Originally published on Hint’s blog.
We all know Strong Parameters isn’t exactly cutting edge technology in 2019. It was originally introduced in Rails 3.2 (March 20, 2012) and was made the default/standard in 4.0 (June 25, 2013).
Even with Strong Parameters 7 years in the rear view mirror, there was still legacy security support in the form of the protected_attributes gem. However, with the release of Rails 5, this gem was officially unmaintained.
Based on our UpgradeRails experience helping clients move to the latest and greatest versions of Rails, this is still a large technical hurdle that many teams face.
With this in mind, we built a tool that allows for safe and confident migration to strong parameters.
We call it Moderate Parameters.
Here’s How It Works
Moderate Parameters is a tool that provides safety nets and logging of data sources in the controller by extending ActionController::Parameters functionality.
Add the gem (repo/rubygems) to your application’s Gemfile:
Then, inside of the recommended strong parameters private method, replace permit with moderate and add a little context:
(Note: controller_path and action_name need to be included as shown. They are methods that provide naming context for the logger.)
class UsersController < ActionController::Base . . . private # def user_params # params.require(:user).permit(:email, :first_name, . . .) # end def user_params params.require(:user).moderate(controller_path, action_name, :email, :first_name, . . .) end end And...that's it. Moderate Parameters will begin logging controller context and parameter keys that have not yet been whitelisted. This means that, in the above example, if you forgot to include :last_name in the list of permitted parameters while creating a user, your log would look like this: Users#create is missing :last_name from the permitted parameters Test Like You Fly We have built Moderate Parameters to be deployed to production. This way we can ensure that all parameters are being accounted for every controller in the entire Rails app. Data will still flow through the app as expected, with the added benefit of painting a clear picture of what moving to Strong Parameters **looks like. Once the full parameter list has been clearly outlined (meaning your Moderate Parameters logs are empty), switching over to Strong Parameters is as easy as swapping moderate for permit: class UsersController < ActionController::Base . . . private def user_params params.require(:user).permit(:email, :first_name, :last_name) end # def user_params # params.require(:user).moderate(controller_path, action_name, :email, :first_name, :last_name) # end end We Can Help! We have built up a set of services that can run alongside Moderate Parameters in production to procedurally parse and generate exactly what Strong Parameters should look like. If Strong Parameters or something like it is preventing you or your team from enjoying the latest in Rails security and features, let us help you ensure your success. Our team has decades of experience helping teams turn unmanageable upgrades into cutting-edge products taking advantage of all that Rails has to offer.