I was wondering about transparently permitting parameters submitted through a (signed) form. I assume many people have already had this idea, so maybe there are some caveats which make it a no-go?
The idea of moving mass-assignment protection from the M to the VC is great, but the duplication in the views and controllers bothers me. The form rendered with a FormBuilder already has all the information, which fields are permitted. So why not include a hidden input with the field names (and a secure checksum) as part of the form submission?
There probably needs to be a lower-level API to declare a field as permitted without rendering it (so that the form can be manipulated on client side with JS), or maybe even conditionally modify the field list in the controller, and probably a million other tweaks, but the simplest solution should work for most cases. Some controllers handling form-less requests (e.g. API requests) would of course still need to explicitly whitelist their params.
I’d like to work on it if you guys think that’s a good idea.