Question

I'm currently running the following:

Rails 4.0.2
Devise 3.2.2

The Devise documentation states that Strong Parameters will block all but the following attributes by default - email, password, password_confirmation, current_password.

I edited the new.html.erb in my registration Devise Views to contain three additional attributes - first_name, last_name, profile_name as shown below.

<h2>Sign up</h2>

<%= form_for(resource, :as => resource_name, :url => registration_path(resource_name)) do |f| %>
  <%= devise_error_messages! %>
  <div><%= f.label :first_name %><br />
    <%= f.text_field :first_name %></div>

  <div><%= f.label :last_name %><br />
    <%= f.text_field :last_name %></div>

  <div><%= f.label :profile_name %><br />
    <%= f.text_field :profile_name %></div>

  <div><%= f.label :email %><br />
  <%= f.email_field :email, :autofocus => true %></div>

  <div><%= f.label :password %><br />
  <%= f.password_field :password %></div>

  <div><%= f.label :password_confirmation %><br />
  <%= f.password_field :password_confirmation %></div>

  <div><%= f.submit "Sign up" %></div>
<% end %>

<%= render "devise/shared/links" %>

For some reason a user can still register by inputting information in all the fields, even the new fields that I added. Is there a reason my attributes are all being allowed by default?

I'm new to programming and I'm following my first rails tutorial so I'm sure I'm making a completely obvious mistake but I can't figure it out and haven't been able to find the same problem by searching online.

Thank you


Solution 2

With strong parameters there is no implicit validation on the client side as to whether or not the fields are allowed, but these fields will not actually be saved to the database until you explicitly permit them in your controller. You should be able to verify that the controller is blocking those fields by watching your server console during the create/update action.

OTHER TIPS

Gemfile

gem "strong_parameters"

config/application.rb

config.active_record.whitelist_attributes = false

application_controller

before_filter :configure_permitted_parameters, if: :devise_controller?

protected

def configure_permitted_parameters
  # last_name and profile_name are appended to the sign_up list the same way
  devise_parameter_sanitizer.for(:sign_up) << :first_name
end

The user can enter it, but it's not permitted for mass assignment. The following is from the Devise README:

In case you want to permit additional parameters (the lazy way™) you can do with a simple before filter in your ApplicationController:

class ApplicationController < ActionController::Base
  before_filter :configure_permitted_parameters, if: :devise_controller?

  protected

  def configure_permitted_parameters
    devise_parameter_sanitizer.for(:sign_up) << :username
  end
end

Read more about this on Devise's README, strong parameter section.
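The behaviour both answers describe, as an added example that is not part of the question, of either answer, or of Devise's own code: a small pure-Ruby model of what happens between the posted form and the `User.new` call. `Params`, `SignUpSanitizer`, `FORM_PARAMS` and the extra `admin` field are all hypothetical stand-ins for `ActionController::Parameters`, Devise 3.x's parameter sanitizer and a constructed request body; the real classes are not loaded here, so the block runs without Rails installed.

```ruby
# Hypothetical stand-in for ActionController::Parameters#permit.
# Keys that are not in the permit list are dropped, and Rails records them
# (it logs "Unpermitted parameters: ..." by default, or raises when
# config.action_controller.action_on_unpermitted_parameters = :raise).
class Params
  attr_reader :unpermitted

  def initialize(hash)
    @hash = hash.transform_keys(&:to_sym)
    @unpermitted = []
  end

  def permit(*keys)
    allowed = keys.map(&:to_sym)
    @unpermitted = @hash.keys - allowed
    @hash.select { |k, _| allowed.include?(k) }
  end
end

# Hypothetical stand-in for Devise::ParameterSanitizer (Devise 3.x): every
# action has a default whitelist, and `for(action)` hands back that mutable
# array, which is why `devise_parameter_sanitizer.for(:sign_up) << :field`
# in a before_filter is enough to extend it.
class SignUpSanitizer
  DEFAULTS = {
    sign_up: [:email, :password, :password_confirmation],
    account_update: [:email, :password, :password_confirmation, :current_password],
  }.freeze

  def initialize
    @permitted = DEFAULTS.transform_values(&:dup)
  end

  def for(action)
    @permitted.fetch(action)
  end

  def sanitize(action, params)
    params.permit(*self.for(action))
  end
end

# Constructed request body: the fields from the sign-up form in the question,
# plus an "admin" field a user could add with the browser's dev tools.
FORM_PARAMS = {
  "first_name" => "Ada",
  "last_name" => "Lovelace",
  "profile_name" => "ada",
  "email" => "ada@example.com",
  "password" => "s3cret!",
  "password_confirmation" => "s3cret!",
  "admin" => "true",
}.freeze

# Without configure_permitted_parameters: the form submits happily, but only
# the Devise defaults reach the model; the rest is reported as unpermitted.
def sign_up_with_defaults(form = FORM_PARAMS)
  sanitizer = SignUpSanitizer.new
  params = Params.new(form)
  attrs = sanitizer.sanitize(:sign_up, params)
  [attrs, params.unpermitted]
end

# With the before_filter from the answers: the three profile fields are
# whitelisted, while anything else (here "admin") is still dropped.
def sign_up_with_extra_fields(form = FORM_PARAMS)
  sanitizer = SignUpSanitizer.new
  sanitizer.for(:sign_up).push(:first_name, :last_name, :profile_name)
  params = Params.new(form)
  attrs = sanitizer.sanitize(:sign_up, params)
  [attrs, params.unpermitted]
end

if __FILE__ == $PROGRAM_NAME
  attrs, dropped = sign_up_with_defaults
  puts "defaults only -> saved #{attrs.keys.inspect}, dropped #{dropped.inspect}"
  attrs, dropped = sign_up_with_extra_fields
  puts "with before_filter -> saved #{attrs.keys.inspect}, dropped #{dropped.inspect}"
end
```

The second function is the point of the whitelist: permitting `first_name`, `last_name` and `profile_name` does not open the door to every other field the client chooses to post, so a column like `admin` stays out of `User.new` unless you list it explicitly. Checking the `Unpermitted parameters` line in the server log, as Solution 2 suggests, is the quickest way to confirm the same thing in a real Rails app.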

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow