class ActionController::Parameters

Action Controller Parameters

Allows you to choose which attributes should be permitted for mass updating and thus prevent accidentally exposing that which shouldn’t be exposed. Provides two methods for this purpose: require and permit. The former is used to mark parameters as required. The latter is used to set the parameter as permitted and limit which attributes should be allowed for mass updating.

params = ActionController::Parameters.new({
  person: {
    name: "Francesco",
    age:  22,
    role: "admin"
  }
})

permitted = params.require(:person).permit(:name, :age)
permitted            # => #<ActionController::Parameters {"name"=>"Francesco", "age"=>22} permitted: true>
permitted.permitted? # => true

Person.first.update!(permitted)
# => #<Person id: 1, name: "Francesco", age: 22, role: "user">

It provides two options that controls the top-level behavior of new instances:

Examples:

params = ActionController::Parameters.new
params.permitted? # => false

ActionController::Parameters.permit_all_parameters = true

params = ActionController::Parameters.new
params.permitted? # => true

params = ActionController::Parameters.new(a: "123", b: "456")
params.permit(:c)
# => #<ActionController::Parameters {} permitted: true>

ActionController::Parameters.action_on_unpermitted_parameters = :raise

params = ActionController::Parameters.new(a: "123", b: "456")
params.permit(:c)
# => ActionController::UnpermittedParameters: found unpermitted keys: a, b

Please note that these options *are not thread-safe*. In a multi-threaded environment they should only be set once at boot-time and never mutated at runtime.

You can fetch values of ActionController::Parameters using either :key or "key".

params = ActionController::Parameters.new(key: "value")
params[:key]  # => "value"
params["key"] # => "value"

Constants

PERMITTED_SCALAR_TYPES

This is a list of permitted scalar types that includes the ones supported in XML and JSON requests.

This list is in particular used to filter ordinary requests, String goes as first element to quickly short-circuit the common case.

If you modify this collection please update the one in the permit doc as well.

Attributes

parameters[R]
permitted[W]

Public Class Methods

new(parameters = {}, logging_context = {}) click to toggle source

Returns a new ActionController::Parameters instance. Also, sets the permitted attribute to the default value of ActionController::Parameters.permit_all_parameters.

class Person < ActiveRecord::Base
end

params = ActionController::Parameters.new(name: "Francesco")
params.permitted?  # => false
Person.new(params) # => ActiveModel::ForbiddenAttributesError

ActionController::Parameters.permit_all_parameters = true

params = ActionController::Parameters.new(name: "Francesco")
params.permitted?  # => true
Person.new(params) # => #<Person id: nil, name: "Francesco">
# File lib/action_controller/metal/strong_parameters.rb, line 247
def initialize(parameters = {}, logging_context = {})
  @parameters = parameters.with_indifferent_access
  @logging_context = logging_context
  @permitted = self.class.permit_all_parameters
end

Public Instance Methods

==(other) click to toggle source

Returns true if another Parameters object contains the same content and permitted flag.

# File lib/action_controller/metal/strong_parameters.rb, line 255
def ==(other)
  if other.respond_to?(:permitted?)
    permitted? == other.permitted? && parameters == other.parameters
  else
    @parameters == other
  end
end
[](key) click to toggle source

Returns a parameter for the given key. If not found, returns nil.

params = ActionController::Parameters.new(person: { name: "Francesco" })
params[:person] # => #<ActionController::Parameters {"name"=>"Francesco"} permitted: false>
params[:none]   # => nil
# File lib/action_controller/metal/strong_parameters.rb, line 619
def [](key)
  convert_hashes_to_parameters(key, @parameters[key])
end
[]=(key, value) click to toggle source

Assigns a value to a given key. The given key may still get filtered out when permit is called.

# File lib/action_controller/metal/strong_parameters.rb, line 625
def []=(key, value)
  @parameters[key] = value
end
as_json(options=nil) click to toggle source

Returns a hash that can be used as the JSON representation for the parameters.

# File lib/action_controller/metal/strong_parameters.rb, line 138
    
compact() click to toggle source

Returns a new ActionController::Parameters instance with nil values removed.

# File lib/action_controller/metal/strong_parameters.rb, line 795
def compact
  new_instance_with_inherited_permitted_status(@parameters.compact)
end
compact!() click to toggle source

Removes all nil values in place and returns self, or nil if no changes were made.

