::ParameterMissing: param is missing or the value is empty or invalid: user
# with nested parameters
params = ActionController::Parameters.new(user: { name: "Martin", pets: { name: "hack" } })
user_params = params.expect(user: [:name, pets: [[:name]] ])
user_params[:pets] # => nil
As the examples show, ‘expect` requires the `:user` key, and any root keys similar to the `.require.permit` pattern. If multiple root keys are expected, they will all be required.
params = ActionController::Parameters.new(name: "Martin", pies: [{ type: "dessert", flavor: "pumpkin"}])
name, pies = params.expect(:name, pies: [[:type, :flavor]])
name # => "Martin"
pies # => [#<ActionController::Parameters {"type"=>"dessert", "flavor"=>"pumpkin"} permitted: true>]
When called with a hash with multiple keys, ‘expect` will permit the parameters and require the keys in the order they are given in the hash, returning an array of the permitted parameters.
params = ActionController::Parameters.new(subject: { name: "Martin" }, object: { pie: "pumpkin" })
subject, object = params.expect(subject: [:name], object: [:pie])
subject # => #<ActionController::Parameters {"name"=>"Martin"} permitted: true>
object # => #<ActionController::Parameters {"pie"=>"pumpkin"} permitted: true>
Besides being more strict about array vs hash params, ‘expect` uses permit internally, so it will behave similarly.
params = ActionController::Parameters.new({
person: {
name: "Francesco",
age: 22,
pets: [{
name: "Purplish",
category: "dogs"
}]
}
})
permitted = params.expect(person: [ :name, { pets: [[:name]] } ])
permitted.permitted? # => true
permitted[:name] # => "Francesco"
permitted[:age] # => nil
permitted[:pets][0][:name] # => "Purplish"
permitted[:pets][0][:category] # => nil
An array of permitted scalars may be expected with the following:
params = ActionController::Parameters.new(tags: ["rails", "parameters"])
permitted = params.expect(tags: [])
permitted.permitted? # => true
permitted.is_a?(Array) # => true
permitted.size # => 2
772 773 774 775 776 777 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 772 def expect(*filters) params = permit_filters(filters) keys = filters.flatten.flat_map { |f| f.is_a?(Hash) ? f.keys : f } values = params.require(keys) values.size == 1 ? values.first : values end |
#expect!(*filters) ⇒ Object
Same as ‘expect`, but raises an `ActionController::ExpectedParameterMissing` instead of `ActionController::ParameterMissing`. Unlike `expect` which will render a 400 response, `expect!` will raise an exception that is not handled. This is intended for debugging invalid params for an internal API where incorrectly formatted params would indicate a bug in a client library that should be fixed.
786 787 788 789 790 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 786 def expect!(*filters) expect(*filters) rescue ParameterMissing => e raise ExpectedParameterMissing.new(e.param, e.keys) end |
#extract!(*keys) ⇒ Object
Removes and returns the key/value pairs matching the given keys.
params = ActionController::Parameters.new(a: 1, b: 2, c: 3)
params.extract!(:a, :b) # => #<ActionController::Parameters {"a"=>1, "b"=>2} permitted: false>
params # => #<ActionController::Parameters {"c"=>3} permitted: false>
879 880 881 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 879 def extract!(*keys) new_instance_with_inherited_permitted_status(@parameters.extract!(*keys)) end |
#extract_value(key, delimiter: "_") ⇒ Object
Returns parameter value for the given ‘key` separated by `delimiter`.
params = ActionController::Parameters.new(id: "1_123", tags: "ruby,rails")
params.extract_value(:id) # => ["1", "123"]
params.extract_value(:tags, delimiter: ",") # => ["ruby", "rails"]
params.extract_value(:non_existent_key) # => nil
Note that if the given ‘key`’s value contains blank elements, then the returned array will include empty strings.
params = ActionController::Parameters.new(tags: "ruby,rails,,web")
params.extract_value(:tags, delimiter: ",") # => ["ruby", "rails", "", "web"]
1110 1111 1112 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 1110 def extract_value(key, delimiter: "_") @parameters[key]&.split(delimiter, -1) end |
#fetch(key, *args) ⇒ Object
Returns a parameter for the given ‘key`. If the `key` can’t be found, there are several options: With no other arguments, it will raise an ActionController::ParameterMissing error; if a second argument is given, then that is returned (converted to an instance of ‘ActionController::Parameters` if possible); if a block is given, then that will be run and its result returned.
