Rails: Using require and permit for attributes


Raising errors for required and permitted attributes makes it easier to find errors in your application during development and in tests. Consider this approach if you want to strengthen the params handling in your application.

Example

# config/application.rb
config.action_controller.action_on_unpermitted_parameters = :raise

# In the controller
def user_params
  params.require(:user).permit(:full_name)
end

Effects

  • This raises ActionController::ParameterMissing if a required parameter is missing.

  • This raises ActionController::UnpermittedParameters if an unpermitted parameter is submitted.

    • You need to add it manually to rescue_responses if users should see a "Bad Request" error page instead of an exception.
    • You need to add it manually to Sentry's ignore list if it should not be reported as an exception.

Notes

You need to decide which configuration works best for each of your environments. By default Rails uses these settings for your application:

  • require(:user) raises ActionController::ParameterMissing in all environments if the user key is missing
  • permit(:full_name) logs ActionController::UnpermittedParameters in development and test, and does nothing in production.

Option 1: If you use action_on_unpermitted_parameters = :raise in all environments, you will probably see many exceptions caused by bots or users submitting unpermitted params. This creates unnecessary noise in your error monitoring, with many false positives.

Option 2: If you use action_on_unpermitted_parameters = :raise in development and test but keep action_on_unpermitted_parameters = false in production, your application behaves differently between these environments. On the other hand, it forces you to fix these errors in development instead of ignoring them in the logs. For RSpec you might want to use allow(ActionController::Parameters).to receive(:action_on_unpermitted_parameters).and_return(false) for tests that should behave exactly like production.
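The behaviour described under Effects and in the two options above, as an added example that is not code from this card or from Rails: a deliberately simplified stand-in for ActionController::Parameters in plain Ruby, so the effect of :raise, :log and false on the card's user_params can be compared side by side without a Rails app. The class and method names (StrongParams, user_params_under), the error classes and the sample params are constructed for the illustration; in a real application the switch is config.action_controller.action_on_unpermitted_parameters as shown in the Example section.

```ruby
# Minimal model of Rails strong parameters (added example; NOT ActionController's
# implementation). It mirrors the two behaviours the card describes:
#   * require(:key) raises ParameterMissing when the key is absent or blank
#   * permit(*keys) drops unknown keys and, depending on the
#     action_on_unpermitted_parameters setting, raises, logs or stays silent.

class ParameterMissing < StandardError; end      # stands in for ActionController::ParameterMissing
class UnpermittedParameters < StandardError; end # stands in for ActionController::UnpermittedParameters

class StrongParams
  # Mirrors the class-level switch: :raise, :log or false (anything else is silent).
  class << self
    attr_accessor :action_on_unpermitted_parameters
  end
  self.action_on_unpermitted_parameters = false

  # The log sink is injected so the :log behaviour is observable (constructed, not Rails.logger).
  attr_reader :logged

  def initialize(hash, logged: [])
    @hash = hash.transform_keys(&:to_sym)
    @logged = logged
  end

  # Equivalent of params.require(:user): returns the nested params or raises.
  def require(key)
    value = @hash[key]
    blank = value.nil? || (value.respond_to?(:empty?) && value.empty?)
    raise ParameterMissing, "param is missing or the value is empty: #{key}" if blank
    value.is_a?(Hash) ? StrongParams.new(value, logged: @logged) : value
  end

  # Equivalent of .permit(:full_name): keep the allow-listed keys, handle the leftovers.
  def permit(*keys)
    keys = keys.map(&:to_sym)
    permitted = @hash.select { |k, _| keys.include?(k) }
    unpermitted = @hash.keys - keys
    unless unpermitted.empty?
      listing = unpermitted.map { |k| ":#{k}" }.join(", ")
      case StrongParams.action_on_unpermitted_parameters
      when :raise
        raise UnpermittedParameters, "found unpermitted parameters: #{listing}"
      when :log
        @logged << "Unpermitted parameters: #{listing}"
      end
      # false (production default): silently drop the extra keys
    end
    permitted
  end
end

# Runs the card's user_params under a given setting and reports what happened,
# so the three configurations can be compared side by side.
def user_params_under(setting, raw_params)
  log = []
  StrongParams.action_on_unpermitted_parameters = setting
  permitted = StrongParams.new(raw_params, logged: log).require(:user).permit(:full_name)
  { permitted: permitted, logged: log }
rescue ParameterMissing, UnpermittedParameters => e
  { error: e.class.name, message: e.message, logged: log }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request: :admin is not in the permit list, as a bot or a tampered form might send it.
  submitted = { user: { full_name: "Alice", admin: true } }
  p user_params_under(:raise, submitted) # development/test with :raise -> UnpermittedParameters
  p user_params_under(:log, submitted)   # Rails default in development/test -> logged, :admin dropped
  p user_params_under(false, submitted)  # Rails default in production -> :admin dropped silently
  p user_params_under(:raise, {})        # missing :user -> ParameterMissing in every environment
end
```

The point of the comparison is the last two calls: with :raise an unpermitted key is an exception you have to handle (rescue_responses, monitoring ignore list), while with false the same request simply loses the extra key, which is why an application configured differently per environment behaves differently for the same input.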

Last edit: Emanuel
License: Source code in this card is licensed under the MIT License.
Posted by Emanuel to makandra dev (2024-05-22 14:14)