# File lib/action_controller/metal/strong_parameters.rb, line 800
def compact!
  self if @parameters.compact!
end
compact_blank() click to toggle source

Returns a new ActionController::Parameters instance without the blank values. Uses Object#blank? for determining if a value is blank.

# File lib/action_controller/metal/strong_parameters.rb, line 806
def compact_blank
  reject { |_k, v| v.blank? }
end
compact_blank!() click to toggle source

Removes all blank values in place and returns self. Uses Object#blank? for determining if a value is blank.

# File lib/action_controller/metal/strong_parameters.rb, line 812
def compact_blank!
  reject! { |_k, v| v.blank? }
end
converted_arrays() click to toggle source

Attribute that keeps track of converted arrays, if any, to avoid double looping in the common use case permit + mass-assignment. Defined in a method to instantiate it only if needed.

Testing membership still loops, but it’s going to be faster than our own loop that converts values. Also, we are not going to build a new array object per fetch.

# File lib/action_controller/metal/strong_parameters.rb, line 384
def converted_arrays
  @converted_arrays ||= Set.new
end
deep_dup() click to toggle source

Returns a duplicate ActionController::Parameters instance with the same permitted parameters.

# File lib/action_controller/metal/strong_parameters.rb, line 897
def deep_dup
  self.class.new(@parameters.deep_dup, @logging_context).tap do |duplicate|
    duplicate.permitted = @permitted
  end
end
deep_transform_keys(&block) click to toggle source

Returns a new ActionController::Parameters instance with the results of running block once for every key. This includes the keys from the root hash and from all nested hashes and arrays. The values are unchanged.

# File lib/action_controller/metal/strong_parameters.rb, line 746
def deep_transform_keys(&block)
  new_instance_with_inherited_permitted_status(
    @parameters.deep_transform_keys(&block)
  )
end
deep_transform_keys!(&block) click to toggle source

Returns the same ActionController::Parameters instance with changed keys. This includes the keys from the root hash and from all nested hashes and arrays. The values are unchanged.

# File lib/action_controller/metal/strong_parameters.rb, line 755
def deep_transform_keys!(&block)
  @parameters.deep_transform_keys!(&block)
  self
end
delete(key, &block) click to toggle source

Deletes a key-value pair from Parameters and returns the value. If key is not found, returns nil (or, with optional code block, yields key and returns the result). This method is similar to extract!, which returns the corresponding ActionController::Parameters object.

# File lib/action_controller/metal/strong_parameters.rb, line 764
def delete(key, &block)
  convert_value_to_parameters(@parameters.delete(key, &block))
end
delete_if(&block)
Alias for: reject!
dig(*keys) click to toggle source

Extracts the nested parameter from the given keys by calling dig at each step. Returns nil if any intermediate step is nil.

params = ActionController::Parameters.new(foo: { bar: { baz: 1 } })
params.dig(:foo, :bar, :baz) # => 1
params.dig(:foo, :zot, :xyz) # => nil

params2 = ActionController::Parameters.new(foo: [10, 11, 12])
params2.dig(:foo, 1) # => 11
# File lib/action_controller/metal/strong_parameters.rb, line 663
def dig(*keys)
  convert_hashes_to_parameters(keys.first, @parameters[keys.first])
  @parameters.dig(*keys)
end
each(&block)
Alias for: each_pair
each_key(&block) click to toggle source

Calls block once for each key in the parameters, passing the key. If no block is given, an enumerator is returned instead.

# File lib/action_controller/metal/strong_parameters.rb, line 146
    
each_pair() { |key, convert_hashes_to_parameters(key, value)| ... } click to toggle source

Convert all hashes in values into parameters, then yield each pair in the same way as Hash#each_pair.

# File lib/action_controller/metal/strong_parameters.rb, line 356
def each_pair(&block)
  return to_enum(__callee__) unless block_given?
  @parameters.each_pair do |key, value|
    yield [key, convert_hashes_to_parameters(key, value)]
  end

  self
end
Also aliased as: each
each_value() { |convert_hashes_to_parameters(key, value)| ... } click to toggle source

Convert all hashes in values into parameters, then yield each value in the same way as Hash#each_value.

# File lib/action_controller/metal/strong_parameters.rb, line 368
def each_value(&block)
  return to_enum(:each_value) unless block_given?
  @parameters.each_pair do |key, value|
    yield convert_hashes_to_parameters(key, value)
  end

  self
end
empty?() click to toggle source

Returns true if the parameters have no key/value pairs.