params = ActionController::Parameters.new(person: { name: "Francesco" })
params.fetch(:person) # => #<ActionController::Parameters {"name"=>"Francesco"} permitted: false>
params.fetch(:none) # => ActionController::ParameterMissing: param is missing or the value is empty or invalid: none
params.fetch(:none, {}) # => #<ActionController::Parameters {} permitted: false>
params.fetch(:none, "Francesco") # => "Francesco"
params.fetch(:none) { "Francesco" } # => "Francesco"
820 821 822 823 824 825 826 827 828 829 830 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 820 def fetch(key, *args) convert_value_to_parameters( @parameters.fetch(key) { if block_given? yield else args.fetch(0) { raise ActionController::ParameterMissing.new(key, @parameters.keys) } end } ) end |
#has_value?(value) ⇒ Boolean Also known as: value?
Returns true if the given value is present for some key in the parameters.
997 998 999 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 997 def has_value?(value) each_value.include?(convert_value_to_parameters(value)) end |
#hash ⇒ Object
315 316 317 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 315 def hash [self.class, @parameters, @permitted].hash end |
#init_with(coder) ⇒ Object
:nodoc:
1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 1068 def init_with(coder) # :nodoc: case coder.tag when "!ruby/hash:ActionController::Parameters" # YAML 2.0.8's format where hash instance variables weren't stored. @parameters = coder.map.with_indifferent_access @permitted = false when "!ruby/hash-with-ivars:ActionController::Parameters" # YAML 2.0.9's Hash subclass format where keys and values were stored under an # elements hash and `permitted` within an ivars hash. @parameters = coder.map["elements"].with_indifferent_access @permitted = coder.map["ivars"][:@permitted] when "!ruby/object:ActionController::Parameters" # YAML's Object format. Only needed because of the format backwards # compatibility above, otherwise equivalent to YAML's initialization. @parameters, @permitted = coder.map["parameters"], coder.map["permitted"] end end |
#inspect ⇒ Object
1055 1056 1057 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 1055 def inspect "#<#{self.class} #{@parameters} permitted: #{@permitted}>" end |
#keys ⇒ Object
:method: to_s
:call-seq:
to_s()
Returns the content of the parameters as a string.
250 251 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 250 delegate :keys, :empty?, :exclude?, :include?, :as_json, :to_s, :each_key, to: :@parameters |
#merge(other_hash) ⇒ Object
Returns a new ‘ActionController::Parameters` instance with all keys from `other_hash` merged into current hash.
1011 1012 1013 1014 1015 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 1011 def merge(other_hash) new_instance_with_inherited_permitted_status( @parameters.merge(other_hash.to_h) ) end |
#merge!(other_hash, &block) ⇒ Object
:call-seq: merge!(other_hash)
Returns the current ‘ActionController::Parameters` instance with `other_hash` merged into current hash.
1022 1023 1024 1025 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 1022 def merge!(other_hash, &block) @parameters.merge!(other_hash.to_h, &block) self end |
#permit(*filters) ⇒ Object
Returns a new ‘ActionController::Parameters` instance that includes only the given `filters` and sets the `permitted` attribute for the object to `true`. This is useful for limiting which attributes should be allowed for mass updating.
params = ActionController::Parameters.new(name: "Francesco", age: 22, role: "admin")
permitted = params.permit(:name, :age)
permitted.permitted? # => true
permitted.has_key?(:name) # => true
permitted.has_key?(:age) # => true
permitted.has_key?(:role) # => false
Only permitted scalars pass the filter. For example, given
params.permit(:name)
‘:name` passes if it is a key of `params` whose associated value is of type `String`, `Symbol`, `NilClass`, `Numeric`, `TrueClass`, `FalseClass`, `Date`, `Time`, `DateTime`, `StringIO`, `IO`, ActionDispatch::Http::UploadedFile or `Rack::Test::UploadedFile`. Otherwise, the key `:name` is filtered out.
You may declare that the parameter should be an array of permitted scalars by mapping it to an empty array:
params = ActionController::Parameters.new(tags: ["rails", "parameters"])
params.permit(tags: [])
Sometimes it is not possible or convenient to declare the valid keys of a hash parameter or its internal structure. Just map to an empty hash:
params.permit(preferences: {})
Be careful because this opens the door to arbitrary input. In this case, ‘permit` ensures values in the returned structure are permitted scalars and filters out anything else.
