
'Reserved' params

Open jonleighton opened this issue 14 years ago • 2 comments

Hey,

Thanks for the great and useful plugin. It might be useful to have a list of params which are by default always allowed through, such as: authenticity_token, _method, id, etc.

Or at least maybe point out in the docs that one might need to put "param_accessible [:_method, :authenticity_token, :id]" in the ApplicationController.

Cheers

jonleighton avatar Jul 20 '10 12:07 jonleighton

+1

I think that some params should be in whitelist by default:

param_accessible [:utf8, :commit, :action, :controller, :id]

# or maybe even
param_accessible [:utf8, :commit, :action, :controller, :id, :authenticity_token, :page]

:authenticity_token is from devise, :page is used by kaminari/will_paginate (both are commonly used gems)

zlw avatar Jan 14 '12 15:01 zlw

My thanks also for this tool!

For my part, having a configurable list would be good:

  • [:utf8, :commit, :action, :controller, :id] might be a nice default
  • It means devs don't have to try and evaluate the risk-level of known-innocuous parameters
  • But if for whatever reason they want to expand or compress the list, they can
  • If the list grows or shrinks (e.g. #controller_name is considered better than direct params[:controller]) the gem can be adjusted to match

I don't think auth or pagination library params should be in the default list, though. Let the devs make that call.

dznz avatar Mar 07 '12 22:03 dznz
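The "reserved params" idea discussed in this thread, as an added example that is not the param_protected gem's own code: a small allowlist filter with a default reserved set (the keys named above), a way to extend or trim that set as dznz suggests, and nested allowlisting for model attribute hashes. Everything here is hypothetical (the ParamFilter class, DEFAULT_RESERVED, demo, and the constructed SAMPLE_PARAMS request); reserved keys are honoured only at the top level, so a stray id or admin inside a model hash is still dropped and recorded for logging.

```ruby
# Added example (not the param_protected gem's code): a parameter allowlist
# filter illustrating the "reserved params" idea from the thread. Keys that
# Rails itself adds to every request pass through by default; everything
# else must be explicitly allowed; the caller may extend or trim the reserved set.

require 'set'

class ParamFilter
  # Keys Rails routing / form helpers add to every request (list taken from
  # this thread; :_method and :authenticity_token are Rails, not app, params).
  DEFAULT_RESERVED = %i[utf8 commit action controller id authenticity_token _method].freeze

  attr_reader :rejected

  # allowed: array of symbols and/or hashes such as { user: [:name, :email] }
  # reserved: replace the default reserved list; extra_reserved/except adjust it
  def initialize(allowed, reserved: DEFAULT_RESERVED, extra_reserved: [], except: [])
    @reserved = (reserved + extra_reserved - except).map(&:to_sym).to_set
    @allowed = allowed
    @rejected = []
  end

  # Returns a new hash containing only reserved keys plus keys matching the
  # allowlist spec. Rejected keys are recorded by dotted path so the
  # application can log or alert on attempted mass assignment.
  def filter(params)
    @rejected = []
    apply(params, @allowed, @reserved, [])
  end

  private

  def apply(hash, spec, reserved, path)
    flat, nested = split_spec(spec)
    hash.each_with_object({}) do |(key, value), out|
      k = key.to_sym
      if reserved.include?(k) || flat.include?(k)
        out[key] = value
      elsif nested.key?(k) && value.is_a?(Hash)
        # Reserved keys apply at the top level only: an "id" nested inside a
        # model hash is an attribute write, not routing data, so pass an empty set.
        out[key] = apply(value, nested[k], Set.new, path + [k])
      else
        @rejected << (path + [k]).join('.')
      end
    end
  end

  # Split an allowlist spec into flat keys and nested { key => sub_spec } entries.
  def split_spec(spec)
    flat = Set.new
    nested = {}
    Array(spec).each do |entry|
      case entry
      when Hash then entry.each { |mk, sub| nested[mk.to_sym] = sub }
      else flat << entry.to_sym
      end
    end
    [flat, nested]
  end
end

# Constructed sample request: a form submission carrying Rails' own keys, a
# pagination key, and two attributes the form never exposed (admin, id).
SAMPLE_PARAMS = {
  'utf8' => "\u2713", 'authenticity_token' => 'tok', 'commit' => 'Save',
  'controller' => 'users', 'action' => 'update', 'id' => '7',
  'page' => '2',
  'user' => { 'name' => 'Ada', 'email' => 'ada@example.com', 'admin' => 'true', 'id' => '1' }
}.freeze

# Run the filter over the sample with an allowlist of user name/email only.
# extra_reserved lets the caller opt a library key such as :page into the default set.
def demo(extra_reserved: [])
  f = ParamFilter.new([{ user: %i[name email] }], extra_reserved: extra_reserved)
  [f.filter(SAMPLE_PARAMS), f.rejected]
end

if __FILE__ == $0
  allowed, rejected = demo
  puts "allowed:  #{allowed.inspect}"
  puts "rejected: #{rejected.inspect}"   # => ["page", "user.admin", "user.id"]
end
```

With the defaults, :page is rejected along with the nested admin and id writes; `demo(extra_reserved: [:page])` lets the pagination key through without widening what the user hash may set, which is the "let the devs make that call" split dznz describes.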