# File lib/action_controller/metal/strong_parameters.rb, line 155
    
eql?(other) click to toggle source
# File lib/action_controller/metal/strong_parameters.rb, line 263
def eql?(other)
  self.class == other.class &&
    permitted? == other.permitted? &&
    parameters.eql?(other.parameters)
end
except(*keys) click to toggle source

Returns a new ActionController::Parameters instance that filters out the given keys.

params = ActionController::Parameters.new(a: 1, b: 2, c: 3)
params.except(:a, :b) # => #<ActionController::Parameters {"c"=>3} permitted: false>
params.except(:d)     # => #<ActionController::Parameters {"a"=>1, "b"=>2, "c"=>3} permitted: false>
# File lib/action_controller/metal/strong_parameters.rb, line 692
def except(*keys)
  new_instance_with_inherited_permitted_status(@parameters.except(*keys))
end
extract!(*keys) click to toggle source

Removes and returns the key/value pairs matching the given keys.

params = ActionController::Parameters.new(a: 1, b: 2, c: 3)
params.extract!(:a, :b) # => #<ActionController::Parameters {"a"=>1, "b"=>2} permitted: false>
params                  # => #<ActionController::Parameters {"c"=>3} permitted: false>
# File lib/action_controller/metal/strong_parameters.rb, line 701
def extract!(*keys)
  new_instance_with_inherited_permitted_status(@parameters.extract!(*keys))
end
fetch(key, *args) { || ... } click to toggle source

Returns a parameter for the given key. If the key can’t be found, there are several options: With no other arguments, it will raise an ActionController::ParameterMissing error; if a second argument is given, then that is returned (converted to an instance of ActionController::Parameters if possible); if a block is given, then that will be run and its result returned.

params = ActionController::Parameters.new(person: { name: "Francesco" })
params.fetch(:person)               # => #<ActionController::Parameters {"name"=>"Francesco"} permitted: false>
params.fetch(:none)                 # => ActionController::ParameterMissing: param is missing or the value is empty: none
params.fetch(:none, {})             # => #<ActionController::Parameters {} permitted: false>
params.fetch(:none, "Francesco")    # => "Francesco"
params.fetch(:none) { "Francesco" } # => "Francesco"
# File lib/action_controller/metal/strong_parameters.rb, line 642
def fetch(key, *args)
  convert_value_to_parameters(
    @parameters.fetch(key) {
      if block_given?
        yield
      else
        args.fetch(0) { raise ActionController::ParameterMissing.new(key, @parameters.keys) }
      end
    }
  )
end
has_key?()
Alias for: include?
has_value?(value) click to toggle source

Returns true if the given value is present for some key in the parameters.

# File lib/action_controller/metal/strong_parameters.rb, line 163
    
hash() click to toggle source
# File lib/action_controller/metal/strong_parameters.rb, line 269
def hash
  [self.class, @parameters, @permitted].hash
end
include?(key) click to toggle source

Returns true if the given key is present in the parameters.

# File lib/action_controller/metal/strong_parameters.rb, line 171
    
Also aliased as: has_key?, key?, member?
inspect() click to toggle source
# File lib/action_controller/metal/strong_parameters.rb, line 861
def inspect
  "#<#{self.class} #{@parameters} permitted: #{@permitted}>"
end
keep_if(&block)
Alias for: select!
key?()
Alias for: include?
keys() click to toggle source

Returns a new array of the keys of the parameters.

# File lib/action_controller/metal/strong_parameters.rb, line 179
    
member?()
Alias for: include?
merge(other_hash) click to toggle source

Returns a new ActionController::Parameters instance with all keys from other_hash merged into current hash.

# File lib/action_controller/metal/strong_parameters.rb, line 824
def merge(other_hash)
  new_instance_with_inherited_permitted_status(
    @parameters.merge(other_hash.to_h)
  )
end
merge!(other_hash) click to toggle source

Returns the current ActionController::Parameters instance with other_hash merged into current hash.

