Automatically permit params submitted via a FormBuilder'd form

Hi,

I was wondering about transparently permitting parameters submitted through a (signed) form. I assume many people have already had this idea, so maybe there are some caveats which make it a no-go?

The idea of moving mass-assignment protection from the M to the VC is great, but the duplication in the views and controllers bothers me. The form rendered with a FormBuilder already has all the information, which fields are permitted. So why not include a hidden input with the field names (and a secure checksum) as part of the form submission?

There probably needs to be a lower-level API to declare a field as permitted without rendering it (so that the form can be manipulated on client side with JS), or maybe even conditionally modify the field list in the controller, and probably a million other tweaks, but the simplest solution should work for most cases. Some controllers handling form-less requests (e.g. API requests) would of course still need to explicitly whitelist their params.

I’d like to work on it if you guys think that’s a good idea.

Yehuda Katz started an implementation of this feature and found some problems with cached forms. We end up to not implement this for Rails 4.

Maybe he can give more information about the problems.

Yehuda Katz started an implementation of this feature and found some problems with cached forms. We end up to not implement this for Rails 4.
Maybe he can give more information about the problems.

Thanks Rafael. I’m curious about the problems that Yehuda ran into. I’ve been thinking about caching as well, but I can’t think of a situation where it may be a problem - after all, the fields list and the checksum should be a function of the form inputs and the server-side secret, not cookies, the session or anything else request-specific. What am I missing?