strong parameters in rails 4.0 simple Devise implementation

Question

I've gone through the documentation but I still can't get my head around the syntax/formatting.

I am pretty new in rails. I have this in my model:

attr_accessible :email, :username

Because of the changes in rails 4.0 this need to be moved over to my controller.

If I put this in my controller would it be correct(This is what I think documentation says to do but not sure if I interpreted correctly):

before_filter :configure_permitted_parameters, if: :devise_controller?

  protected

  def configure_permitted_parameters
    devise_parameter_sanitizer.for(:sign_up) << :username
  end 

To me something like this makes more sense, can I do this?:

protected
  def permitted_paramters
    params.require(:username, :email).permit(:username, :email)
  end

Any suggestions appreciated, thanks.

Answer 1

While it would make more sense to do a params.require like everywhere else in your controllers you cannot do so here with Devise because:

• Devise would need to know how you called your method (here permitted_parameters)
• You don't want to filter these parameters for every controller

That is why you need to use Devise's devise_parameter_sanitizer and make sure to apply it only if you are on a devise_controller?.

---

As a side note, in your second example:

params.require(:username, :email).permit(:username, :email)

The require method should not take a list of attributes but the name under which attributes are grouped. On a different controller it should rather look like this:

params.require(:user).permit(:username, :email)

This would allow the following parameters:user[username]=Joe&user[email]=joe@example.org