# File lib/action_controller/metal/strong_parameters.rb, line 832
def merge!(other_hash)
  @parameters.merge!(other_hash.to_h)
  self
end
permit(*filters) click to toggle source

Returns a new ActionController::Parameters instance that includes only the given filters and sets the permitted attribute for the object to true. This is useful for limiting which attributes should be allowed for mass updating.

params = ActionController::Parameters.new(user: { name: "Francesco", age: 22, role: "admin" })
permitted = params.require(:user).permit(:name, :age)
permitted.permitted?      # => true
permitted.has_key?(:name) # => true
permitted.has_key?(:age)  # => true
permitted.has_key?(:role) # => false

Only permitted scalars pass the filter. For example, given

params.permit(:name)

:name passes if it is a key of params whose associated value is of type String, Symbol, NilClass, Numeric, TrueClass, FalseClass, Date, Time, DateTime, StringIO, IO, ActionDispatch::Http::UploadedFile or Rack::Test::UploadedFile. Otherwise, the key :name is filtered out.

You may declare that the parameter should be an array of permitted scalars by mapping it to an empty array:

params = ActionController::Parameters.new(tags: ["rails", "parameters"])
params.permit(tags: [])

Sometimes it is not possible or convenient to declare the valid keys of a hash parameter or its internal structure. Just map to an empty hash:

params.permit(preferences: {})

Be careful because this opens the door to arbitrary input. In this case, permit ensures values in the returned structure are permitted scalars and filters out anything else.

You can also use permit on nested parameters, like:

params = ActionController::Parameters.new({
  person: {
    name: "Francesco",
    age:  22,
    pets: [{
      name: "Purplish",
      category: "dogs"
    }]
  }
})

permitted = params.permit(person: [ :name, { pets: :name } ])
permitted.permitted?                    # => true
permitted[:person][:name]               # => "Francesco"
permitted[:person][:age]                # => nil
permitted[:person][:pets][0][:name]     # => "Purplish"
permitted[:person][:pets][0][:category] # => nil

Note that if you use permit in a key that points to a hash, it won’t allow all the hash. You also need to specify which attributes inside the hash should be permitted.

params = ActionController::Parameters.new({
  person: {
    contact: {
      email: "none@test.com",
      phone: "555-1234"
    }
  }
})

params.require(:person).permit(:contact)
# => #<ActionController::Parameters {} permitted: true>

params.require(:person).permit(contact: :phone)
# => #<ActionController::Parameters {"contact"=>#<ActionController::Parameters {"phone"=>"555-1234"} permitted: true>} permitted: true>

params.require(:person).permit(contact: [ :email, :phone ])
# => #<ActionController::Parameters {"contact"=>#<ActionController::Parameters {"email"=>"none@test.com", "phone"=>"555-1234"} permitted: true>} permitted: true>

If your parameters specify multiple parameters indexed by a number, you can permit each set of parameters under the numeric key to be the same using the same syntax as permitting a single item.

params = ActionController::Parameters.new({
  person: {
    '0': {
      email: "none@test.com",
      phone: "555-1234"
    },
    '1': {
      email: "nothing@test.com",
      phone: "555-6789"
    },
  }
})
params.permit(person: [:email]).to_h
# => {"person"=>{"0"=>{"email"=>"none@test.com"}, "1"=>{"email"=>"nothing@test.com"}}}

If you want to specify what keys you want from each numeric key, you can instead specify each one individually

params = ActionController::Parameters.new({
  person: {
    '0': {
      email: "none@test.com",
      phone: "555-1234"
    },
    '1': {
      email: "nothing@test.com",
      phone: "555-6789"
    },
  }
})
params.permit(person: { '0': [:email], '1': [:phone]}).to_h
# => {"person"=>{"0"=>{"email"=>"none@test.com"}, "1"=>{"phone"=>"555-6789"}}}
# File lib/action_controller/metal/strong_parameters.rb, line 596
def permit(*filters)
  params = self.class.new

  filters.flatten.each do |filter|
    case filter
    when Symbol, String
      permitted_scalar_filter(params, filter)
    when Hash
      hash_filter(params, filter)
    end
  end

  unpermitted_parameters!(params) if self.class.action_on_unpermitted_parameters

  params.permit!
end
permit!() click to toggle source

Sets the permitted attribute to true. This can be used to pass mass assignment. Returns self.

class Person < ActiveRecord::Base
end

params = ActionController::Parameters.new(name: "Francesco")
params.permitted?  # => false
Person.new(params) # => ActiveModel::ForbiddenAttributesError
params.permit!
params.permitted?  # => true
Person.new(params) # => #<Person id: nil, name: "Francesco">
# File lib/action_controller/metal/strong_parameters.rb, line 410
def permit!
  each_pair do |key, value|
    Array.wrap(value).flatten.each do |v|
      v.permit! if v.respond_to? :permit!
    end
  end

  @permitted = true
  self
end
permitted?() click to toggle source

Returns true if the parameter is permitted, false otherwise.

params = ActionController::Parameters.new
params.permitted? # => false
params.permit!
params.permitted? # => true
# File lib/action_controller/metal/strong_parameters.rb, line 394
def permitted?
  @permitted
end
reject(&block) click to toggle source

Returns a new ActionController::Parameters instance with items that the block evaluates to true removed.

