Tags: ruby-on-rails, strong-parameters

Are there security risks to whitelisting all the column names in a model with strong params?


I'm in the process of extracting some parts of a project into an engine and I wanted to whitelist user params in such a way that the user doesn't have to configure anything.

This is what I ultimately came up with:

def user_params
  params.permit(::User.columns.map(&:name), :current_password, :password, :password_confirmation)
end

It works so far (it allows all attributes in the user model and seems to reject anything else), however, I can't find another implementation of this in my searching that does it the same way and I'm wondering if that's because there's something I'm not seeing.

Is there a security vulnerability with setting strong params up like this?


Solution

  • Is there a security vulnerability with setting strong params up like this?

    Yes, there is. This defeats the purpose of whitelisting, which is to allow some fields, but not the others. Malicious clients will be able to write any of your fields, including, say, roles or is_admin.

    If you don't have any restricted fields, you may skip strong params entirely and just use params[:user] (or params if your attributes are at the top level as shown in the question). The end result will be the same, but at least you won't have any illusions of security.
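To make the answer's point concrete, here is an added example (not code from the question or the answer, and it does not load Rails). It uses a minimal stand-in for the flat-key behaviour of ActionController::Parameters#permit, a constructed list standing in for ::User.columns.map(&:name), and a constructed request body carrying a forged is_admin and role. Permitting every column passes both through; an explicit whitelist drops them. The exposed_protected_columns helper is an assumed audit check an engine could run in its test suite so a permitted-key list that drifts onto a protected column fails the build.

```ruby
# Added example; models strong-params filtering without Rails.
require 'set'

# Constructed stand-in for ::User.columns.map(&:name) in the question.
USER_COLUMNS = %w[id email name encrypted_password is_admin role created_at updated_at].freeze

# Columns a client must never set through a form. Constructed list; the real
# one comes from the application's own data model.
PROTECTED_COLUMNS = %w[id is_admin role encrypted_password created_at updated_at].freeze

# Minimal model of strong-params filtering for flat scalar keys: every key not
# in the permitted list is dropped. Keys are compared as strings, as Rails does.
def permit(params, permitted_keys)
  allowed = permitted_keys.map(&:to_s).to_set
  params.select { |key, _| allowed.include?(key.to_s) }
end

# The question's approach: permit every column plus the password fields.
def permit_all_columns(params)
  permit(params, USER_COLUMNS + %w[current_password password password_confirmation])
end

# An explicit whitelist naming only what a self-service profile form may change.
def permit_explicit(params)
  permit(params, %w[email name current_password password password_confirmation])
end

# Audit helper (assumed, not a Rails API): returns the protected columns a
# permitted-key list would expose, so a test can fail when the list drifts.
def exposed_protected_columns(permitted_keys)
  permitted_keys.map(&:to_s) & PROTECTED_COLUMNS
end

# Constructed request body: a legitimate profile update with a forged is_admin
# and role tacked on by the client.
MALICIOUS_PARAMS = {
  'email' => 'alice@example.com',
  'name' => 'Alice',
  'password' => 'correct horse',
  'password_confirmation' => 'correct horse',
  'is_admin' => 'true',
  'role' => 'admin'
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "permit all columns keeps: #{permit_all_columns(MALICIOUS_PARAMS).keys.inspect}"
  puts "explicit whitelist keeps: #{permit_explicit(MALICIOUS_PARAMS).keys.inspect}"
  puts "protected columns exposed by the column list: #{exposed_protected_columns(USER_COLUMNS).inspect}"
end
```

Running the script shows is_admin and role surviving permit_all_columns and disappearing under permit_explicit; the audit helper lists every protected column the column-derived list would open up, which is the check worth wiring into an engine's tests.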