You can also use ‘permit` on nested parameters:
params = ActionController::Parameters.new({
person: {
name: "Francesco",
age: 22,
pets: [{
name: "Purplish",
category: "dogs"
}]
}
})
permitted = params.permit(person: [ :name, { pets: :name } ])
permitted.permitted? # => true
permitted[:person][:name] # => "Francesco"
permitted[:person][:age] # => nil
permitted[:person][:pets][0][:name] # => "Purplish"
permitted[:person][:pets][0][:category] # => nil
This has the added benefit of rejecting user-modified inputs that send a string when a hash is expected.
When followed by ‘require`, you can both filter and require parameters following the typical pattern of a Rails form. The `expect` method was made specifically for this use case and is the recommended way to require and permit parameters.
permitted = params.expect(person: [:name, :age])
When using ‘permit` and `require` separately, pay careful attention to the order of the method calls.
params = ActionController::Parameters.new(person: { name: "Martin", age: 40, role: "admin" })
permitted = params.permit(person: [:name, :age]).require(:person) # correct
When require is used first, it is possible for users of your application to trigger a NoMethodError when the user, for example, sends a string for :person.
params = ActionController::Parameters.new(person: "tampered")
permitted = params.require(:person).permit(:name, :age) # not recommended
# => NoMethodError: undefined method `permit' for an instance of String
Note that if you use ‘permit` in a key that points to a hash, it won’t allow all the hash. You also need to specify which attributes inside the hash should be permitted.
params = ActionController::Parameters.new({
person: {
contact: {
email: "none@test.com",
phone: "555-1234"
}
}
})
params.permit(person: :contact).require(:person)
# => #<ActionController::Parameters {} permitted: true>
params.permit(person: { contact: :phone }).require(:person)
# => #<ActionController::Parameters {"contact"=>#<ActionController::Parameters {"phone"=>"555-1234"} permitted: true>} permitted: true>
params.permit(person: { contact: [ :email, :phone ] }).require(:person)
# => #<ActionController::Parameters {"contact"=>#<ActionController::Parameters {"email"=>"none@test.com", "phone"=>"555-1234"} permitted: true>} permitted: true>
If your parameters specify multiple parameters indexed by a number, you can permit each set of parameters under the numeric key to be the same using the same syntax as permitting a single item.
params = ActionController::Parameters.new({
person: {
'0': {
email: "none@test.com",
phone: "555-1234"
},
'1': {
email: "nothing@test.com",
phone: "555-6789"
},
}
})
params.permit(person: [:email]).to_h
# => {"person"=>{"0"=>{"email"=>"none@test.com"}, "1"=>{"email"=>"nothing@test.com"}}}
If you want to specify what keys you want from each numeric key, you can instead specify each one individually
params = ActionController::Parameters.new({
person: {
'0': {
email: "none@test.com",
phone: "555-1234"
},
'1': {
email: "nothing@test.com",
phone: "555-6789"
},
}
})
params.permit(person: { '0': [:email], '1': [:phone]}).to_h
# => {"person"=>{"0"=>{"email"=>"none@test.com"}, "1"=>{"phone"=>"555-6789"}}}
668 669 670 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 668 def permit(*filters) permit_filters(filters, on_unpermitted: self.class.action_on_unpermitted_parameters, explicit_arrays: false) end |
#permit! ⇒ Object
Sets the ‘permitted` attribute to `true`. This can be used to pass mass assignment. Returns `self`.
class Person < ActiveRecord::Base
end
params = ActionController::Parameters.new(name: "Francesco")
params.permitted? # => false
Person.new(params) # => ActiveModel::ForbiddenAttributesError
params.permit!
params.permitted? # => true
Person.new(params) # => #<Person id: nil, name: "Francesco">
461 462 463 464 465 466 467 468 469 470 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 461 def permit! each_pair do |key, value| Array.wrap(value).flatten.each do |v| v.permit! if v.respond_to? :permit! end end @permitted = true self end |
#permitted? ⇒ Boolean
Returns ‘true` if the parameter is permitted, `false` otherwise.
params = ActionController::Parameters.new
params.permitted? # => false
params.permit!
params.permitted? # => true
445 446 447 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 445 def permitted? @permitted end |
#reject(&block) ⇒ Object
Returns a new ‘ActionController::Parameters` instance with items that the block evaluates to true removed.
961 962 963 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 961 def reject(&block) new_instance_with_inherited_permitted_status(@parameters.reject(&block)) end |
#reject!(&block) ⇒ Object Also known as: delete_if
Removes items that the block evaluates to true and returns self.