# File lib/action_controller/metal/strong_parameters.rb, line 783
def reject(&block)
  new_instance_with_inherited_permitted_status(@parameters.reject(&block))
end
reject!(&block) click to toggle source

Removes items that the block evaluates to true and returns self.

# File lib/action_controller/metal/strong_parameters.rb, line 788
def reject!(&block)
  @parameters.reject!(&block)
  self
end
Also aliased as: delete_if
require(key) click to toggle source

This method accepts both a single key and an array of keys.

When passed a single key, if it exists and its associated value is either present or the singleton false, returns said value:

ActionController::Parameters.new(person: { name: "Francesco" }).require(:person)
# => #<ActionController::Parameters {"name"=>"Francesco"} permitted: false>

Otherwise raises ActionController::ParameterMissing:

ActionController::Parameters.new.require(:person)
# ActionController::ParameterMissing: param is missing or the value is empty: person

ActionController::Parameters.new(person: nil).require(:person)
# ActionController::ParameterMissing: param is missing or the value is empty: person

ActionController::Parameters.new(person: "\t").require(:person)
# ActionController::ParameterMissing: param is missing or the value is empty: person

ActionController::Parameters.new(person: {}).require(:person)
# ActionController::ParameterMissing: param is missing or the value is empty: person

When given an array of keys, the method tries to require each one of them in order. If it succeeds, an array with the respective return values is returned:

params = ActionController::Parameters.new(user: { ... }, profile: { ... })
user_params, profile_params = params.require([:user, :profile])

Otherwise, the method re-raises the first exception found:

params = ActionController::Parameters.new(user: {}, profile: {})
user_params, profile_params = params.require([:user, :profile])
# ActionController::ParameterMissing: param is missing or the value is empty: user

Technically this method can be used to fetch terminal values:

# CAREFUL
params = ActionController::Parameters.new(person: { name: "Finn" })
name = params.require(:person).require(:name) # CAREFUL

but take into account that at some point those ones have to be permitted:

def person_params
  params.require(:person).permit(:name).tap do |person_params|
    person_params.require(:name) # SAFER
  end
end

for example.

# File lib/action_controller/metal/strong_parameters.rb, line 471
def require(key)
  return key.map { |k| require(k) } if key.is_a?(Array)
  value = self[key]
  if value.present? || value == false
    value
  else
    raise ParameterMissing.new(key, @parameters.keys)
  end
end
Also aliased as: required
required(key)
Alias for: require
reverse_merge(other_hash) click to toggle source

Returns a new ActionController::Parameters instance with all keys from current hash merged into other_hash.

# File lib/action_controller/metal/strong_parameters.rb, line 839
def reverse_merge(other_hash)
  new_instance_with_inherited_permitted_status(
    other_hash.to_h.merge(@parameters)
  )
end
Also aliased as: with_defaults
reverse_merge!(other_hash) click to toggle source

Returns the current ActionController::Parameters instance with current hash merged into other_hash.

# File lib/action_controller/metal/strong_parameters.rb, line 848
def reverse_merge!(other_hash)
  @parameters.merge!(other_hash.to_h) { |key, left, right| left }
  self
end
Also aliased as: with_defaults!
select(&block) click to toggle source

Returns a new ActionController::Parameters instance with only items that the block evaluates to true.

# File lib/action_controller/metal/strong_parameters.rb, line 770
def select(&block)
  new_instance_with_inherited_permitted_status(@parameters.select(&block))
end
select!(&block) click to toggle source

Equivalent to Hash#keep_if, but returns nil if no changes were made.

# File lib/action_controller/metal/strong_parameters.rb, line 775
def select!(&block)
  @parameters.select!(&block)
  self
end
Also aliased as: keep_if
slice(*keys) click to toggle source

Returns a new ActionController::Parameters instance that includes only the given keys. If the given keys don’t exist, returns an empty hash.

params = ActionController::Parameters.new(a: 1, b: 2, c: 3)
params.slice(:a, :b) # => #<ActionController::Parameters {"a"=>1, "b"=>2} permitted: false>
params.slice(:d)     # => #<ActionController::Parameters {} permitted: false>
# File lib/action_controller/metal/strong_parameters.rb, line 675
def slice(*keys)
  new_instance_with_inherited_permitted_status(@parameters.slice(*keys))
end
slice!(*keys) click to toggle source

Returns the current ActionController::Parameters instance which contains only the given keys.

