RubyFlow The Ruby and Rails community linklog

Active Params

Stop manually defining strong_parameters in each and every controller.

Whatever parameters that was used during development mode is considered permitted parameters for production. So automatically record them in development mode and simply apply strong_parameters in production.

https://github.com/choonkeat/active_params

Comments

This seems like a really bad idea. The whole point of strong_parameters is explicitly define which parameters you deem safe for your application to process.

Now you’ve tied that behavior to the development process, which seems… weird. You now have to develop a certain way or put your application’s security at risk.

Agree with Ben here. What would be the benefit of defining strong params outside of code? What’s a good use case for this? Genuinely curious here.

I thought this was actually providing macros in the controller, which would be ok, but defining them all in a separate file seems to be an extra unneeded context switching.

For an alternate take on securing parameters see https://github.com/zendesk/stronger_parameters

Is this really that big of a problem to begin with? Not in my experience, at least…

Post a comment

You can use basic HTML markup (e.g. <a>) or Markdown.

As you are not logged in, you will be
directed via GitHub to signup or sign in