Devise and Strong Parameters

ruby-on-rails ruby ruby-on-rails-3 devise strong-parameters

20,128

Solution 1

Update for devise 4.x

class ApplicationController < ActionController::Base
  before_filter :configure_permitted_parameters, if: :devise_controller?

  protected

  def configure_permitted_parameters
    devise_parameter_sanitizer.permit(:sign_up, keys: [:username])
    devise_parameter_sanitizer.permit(:sign_in, keys: [:username])
    devise_parameter_sanitizer.permit(:account_update, keys: [:username])
  end
end

After adding both gems, devise will work as normal.

Update: With the latest version of Devise 3.x, as described at devise#strong-parameters, the authentication key (normally the email field), and the password fields are already permitted. However, if there are any additional fields on the signup form, you will need to let Devise know the extra fields to permit. The easiest way to do this is with a filter:

class ApplicationController < ActionController::Base
  before_filter :configure_permitted_parameters, if: :devise_controller?

  protected

  def configure_permitted_parameters
    devise_parameter_sanitizer.for(:sign_up) << :username
  end
end

For Devise 2.x, if you use the safety feature requiring explicitly whitelisting tainted parameters in the user model:

include ActiveModel::ForbiddenAttributesProtection

the changes needed are found at https://gist.github.com/3350730 which overrides some of the controllers.

Solution 2

The easy way is to add a simple before filter in your ApplicationController. If you have different roles and/or other more complex scenario there are other options on the link below:

https://github.com/plataformatec/devise#strong-parameters

Solution 3

before_filter :configure_sanitized_params, if: :devise_controller?

def configure_sanitized_params
  devise_parameter_sanitizer.for(:sign_up) { |u| u.permit(:firstname, :designation_id, :middlename, :previous_experiance_year, :previous_experiance_month, :lastname, :email, :username, :password, :password_confirmation, :previous_experiance, :empid, :dob, :timezone, :doj, :gender, :education, :comments, :locked, :deactivated, :reason, :phone, :deactivated_date, :image) }
  devise_parameter_sanitizer.for(:account_update) { |u| u.permit(:remove_image, :firstname, :designation_id, :middlename, :lastname, :email, :username, :empid, :dob, :timezone, :doj, :gender, :education, :comments, :locked, :deactivated, :reason, :phone, :deactivated_date, :image) }
end

20,128

Author by

Rodrigo Zurek

Ruby on Rails developer and entrepreneur, also growing familiar with: Postgres, APEX, Angular, Javascript, HTML, CSS, Salesforce, Many API's and all web related !

Updated on May 04, 2020

Comments

Rodrigo Zurek about 4 years

I would like to know how to integrate both of this gems(devise + Strong Parameters), since strong params will likely be added to the rails core in 4.0

any help is welcome thanks
David Alozie over 10 years

Next answer is better, from my view, since it relay on Devise public API
ronalchn over 10 years

That would be because my answer was from over a year ago. I've updated the answer based on the new developments.
Rodrigo Zurek over 10 years

this question is a perfect example of how small is the world, you answered my question with my own gist =D
Rodrigo Zurek over 8 years

yeah, this is the new way to do it. the question was asked back in the day when devise hadn't implemented strong parameters on their code.
Doug almost 7 years

This answer no longer works. You need to use devise_parameter_sanitizer.permit(:sign_up, keys: [:username])