# File lib/action_controller/metal/strong_parameters.rb, line 681
def slice!(*keys)
  @parameters.slice!(*keys)
  self
end
to_h() click to toggle source

Returns a safe ActiveSupport::HashWithIndifferentAccess representation of the parameters with all unpermitted keys removed.

params = ActionController::Parameters.new({
  name: "Senjougahara Hitagi",
  oddity: "Heavy stone crab"
})
params.to_h
# => ActionController::UnfilteredParameters: unable to convert unpermitted parameters to hash

safe_params = params.permit(:name)
safe_params.to_h # => {"name"=>"Senjougahara Hitagi"}
# File lib/action_controller/metal/strong_parameters.rb, line 285
def to_h
  if permitted?
    convert_parameters_to_hashes(@parameters, :to_h)
  else
    raise UnfilteredParameters
  end
end
to_hash() click to toggle source

Returns a safe Hash representation of the parameters with all unpermitted keys removed.

params = ActionController::Parameters.new({
  name: "Senjougahara Hitagi",
  oddity: "Heavy stone crab"
})
params.to_hash
# => ActionController::UnfilteredParameters: unable to convert unpermitted parameters to hash

safe_params = params.permit(:name)
safe_params.to_hash # => {"name"=>"Senjougahara Hitagi"}
# File lib/action_controller/metal/strong_parameters.rb, line 305
def to_hash
  to_h.to_hash
end
to_param(*args)
Alias for: to_query
to_query(*args) click to toggle source

Returns a string representation of the receiver suitable for use as a URL query string:

params = ActionController::Parameters.new({
  name: "David",
  nationality: "Danish"
})
params.to_query
# => ActionController::UnfilteredParameters: unable to convert unpermitted parameters to hash

safe_params = params.permit(:name, :nationality)
safe_params.to_query
# => "name=David&nationality=Danish"

An optional namespace can be passed to enclose key names:

params = ActionController::Parameters.new({
  name: "David",
  nationality: "Danish"
})
safe_params = params.permit(:name, :nationality)
safe_params.to_query("user")
# => "user%5Bname%5D=David&user%5Bnationality%5D=Danish"

The string pairs "key=value" that conform the query string are sorted lexicographically in ascending order.

# File lib/action_controller/metal/strong_parameters.rb, line 335
def to_query(*args)
  to_h.to_query(*args)
end
Also aliased as: to_param
to_s() click to toggle source

Returns the content of the parameters as a string.

# File lib/action_controller/metal/strong_parameters.rb, line 187
    
to_unsafe_h() click to toggle source

Returns an unsafe, unfiltered ActiveSupport::HashWithIndifferentAccess representation of the parameters.

params = ActionController::Parameters.new({
  name: "Senjougahara Hitagi",
  oddity: "Heavy stone crab"
})
params.to_unsafe_h
# => {"name"=>"Senjougahara Hitagi", "oddity" => "Heavy stone crab"}
# File lib/action_controller/metal/strong_parameters.rb, line 349
def to_unsafe_h
  convert_parameters_to_hashes(@parameters, :to_unsafe_h)
end
Also aliased as: to_unsafe_hash
to_unsafe_hash()
Alias for: to_unsafe_h
transform_keys(&block) click to toggle source

Returns a new ActionController::Parameters instance with the results of running block once for every key. The values are unchanged.

# File lib/action_controller/metal/strong_parameters.rb, line 728
def transform_keys(&block)
  return to_enum(:transform_keys) unless block_given?
  new_instance_with_inherited_permitted_status(
    @parameters.transform_keys(&block)
  )
end
transform_keys!(&block) click to toggle source

Performs keys transformation and returns the altered ActionController::Parameters instance.

