Active Params
Stop manually defining strong_parameters in each and every controller.
Whatever parameters were used in development mode are considered permitted parameters for production. So automatically record them in development mode and simply apply strong_parameters in production.
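The record-then-apply approach described above, modelled in plain Ruby as an added example (not code from the gem or from Rails; `permit`, `RecordedAllowList` and the sample requests are hypothetical and constructed). It compares an allow-list built from observed development traffic with one written by hand.

```ruby
require "set"

# Simplified stand-in for strong_parameters: keep only allow-listed keys.
# (Hypothetical helper, not Rails' ActionController::Parameters.)
def permit(params, allowed)
  params.select { |key, _| allowed.include?(key) }
end

# Hypothetical recorder modelling "record in development, apply in production".
class RecordedAllowList
  def initialize
    @seen = Hash.new { |hash, action| hash[action] = Set.new }
  end

  # Development mode: every key that arrives is remembered as permitted.
  def record(action, params)
    @seen[action].merge(params.keys)
  end

  # Production mode: the recorded keys become the allow-list.
  def allowed_for(action)
    @seen[action]
  end
end

# Explicit allow-list a developer would write by hand in the controller.
EXPLICIT_USER_UPDATE = Set["name", "email"].freeze

# Constructed development traffic: one ordinary profile edit, and one request
# made while a developer tested an admin-only form that also sends "role".
DEV_REQUESTS = [
  { "name" => "Ann", "email" => "ann@example.test" },
  { "name" => "Ann", "role" => "admin" }
].freeze

# Constructed production request from an ordinary user.
PROD_REQUEST = { "name" => "Bob", "role" => "admin", "bio" => "hi" }.freeze

def compare_allow_lists
  recorder = RecordedAllowList.new
  DEV_REQUESTS.each { |params| recorder.record("users#update", params) }
  {
    recorded: permit(PROD_REQUEST, recorder.allowed_for("users#update")),
    explicit: permit(PROD_REQUEST, EXPLICIT_USER_UPDATE)
  }
end

result = compare_allow_lists
puts "recorded allow-list passes: #{result[:recorded].inspect}"
puts "explicit allow-list passes: #{result[:explicit].inspect}"
```

In this model the recorded list lets `role` through because it was seen once in development, while `bio` is dropped by both lists, which is also what would happen to a legitimate parameter that was never exercised during recording.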
Comments
This seems like a really bad idea. The whole point of strong_parameters is to explicitly define which parameters you deem safe for your application to process.
Now you’ve tied that behavior to the development process, which seems… weird. You now have to develop a certain way or put your application’s security at risk.
Agree with Ben here. What would be the benefit of defining strong params outside of code? What’s a good use case for this? Genuinely curious here.
I thought this was actually providing macros in the controller, which would be ok, but defining them all in a separate file seems to be an extra, unneeded context switch.
For an alternate take on securing parameters see https://github.com/zendesk/stronger_parameters
Is this really that big of a problem to begin with? Not in my experience, at least…