blacklists with strong parameters

Hi guys,

Why does ActionController::Parameters not come with a #deny method alongside #permit?

I frequently run into situations in which I want to prevent malicious assignment of one or two attributes while all the others should be “permitted”.

So this:

current_user.invoices.create! params.require(:invoice).deny(:user_id)

would be quicker than:

current_user.invoices.create! params.require(:invoice).permit(:name, :address, :email, … )

But unless I’m missing something there is no way to ‘blacklist’ parameters. Is there a particular reason for that?


Presumably it’s because blacklisting has been proven to be less secure than whitelisting. That’s also why in Rails 3, attr_accessible is considered safer than attr_protected.

In other words, if you were to add a new attr a month after writing the controller, it’s more secure to default that new attr to not being permitted than to default it to being permitted. Whitelisting achieves this.


If you really must, you could e.g. define a method on invoice along the lines of (untested)

def self.permitted_params
  attribute_names - ["user_id"]
end


and then do


But like Brian said, whitelisting is more secure.
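An added, pure-Ruby illustration of Brian's point and of what the attribute_names-based permitted_params idea does over time; this is not code from the thread, and it uses a small stand-in Params class with a hypothetical #deny rather than the real ActionController::Parameters.

```ruby
# Added example, not from the thread. A minimal stand-in for
# ActionController::Parameters with #permit (whitelist) and the
# hypothetical #deny (blacklist) asked about in the question.
class Params
  def initialize(hash)
    @hash = hash.transform_keys(&:to_s)
  end

  # Whitelist: only the named keys survive.
  def permit(*keys)
    keys = keys.map(&:to_s)
    @hash.select { |k, _| keys.include?(k) }
  end

  # Blacklist: every key except the named ones survives.
  def deny(*keys)
    keys = keys.map(&:to_s)
    @hash.reject { |k, _| keys.include?(k) }
  end
end

# Constructed request body: the client also sends two fields it should
# not control, the owner id and a `paid` flag.
REQUEST = { "name" => "ACME", "email" => "acme@example.com",
            "user_id" => 999, "paid" => true }.freeze

# Invoice attributes when the controller was written ...
INVOICE_ATTRS_V1 = %w[name address email user_id].freeze
# ... and a month later, after someone added a `paid` column.
INVOICE_ATTRS_V2 = (INVOICE_ATTRS_V1 + %w[paid]).freeze

# Whitelist, as in the original post's second snippet.
def whitelist(request)
  Params.new(request).permit(:name, :address, :email)
end

# Blacklist, as in the wished-for params.require(:invoice).deny(:user_id).
def blacklist(request)
  Params.new(request).deny(:user_id)
end

# The reply's permitted_params idea, i.e. attribute_names - ["user_id"]:
# a blacklist in disguise, recomputed from the model's current columns.
def permitted_params(attribute_names)
  attribute_names - ["user_id"]
end

# Both filters drop user_id. Only the whitelist also drops `paid`, and
# permitted_params starts permitting `paid` the moment the column exists.
```

Neither filter needs to change for `paid` to become assignable under the blacklist; the whitelist stays closed until someone deliberately adds the new name.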