# File lib/action_controller/metal/strong_parameters.rb, line 737
def transform_keys!(&block)
  return to_enum(:transform_keys!) unless block_given?
  @parameters.transform_keys!(&block)
  self
end
transform_values() { |convert_value_to_parameters(v)| ... } click to toggle source

Returns a new ActionController::Parameters instance with the results of running block once for every value. The keys are unchanged.

params = ActionController::Parameters.new(a: 1, b: 2, c: 3)
params.transform_values { |x| x * 2 }
# => #<ActionController::Parameters {"a"=>2, "b"=>4, "c"=>6} permitted: false>
# File lib/action_controller/metal/strong_parameters.rb, line 711
def transform_values
  return to_enum(:transform_values) unless block_given?
  new_instance_with_inherited_permitted_status(
    @parameters.transform_values { |v| yield convert_value_to_parameters(v) }
  )
end
transform_values!() { |convert_value_to_parameters(v)| ... } click to toggle source

Performs values transformation and returns the altered ActionController::Parameters instance.

# File lib/action_controller/metal/strong_parameters.rb, line 720
def transform_values!
  return to_enum(:transform_values!) unless block_given?
  @parameters.transform_values! { |v| yield convert_value_to_parameters(v) }
  self
end
value?(value) click to toggle source

Returns true if the given value is present for some key in the parameters.

# File lib/action_controller/metal/strong_parameters.rb, line 195
    
values() click to toggle source

Returns a new array of the values of the parameters.

# File lib/action_controller/metal/strong_parameters.rb, line 209
delegate :keys, :values, :has_value?, :value?, :empty?, :include?,
  :as_json, :to_s, :each_key, to: :@parameters
values_at(*keys) click to toggle source

Returns values that were assigned to the given keys. Note that all the Hash objects will be converted to ActionController::Parameters.

# File lib/action_controller/metal/strong_parameters.rb, line 818
def values_at(*keys)
  convert_value_to_parameters(@parameters.values_at(*keys))
end
with_defaults(other_hash)
Alias for: reverse_merge
with_defaults!(other_hash)
Alias for: reverse_merge!

Protected Instance Methods

each_nested_attribute() { |v| ... } click to toggle source
# File lib/action_controller/metal/strong_parameters.rb, line 912
def each_nested_attribute
  hash = self.class.new
  self.each { |k, v| hash[k] = yield v if Parameters.nested_attribute?(k, v) }
  hash
end
nested_attributes?() click to toggle source
# File lib/action_controller/metal/strong_parameters.rb, line 908
def nested_attributes?
  @parameters.any? { |k, v| Parameters.nested_attribute?(k, v) }
end

Private Instance Methods

array_of_permitted_scalars?(value) { |value| ... } click to toggle source
# File lib/action_controller/metal/strong_parameters.rb, line 1053
def array_of_permitted_scalars?(value)
  if value.is_a?(Array) && value.all? { |element| permitted_scalar?(element) }
    yield value
  end
end
convert_hashes_to_parameters(key, value) click to toggle source
# File lib/action_controller/metal/strong_parameters.rb, line 940
def convert_hashes_to_parameters(key, value)
  converted = convert_value_to_parameters(value)
  @parameters[key] = converted unless converted.equal?(value)
  converted
end
convert_parameters_to_hashes(value, using) click to toggle source
# File lib/action_controller/metal/strong_parameters.rb, line 925
def convert_parameters_to_hashes(value, using)
  case value
  when Array
    value.map { |v| convert_parameters_to_hashes(v, using) }
  when Hash
    value.transform_values do |v|
      convert_parameters_to_hashes(v, using)
    end.with_indifferent_access
  when Parameters
    value.send(using)
  else
    value
  end
end
convert_value_to_parameters(value) click to toggle source
# File lib/action_controller/metal/strong_parameters.rb, line 946
def convert_value_to_parameters(value)
  case value
  when Array
    return value if converted_arrays.member?(value)
    converted = value.map { |_| convert_value_to_parameters(_) }
    converted_arrays << converted.dup
    converted
  when Hash
    self.class.new(value, @logging_context)
  else
    value
  end
end
each_element(object, filter) { |object| ... } click to toggle source
# File lib/action_controller/metal/strong_parameters.rb, line 966
def each_element(object, filter, &block)
  case object
  when Array
    object.grep(Parameters).filter_map(&block)
  when Parameters
    if object.nested_attributes? && !specify_numeric_keys?(filter)
      object.each_nested_attribute(&block)
    else
      yield object
    end
  end
end
hash_filter(params, filter) click to toggle source
# File lib/action_controller/metal/strong_parameters.rb, line 1065
def hash_filter(params, filter)
  filter = filter.with_indifferent_access

