merb-param-protection
=================

This plugin exposes three new controller methods which allow us to simply and flexibly filter the parameters available within the controller.

Setup:

The request sets:

    params => { :post => { :title => "ello", :body => "Want it", :status => "green", :author_id => 3, :rank => 4 } }

Example 1: params_accessible

    class MyController < Application
      params_accessible :post => [:title, :body]
    end

    params.inspect # => { :post => { :title => "ello", :body => "Want it" } }

So we see that params_accessible removes everything except what is explicitly specified.

Example 2: params_protected

    class MyOtherController < Application
      params_protected :post => [:status, :author_id]
    end

    params.inspect # => { :post => { :title => "ello", :body => "Want it", :rank => 4 } }

We also see that params_protected removes ONLY those parameters explicitly specified.

Sometimes you have certain post parameters that are best left unlogged; we support that too. Your actions continue to receive the variable correctly, but the requested parameters are scrubbed at log time.

    class MySuperDuperController < Application
      log_params_filtered :password
    end

    params.inspect # => { :username => 'atmos', :password => '[FILTERED]' }
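The three behaviours described above, modelled as a stand-alone Ruby script so the allowlist and denylist results can be compared on one request. This is an added example, not the plugin's source: the function names are hypothetical, the extra `:approved` key is constructed, and leaving groups that the spec does not name untouched is an assumption.

```ruby
# Added illustration, not merb-param-protection's implementation.
# All function names here are hypothetical.

# Allowlist (params_accessible semantics): inside each named group keep
# only the listed keys. Assumption: groups not named pass through as-is.
def filter_accessible(params, spec)
  params.each_with_object({}) do |(group, value), out|
    allowed = spec[group]
    keep = allowed && value.is_a?(Hash)
    out[group] = keep ? value.select { |k, _| allowed.include?(k) } : value
  end
end

# Denylist (params_protected semantics): inside each named group drop
# only the listed keys; anything not listed survives.
def filter_protected(params, spec)
  params.each_with_object({}) do |(group, value), out|
    denied = spec[group]
    drop = denied && value.is_a?(Hash)
    out[group] = drop ? value.reject { |k, _| denied.include?(k) } : value
  end
end

# Log scrubbing (log_params_filtered semantics): build a masked copy for
# the log at any nesting depth; the hash the action receives is unchanged.
def scrub_for_log(params, *secret_keys)
  params.each_with_object({}) do |(key, value), out|
    out[key] =
      if secret_keys.include?(key) then '[FILTERED]'
      elsif value.is_a?(Hash) then scrub_for_log(value, *secret_keys)
      else value
      end
  end
end

# Constructed request: the README's sample plus one key (:approved) that
# neither controller declaration anticipated.
REQUEST = {
  :post => { :title => "ello", :body => "Want it", :status => "green",
             :author_id => 3, :rank => 4, :approved => true }
}.freeze

if __FILE__ == $PROGRAM_NAME
  p filter_accessible(REQUEST, :post => [:title, :body])
  p filter_protected(REQUEST, :post => [:status, :author_id])
  p scrub_for_log({ :username => 'atmos', :password => 'secret' }, :password)
end
```

The unanticipated `:approved` key is dropped by the allowlist but reaches the action under the denylist, just as `:rank` does in Example 2.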