As the lack of answers seemed to indicate I was barking up the wrong tree here. The issue lies not with strong_parameters but with the CanCan gem that I use for doing role and action based authorization. Apparently it's got to do with how CanCan assigns params to objects (CanCan takes over the default ActionController methods) - see the details in this bug report, specifically the reply from "rewritten". In short, putting this in my application controller solves the problem:
before_filter do
resource = controller_name.singularize.to_sym
method = "#{resource}_params"
params[resource] &&= send(method) if respond_to?(method, true)
end
Update:
As pointed out by @scaryguy, if the method above is called from a controller that does not have an associated model it will fall over. The solution is simply to name the method and call it as a before_filter, while explicitly excluding it in those controllers which have no models (and hence would not benefit from CanCan's automatic ability assignment anyway). I reckon something like this:
before_filter :can_can_can
def can_can_can
resource = controller_name.singularize.to_sym
method = "#{resource}_params"
params[resource] &&= send(method) if respond_to?(method, true)
end
And then in the model-less controller:
skip_before_filter :can_can_can