While it would make more sense to do a params.require like everywhere else in your controllers you cannot do so here with Devise because:
- Devise would need to know how you called your method (here permitted_parameters)
- You don't want to filter these parameters for every controller

That is why you need to use Devise's devise_parameter_sanitizer and make sure to apply it only if you are on a devise_controller?.
As a side note, in your second example:
params.require(:username, :email).permit(:username, :email)
The require method should not take a list of attributes but the name under which attributes are grouped. On a different controller it should rather look like this:
params.require(:user).permit(:username, :email)
This would allow the following parameters:
user[username]=Joe&user[email]=joe@example.org
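
What require(:user).permit(:username, :email) does to an incoming request, as an added example that is not part of the original answer. Params, ParameterMissing, user_params and the sample query string are hypothetical stand-ins constructed here so the snippet runs without Rails; they model only the require/permit behaviour described above, not the real ActionController::Parameters class.

```ruby
require "uri"

# Assumption: minimal stand-in for ActionController::Parameters.
class ParameterMissing < StandardError; end

class Params
  def initialize(hash)
    @hash = hash
  end

  # Turns "user[username]=Joe&x=1" into {"user"=>{"username"=>"Joe"}, "x"=>"1"}.
  # Handles one level of nesting only.
  def self.from_query(query)
    hash = {}
    URI.decode_www_form(query).each do |key, value|
      if (m = key.match(/\A(\w+)\[(\w+)\]\z/))
        group = hash[m[1]]
        group = hash[m[1]] = {} unless group.is_a?(Hash)
        group[m[2]] = value
      else
        hash[key] = value
      end
    end
    new(hash)
  end

  # require(:user) returns the group stored under that name, or raises.
  def require(key)
    value = @hash[key.to_s]
    raise ParameterMissing, "param is missing: #{key}" if value.nil? || value.empty?
    value.is_a?(Hash) ? Params.new(value) : value
  end

  # permit keeps only the listed scalar attributes; everything else is dropped.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    @hash.select { |k, v| allowed.include?(k) && !v.is_a?(Hash) }
  end
end

# Constructed request: the last pair is an attribute the form never offered.
QUERY = "user[username]=Joe&user[email]=joe@example.org&user[admin]=true"

def user_params(query)
  Params.from_query(query).require(:user).permit(:username, :email)
end

puts user_params(QUERY).inspect
```

A request that sends username and email at the top level, without the user[...] grouping, raises ParameterMissing in this model because nothing is stored under the required name.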