966 967 968 969 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 966 def reject!(&block) @parameters.reject!(&block) self end |
#require(key) ⇒ Object Also known as: required
This method accepts both a single key and an array of keys.
When passed a single key, if it exists and its associated value is either present or the singleton ‘false`, returns said value:
ActionController::Parameters.new(person: { name: "Francesco" }).require(:person)
# => #<ActionController::Parameters {"name"=>"Francesco"} permitted: false>
Otherwise raises ActionController::ParameterMissing:
ActionController::Parameters.new.require(:person)
# ActionController::ParameterMissing: param is missing or the value is empty or invalid: person
ActionController::Parameters.new(person: nil).require(:person)
# ActionController::ParameterMissing: param is missing or the value is empty or invalid: person
ActionController::Parameters.new(person: "\t").require(:person)
# ActionController::ParameterMissing: param is missing or the value is empty or invalid: person
ActionController::Parameters.new(person: {}).require(:person)
# ActionController::ParameterMissing: param is missing or the value is empty or invalid: person
When given an array of keys, the method tries to require each one of them in order. If it succeeds, an array with the respective return values is returned:
params = ActionController::Parameters.new(user: { ... }, profile: { ... })
user_params, profile_params = params.require([:user, :profile])
Otherwise, the method re-raises the first exception found:
params = ActionController::Parameters.new(user: {}, profile: {})
user_params, profile_params = params.require([:user, :profile])
# ActionController::ParameterMissing: param is missing or the value is empty or invalid: user
This method is not recommended for fetching terminal values because it does not permit the values. For example, this can cause problems:
# CAREFUL
params = ActionController::Parameters.new(person: { name: "Finn" })
name = params.require(:person).require(:name) # CAREFUL
It is recommended to use ‘expect` instead:
def person_params
# params.expect(person: :name).require(:name)
end
519 520 521 522 523 524 525 526 527 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 519 def require(key) return key.map { |k| require(k) } if key.is_a?(Array) value = self[key] if value.present? || value == false value else raise ParameterMissing.new(key, @parameters.keys) end end |
#reverse_merge(other_hash) ⇒ Object Also known as: with_defaults
Returns a new ‘ActionController::Parameters` instance with all keys from current hash merged into `other_hash`.
1033 1034 1035 1036 1037 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 1033 def reverse_merge(other_hash) new_instance_with_inherited_permitted_status( other_hash.to_h.merge(@parameters) ) end |
#reverse_merge!(other_hash) ⇒ Object Also known as: with_defaults!
Returns the current ‘ActionController::Parameters` instance with current hash merged into `other_hash`.
1042 1043 1044 1045 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 1042 def reverse_merge!(other_hash) @parameters.merge!(other_hash.to_h) { |key, left, right| left } self end |
#select(&block) ⇒ Object
Returns a new ‘ActionController::Parameters` instance with only items that the block evaluates to true.
948 949 950 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 948 def select(&block) new_instance_with_inherited_permitted_status(@parameters.select(&block)) end |
#select!(&block) ⇒ Object Also known as: keep_if
Equivalent to Hash#keep_if, but returns ‘nil` if no changes were made.
953 954 955 956 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 953 def select!(&block) @parameters.select!(&block) self end |
#slice(*keys) ⇒ Object
Returns a new ‘ActionController::Parameters` instance that includes only the given `keys`. If the given `keys` don’t exist, returns an empty hash.
params = ActionController::Parameters.new(a: 1, b: 2, c: 3)
params.slice(:a, :b) # => #<ActionController::Parameters {"a"=>1, "b"=>2} permitted: false>
params.slice(:d) # => #<ActionController::Parameters {} permitted: false>
852 853 854 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 852 def slice(*keys) new_instance_with_inherited_permitted_status(@parameters.slice(*keys)) end |
#slice!(*keys) ⇒ Object
Returns the current ‘ActionController::Parameters` instance which contains only the given `keys`.
858 859 860 861 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 858 def slice!(*keys) @parameters.slice!(*keys) self end |
#stringify_keys ⇒ Object
This is required by ActiveModel attribute assignment, so that user can pass ‘Parameters` to a mass assignment methods in a model. It should not matter as we are using `HashWithIndifferentAccess` internally.
