blacklists with strong parameters

Hi guys,

Why does ActionController::Parameters not come with a #deny method alongside #permit?

I frequently run into situations in which I want to prevent malicious assignment of one or two attributes, while all the others should be “permitted”.

So this:

current_user.invoices.create! params.require(:invoice).deny(:user_id)

would be quicker than:

current_user.invoices.create! params.require(:invoice).permit(:name, :address, :email, … )

But unless I’m missing something, there is no way to ‘blacklist’ parameters. Is there a particular reason for that?

Maurizio

Presumably it’s because blacklisting has been proven to be less secure than whitelisting. That’s also why in Rails 3, attr_accessible is considered safer than attr_protected.

In other words, if you were to add a new attr a month after writing the controller, it’s more secure to default that new attr to not being permitted than to default it to being permitted. Whitelisting achieves this.

Brian

If you really must, you could e.g. define a method on invoice along the lines of (untested)

def self.permitted_params
  attribute_names - ["user_id"]
end

and then do

permit(*Invoice.permitted_params)

But like Brian said, whitelisting is more secure.
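The following is an added illustration, not code from the thread or from Rails: a small stand-in for the filtering step of ActionController::Parameters, used to compare an explicit #permit whitelist, the proposed #deny blacklist, and the attribute_names-minus-blacklist workaround above when the Invoice model later gains a column. The column lists, the `paid` column, the request hash and every method name are constructed for the example.

```ruby
# Constructed stand-in for Invoice.attribute_names as it exists today...
INVOICE_COLUMNS_TODAY = %w[name address email user_id].freeze
# ...and a month later, after an unrelated migration adds a privileged flag.
INVOICE_COLUMNS_LATER = (INVOICE_COLUMNS_TODAY + %w[paid]).freeze

# Constructed request body: the client also sends attributes it should not control.
RAW_PARAMS = {
  "name" => "ACME", "address" => "1 Main St", "email" => "a@example.com",
  "user_id" => "42", "paid" => "true"
}.freeze

# Whitelist (permit semantics): only the keys the controller author listed survive.
def permit(params, *allowed)
  names = allowed.map(&:to_s)
  params.select { |key, _| names.include?(key) }
end

# Blacklist (the proposed #deny): everything survives except the keys listed.
def deny(params, *blocked)
  names = blocked.map(&:to_s)
  params.reject { |key, _| names.include?(key) }
end

# The thread's workaround: derive a whitelist from the model's columns minus a
# blacklist. It is still a blacklist in disguise: new columns are permitted by default.
def permitted_params(columns, blocked)
  columns - blocked.map(&:to_s)
end

# Controller written today with an explicit whitelist; left unchanged a month later,
# it still drops the new column because nobody added it to the list.
def whitelist_result(params)
  permit(params, :name, :address, :email)
end

# Same controller written with #deny: the new column passes straight through.
def deny_result(params)
  deny(params, :user_id)
end

# Derived whitelist: safe today, but it silently widens as soon as the column exists.
def derived_result(params, columns)
  permit(params, *permitted_params(columns, %w[user_id]))
end

if __FILE__ == $0
  p whitelist_result(RAW_PARAMS).keys                        # name address email
  p deny_result(RAW_PARAMS).keys                             # ... plus paid
  p derived_result(RAW_PARAMS, INVOICE_COLUMNS_TODAY).keys   # name address email
  p derived_result(RAW_PARAMS, INVOICE_COLUMNS_LATER).keys   # ... plus paid
end
```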