Strong parameters with Rails and Devise

Question

I am using the rails 4.0 branch of devise along with ruby 2.0.0p0 and Rails 4.0.0.beta1.

This is the kind of question where I am checking if I'm doing it the right way, or if there are other things I should be doing. I'm sure a lot of people moving to Rails 4.0 are facing the same problems (after googling for similar things).

I have read the following links:

• Devise and Strong Parameters
• https://gist.github.com/kazpsp/3350730
• https://github.com/plataformatec/devise/tree/rails4#strong-parameters

Now using devise I created a User model, I created the following controller using the above gists (and made sure to include it in my routes file). My extra parameters are first_name and last_name.

class Users::RegistrationsController < Devise::RegistrationsController
  def sign_up_params
    params.require(:user).permit(:first_name, :last_name, :email, :password, :password_confirmation)
  end
  def account_update_params
    params.require(:user).permit(:first_name, :last_name, :email, :password, :password_confirmation, :current_password)
  end
  private :sign_up_params
  private :account_update_params
end

Is there anything else I should be doing? Is this the best way of doing things from now on (since dropping attr_accessor). My forms seem to be working fine (both the new and update). The gists said to use "resource_params" but that always gave the "Unpermitted parameters" error in my server log.

Answer 1

Thanks for the latest updates on Rails4 branch of Devise, it doesn't really need to insert 'resource_params'.

I've created a brand new Rails4 app and followed basic Devise installation steps and my app works properly, so I think, you've done well.

But there is a modified gist which gives you some extra details in terms of permitted parameters if you need:

Source: https://gist.github.com/bluemont/e304e65e7e15d77d3cb9

# controllers/users/registrations_controller.rb
class Users::RegistrationsController < Devise::RegistrationsController

  before_filter :configure_permitted_parameters

  protected

  # my custom fields are :name, :heard_how
  def configure_permitted_parameters
    devise_parameter_sanitizer.for(:sign_up) do |u|
      u.permit(:name, :heard_how,
        :email, :password, :password_confirmation)
    end
    devise_parameter_sanitizer.for(:account_update) do |u|
      u.permit(:name,
        :email, :password, :password_confirmation, :current_password)
    end
  end
end

Answer 2

For Rails 5, Devise 4 Use this:

class ApplicationController < ActionController::Base
  before_action :configure_permitted_parameters, if: :devise_controller?

  protected

  def configure_permitted_parameters
    devise_parameter_sanitizer.permit(:sign_up, keys: [:first_name, :last_name, :email, :password, :password_confirmation])
  end
end

Reference

Answer 3

It works very nice with adding an module in config/initializers with all parameters like this

module DevisePermittedParameters
  extend ActiveSupport::Concern

  included do
    before_filter :configure_permitted_parameters
  end

  protected

  def configure_permitted_parameters
    devise_parameter_sanitizer.for(:sign_up) { |u| u.permit(:first_name, :last_name, :email, :password, :password_confirmation) }
  end

end

DeviseController.send :include, DevisePermittedParameters