1051 1052 1053 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 1051 def stringify_keys # :nodoc: dup end |
#to_h(&block) ⇒ Object
Returns a safe ActiveSupport::HashWithIndifferentAccess representation of the parameters with all unpermitted keys removed.
params = ActionController::Parameters.new({
name: "Senjougahara Hitagi",
oddity: "Heavy stone crab"
})
params.to_h
# => ActionController::UnfilteredParameters: unable to convert unpermitted parameters to hash
safe_params = params.permit(:name)
safe_params.to_h # => {"name"=>"Senjougahara Hitagi"}
331 332 333 334 335 336 337 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 331 def to_h(&block) if permitted? convert_parameters_to_hashes(@parameters, :to_h, &block) else raise UnfilteredParameters end end |
#to_hash ⇒ Object
Returns a safe ‘Hash` representation of the parameters with all unpermitted keys removed.
params = ActionController::Parameters.new({
name: "Senjougahara Hitagi",
oddity: "Heavy stone crab"
})
params.to_hash
# => ActionController::UnfilteredParameters: unable to convert unpermitted parameters to hash
safe_params = params.permit(:name)
safe_params.to_hash # => {"name"=>"Senjougahara Hitagi"}
351 352 353 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 351 def to_hash to_h.to_hash end |
#to_query(*args) ⇒ Object Also known as: to_param
Returns a string representation of the receiver suitable for use as a URL query string:
params = ActionController::Parameters.new({
name: "David",
nationality: "Danish"
})
params.to_query
# => ActionController::UnfilteredParameters: unable to convert unpermitted parameters to hash
safe_params = params.permit(:name, :nationality)
safe_params.to_query
# => "name=David&nationality=Danish"
An optional namespace can be passed to enclose key names:
params = ActionController::Parameters.new({
name: "David",
nationality: "Danish"
})
safe_params = params.permit(:name, :nationality)
safe_params.to_query("user")
# => "user%5Bname%5D=David&user%5Bnationality%5D=Danish"
The string pairs ‘“key=value”` that conform the query string are sorted lexicographically in ascending order.
381 382 383 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 381 def to_query(*args) to_h.to_query(*args) end |
#to_unsafe_h ⇒ Object Also known as: to_unsafe_hash
Returns an unsafe, unfiltered ActiveSupport::HashWithIndifferentAccess representation of the parameters.
params = ActionController::Parameters.new({
name: "Senjougahara Hitagi",
oddity: "Heavy stone crab"
})
params.to_unsafe_h
# => {"name"=>"Senjougahara Hitagi", "oddity" => "Heavy stone crab"}
395 396 397 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 395 def to_unsafe_h convert_parameters_to_hashes(@parameters, :to_unsafe_h) end |
#transform_keys(&block) ⇒ Object
Returns a new ‘ActionController::Parameters` instance with the results of running `block` once for every key. The values are unchanged.
906 907 908 909 910 911 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 906 def transform_keys(&block) return to_enum(:transform_keys) unless block_given? new_instance_with_inherited_permitted_status( @parameters.transform_keys(&block) ) end |
#transform_keys!(&block) ⇒ Object
Performs keys transformation and returns the altered ‘ActionController::Parameters` instance.
915 916 917 918 919 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 915 def transform_keys!(&block) return to_enum(:transform_keys!) unless block_given? @parameters.transform_keys!(&block) self end |
#transform_values ⇒ Object
Returns a new ‘ActionController::Parameters` instance with the results of running `block` once for every value. The keys are unchanged.
params = ActionController::Parameters.new(a: 1, b: 2, c: 3)
params.transform_values { |x| x * 2 }
# => #<ActionController::Parameters {"a"=>2, "b"=>4, "c"=>6} permitted: false>
889 890 891 892 893 894 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 889 def transform_values return to_enum(:transform_values) unless block_given? new_instance_with_inherited_permitted_status( @parameters.transform_values { |v| yield convert_value_to_parameters(v) } ) end |
#transform_values! ⇒ Object
Performs values transformation and returns the altered ‘ActionController::Parameters` instance.
898 899 900 901 902 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 898 def transform_values! return to_enum(:transform_values!) unless block_given? @parameters.transform_values! { |v| yield convert_value_to_parameters(v) } self end |
#values ⇒ Object
Returns a new array of the values of the parameters.
424 425 426 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 424 def values to_enum(:each_value).to_a end |
#values_at(*keys) ⇒ Object
Returns values that were assigned to the given ‘keys`. Note that all the `Hash` objects will be converted to `ActionController::Parameters`.
1005 1006 1007 |
# File 'lib/action_controller/metal/strong_parameters.rb', line 1005 def values_at(*keys) convert_value_to_parameters(@parameters.values_at(*keys)) end |