14

I have a serious problem with strong parameters. It's working pretty well in my about 200 actions, but in one it doesn't because I'm working very dynamically with the parameters there, and I also can't change it because of the application's design.

So I want to disable strong parameters validation in just this specific action. Is there a way to do this?

Cœur
davidb

3 Answers

18

Strong parameters overrides the `params` method in `ActionController::Base`. You can simply override it and set it back to what you want yourself.

So this:

```ruby
class MyController < ApplicationController
  def params
    request.parameters
  end
end
```

Will effectively disable strong parameters for all actions in your controller. You only wanted to disable it for a particular action though so you could do that with:

```ruby
class MyController < ApplicationController
  before_action :use_unsafe_params, only: [:particular_action]

  def params
    @_dangerous_params || super
  end

  def particular_action
    # My params is unsafe
  end

  def normal_action
    # my params is safe
  end

  private

  def use_unsafe_params
    @_dangerous_params = request.parameters
  end
end
```
Ritchie
3

You can use `.permit!` to whitelist any keys in a hash.

```ruby
params.require(:something).permit!
```

However this should be treated as an extreme code smell and a security risk.

Nested hashes can be whitelisted with this trick:

```ruby
params.require(:product).permit(:name, data: params[:product][:data].try(:keys))
```
max
  • This won't work for me because the name of the params isn't defined statically; they are defined by the displayed object. I know this sounds like a big security hole, but I implemented security mechanisms in the method logic. I really need to turn strong parameters off in one action – davidb Jun 01 '15 at 11:02
  • The only way I can think of is using `config.action_controller.permit_all_parameters`, but that is done on a per-app basis. Not per action. – max Jun 01 '15 at 11:30
  • Yes, for the development mode I disabled strong parameters, but of course I can't do this in production mode – davidb Jun 01 '15 at 11:32
  • You could create some kind of function that recursively walks the params hash and whitelists it. But I can't really give you an example since I have no idea what your controller looks like. – max Jun 01 '15 at 11:37
  • I think it's easier to modify the strong parameters gem in a way that allows disabling the gem for a specific action – davidb Jun 01 '15 at 11:38
  • Yeah but hacking core is almost always a bad idea. – max Jun 01 '15 at 11:39
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/79314/discussion-between-maxcal-and-davidb). – max Jun 01 '15 at 11:40
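The comment thread above mentions recursively walking the params hash when the key names depend on the displayed object. The sketch below is an added example, not code from any answer on this page: it filters a raw parameter hash against a schema built server-side and records every rejected path. The schema format, `filter_params`, `leaf_ok?` and the sample data are all assumptions made for illustration.

```ruby
# Added example (plain Ruby, no Rails needed). The schema format is an assumption:
# :scalar = one scalar value, [:scalar] = array of scalars, Hash = nested object.
SCALARS = [String, Numeric, TrueClass, FalseClass, NilClass].freeze

def scalar?(value)
  SCALARS.any? { |klass| value.is_a?(klass) }
end

# Does `value` have the shape the schema `rule` demands? (Hashes recurse separately.)
def leaf_ok?(rule, value)
  case rule
  when :scalar then scalar?(value)
  when Array   then value.is_a?(Array) && value.all? { |v| scalar?(v) }
  else false
  end
end

# Walks `raw` recursively and returns [permitted_hash, rejected_paths].
def filter_params(raw, schema, path = [])
  permitted = {}
  rejected = []
  raw.each do |key, value|
    key = key.to_s
    here = (path + [key]).join(".")
    rule = schema[key]
    if rule.is_a?(Hash) && value.is_a?(Hash)
      permitted[key], nested_rejected = filter_params(value, rule, path + [key])
      rejected.concat(nested_rejected)
    elsif leaf_ok?(rule, value)
      permitted[key] = value
    else
      rejected << here # unknown key or wrong shape: drop it and record the path
    end
  end
  [permitted, rejected]
end

# Constructed sample: a schema derived from the displayed object, and a request
# that also carries a key the object does not define and an unexpected nesting.
SCHEMA = { "name" => :scalar,
           "data" => { "color" => :scalar, "sizes" => [:scalar] } }.freeze
RAW = { "name" => "Chair", "admin" => "true",
        "data" => { "color" => "red", "sizes" => %w[S M], "price" => { "x" => 1 } } }.freeze

PERMITTED, REJECTED = filter_params(RAW, SCHEMA)
```

In a controller the `raw` argument would be `request.parameters`, and logging the rejected paths gives a signal when a client sends keys the object never offered.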
2

Not too sure if this is best practice, but for Rails 5 I just use `request.params` instead of `params` anytime I want to skip strong params.

So instead of something like:

```ruby
post = Post.new(params[:post])
```

I use:

```ruby
post = Post.new(request.params[:post])
```
Sajad Torkamani