  # Slicing filters out non-declared keys.
  slice(*filter.keys).each do |key, value|
    next unless value
    next unless has_key? key

    if filter[key] == EMPTY_ARRAY
      # Declaration { comment_ids: [] }.
      array_of_permitted_scalars?(self[key]) do |val|
        params[key] = val
      end
    elsif filter[key] == EMPTY_HASH
      # Declaration { preferences: {} }.
      if value.is_a?(Parameters)
        params[key] = permit_any_in_parameters(value)
      end
    elsif non_scalar?(value)
      # Declaration { user: :name } or { user: [:name, :age, { address: ... }] }.
      params[key] = each_element(value, filter[key]) do |element|
        element.permit(*Array.wrap(filter[key]))
      end
    end
  end
end
initialize_copy(source) click to toggle source
Calls superclass method
# File lib/action_controller/metal/strong_parameters.rb, line 1124
def initialize_copy(source)
  super
  @parameters = @parameters.dup
end
new_instance_with_inherited_permitted_status(hash) click to toggle source
# File lib/action_controller/metal/strong_parameters.rb, line 919
def new_instance_with_inherited_permitted_status(hash)
  self.class.new(hash, @logging_context).tap do |new_instance|
    new_instance.permitted = @permitted
  end
end
non_scalar?(value) click to toggle source
# File lib/action_controller/metal/strong_parameters.rb, line 1059
def non_scalar?(value)
  value.is_a?(Array) || value.is_a?(Parameters)
end
permit_any_in_array(array) click to toggle source
# File lib/action_controller/metal/strong_parameters.rb, line 1109
def permit_any_in_array(array)
  [].tap do |sanitized|
    array.each do |element|
      case element
      when ->(e) { permitted_scalar?(e) }
        sanitized << element
      when Parameters
        sanitized << permit_any_in_parameters(element)
      else
        # Filter this one out.
      end
    end
  end
end
permit_any_in_parameters(params) click to toggle source
# File lib/action_controller/metal/strong_parameters.rb, line 1092
def permit_any_in_parameters(params)
  self.class.new.tap do |sanitized|
    params.each do |key, value|
      case value
      when ->(v) { permitted_scalar?(v) }
        sanitized[key] = value
      when Array
        sanitized[key] = permit_any_in_array(value)
      when Parameters
        sanitized[key] = permit_any_in_parameters(value)
      else
        # Filter this one out.
      end
    end
  end
end
permitted_scalar?(value) click to toggle source
# File lib/action_controller/metal/strong_parameters.rb, line 1024
def permitted_scalar?(value)
  PERMITTED_SCALAR_TYPES.any? { |type| value.is_a?(type) }
end
permitted_scalar_filter(params, permitted_key) click to toggle source

Adds existing keys to the params if their values are scalar.

For example:

puts self.keys #=> ["zipcode(90210i)"]
params = {}

permitted_scalar_filter(params, "zipcode")

puts params.keys # => ["zipcode"]
# File lib/action_controller/metal/strong_parameters.rb, line 1038
def permitted_scalar_filter(params, permitted_key)
  permitted_key = permitted_key.to_s

  if has_key?(permitted_key) && permitted_scalar?(self[permitted_key])
    params[permitted_key] = self[permitted_key]
  end

  each_key do |key|
    next unless key =~ /\(\d+[if]?\)\z/
    next unless $~.pre_match == permitted_key

    params[key] = self[key] if permitted_scalar?(self[key])
  end
end
specify_numeric_keys?(filter) click to toggle source
# File lib/action_controller/metal/strong_parameters.rb, line 960
def specify_numeric_keys?(filter)
  if filter.respond_to?(:keys)
    filter.keys.any? { |key| /\A-?\d+\z/.match?(key) }
  end
end
unpermitted_keys(params) click to toggle source
# File lib/action_controller/metal/strong_parameters.rb, line 992
def unpermitted_keys(params)
  keys - params.keys - always_permitted_parameters
end
unpermitted_parameters!(params) click to toggle source
# File lib/action_controller/metal/strong_parameters.rb, line 979
def unpermitted_parameters!(params)
  unpermitted_keys = unpermitted_keys(params)
  if unpermitted_keys.any?
    case self.class.action_on_unpermitted_parameters
    when :log
      name = "unpermitted_parameters.action_controller"
      ActiveSupport::Notifications.instrument(name, keys: unpermitted_keys, context: @logging_context)
    when :raise
      raise ActionController::UnpermittedParameters.new(unpermitted_keys)
    end
  end
end