Disable strong parameters for a specific action

3

17

I have a serious problem with strong parameters. It's working pretty well in my roughly 200 actions, but in one it doesn't because I'm working very dynamically with the parameters there, and I also can't change it because of the application's design.

So I want to disable strong parameters validation in just this specific action. Is there a way to do this?

Misnomer answered 28/5, 2015 at 14:36 Comment(2)
Why can't you use if in this specific place? - Multicellular
Because I don't know how the params will be named. My action is based on metaprogramming... - Misnomer
22

Strong parameters overrides the params method in ActionController::Base. You can simply override it and set it back to what you want yourself.

So this:

class MyController < ApplicationController
  def params
    request.parameters
  end
end

Will effectively disable strong parameters for all actions in your controller. You only wanted to disable it for a particular action though so you could do that with:

class MyController < ApplicationController
  before_action :use_unsafe_params, only: [:particular_action]

  def params
    @_dangerous_params || super
  end

  def particular_action
    # My params is unsafe
  end

  def normal_action
    # my params is safe
  end

  private

  def use_unsafe_params
    @_dangerous_params = request.parameters
  end
end
Stalagmite answered 15/12, 2016 at 12:16 Comment(0)
7

Not too sure if this is best practice but for Rails 5 I just use request.params instead of params anytime I want to skip strong params.

So instead of something like:

post = Post.new(params[:post])

I use:

post = Post.new(request.params[:post])
Spence answered 25/7, 2019 at 9:3 Comment(0)
4

You can use .permit! to whitelist any keys in a hash.

params.require(:something).permit!

However this should be treated as an extreme code smell and a security risk.

Nested hashes can be whitelisted with this trick:

params.require(:product).permit(:name, data: params[:product][:data].try(:keys))
Aquavit answered 28/5, 2015 at 14:59 Comment(7)
This won't work for me because the names of the params aren't defined statically; they are defined by the displayed object. I know this sounds like a big security hole but I implemented security mechanisms in the method logic. I really need to turn strong parameters off in one action. - Misnomer
The only way I can think of is using config.action_controller.permit_all_parameters, but that is done on a per-app basis. Not per action. - Aquavit
Yes, for development mode I disabled strong parameters, but of course I can't do this in production mode. - Misnomer
You could create some kind of function that recursively walks the params hash and whitelists it. But I can't really give you an example since I have no idea what your controller looks like. - Aquavit
I think it's easier to modify the strong parameters gem in a way that allows disabling the gem per action. - Misnomer
Yeah, but hacking core is almost always a bad idea. - Aquavit
Let us continue this discussion in chat. - Aquavit
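
The recursive walk suggested in the comments above, as an added example that is not code from any poster or from Rails: it filters a raw parameter hash against an allowlist built server-side from the displayed object, so dynamically named keys are accepted without turning strong parameters off. `filter_params`, `WIDGET_SCHEMA` and the sample request are hypothetical.

```ruby
# Added example: plain Ruby, no Rails needed. All names are hypothetical.

# Allowlist built on the server from the object being displayed, never from
# the request. A Symbol is a scalar field; a Hash maps a key to a nested list.
WIDGET_SCHEMA = [:name, { data: [:color, :size, { dims: [:w, :h] }] }].freeze

SCALAR_TYPES = [String, Numeric, TrueClass, FalseClass, NilClass].freeze

# Walks raw (for example request.parameters) against schema and returns
# [clean_hash, rejected_paths]. Unknown keys and wrongly shaped values are
# dropped and reported instead of reaching mass assignment.
def filter_params(raw, schema, path = [])
  return [{}, [path.join(".")]] unless raw.is_a?(Hash)

  scalars = schema.grep(Symbol).map(&:to_s)
  nested = schema.grep(Hash).reduce({}, :merge).transform_keys(&:to_s)
  clean = {}
  rejected = []

  raw.each do |key, value|
    key = key.to_s
    here = path + [key]
    if scalars.include?(key) && SCALAR_TYPES.any? { |t| value.is_a?(t) }
      clean[key] = value
    elsif nested.key?(key) && value.is_a?(Hash)
      sub, bad = filter_params(value, nested[key], here)
      clean[key] = sub
      rejected.concat(bad)
    else
      rejected << here.join(".")
    end
  end
  [clean, rejected]
end

# Constructed request body; "admin", "data.price_override" and "data.dims.x"
# are not in the schema and must not survive filtering.
SAMPLE = {
  "name" => "Lamp",
  "admin" => true,
  "data" => { "color" => "red", "price_override" => 0,
              "dims" => { "w" => 3, "h" => "4", "x" => 1 } }
}.freeze

clean, rejected = filter_params(SAMPLE, WIDGET_SCHEMA)
puts "kept:     #{clean.inspect}"
puts "rejected: #{rejected.inspect}"
```

The schema has the same shape as the arguments to permit in the answer above, so in a controller it can also be passed as permit(*schema). Logging the rejected paths gives a record of clients sending keys the displayed object does not define.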
