11

Is there any way to disable using strong params?

And I know it's a security vulnerability but I really don't need it / want it.

Marcelo De Polli
Mike Silvis

6 Answers

48

Turning off attribute protection is almost always a bad idea.

With that obligatory note out of the way, here's how to turn it off:

config.action_controller.permit_all_parameters = true

Place this in config/application.rb

iain
  • Just tried this and it didn't work for me (on a Rails 4.0.0 app). – Batkins Sep 30 '13 at 20:57
  • 2
    Worked for me. Agreed - it's generally a bad idea - but my use case is an admin site where admins can change anything. – Zubin Oct 01 '13 at 00:11
  • 1
    It worked for me. Be sure to put the line inside your Application class and reboot the HTTP server. – Guildenstern70 Dec 01 '14 at 17:47
  • 5
    This tip is invaluable when migrating an older (Rails 3.2) app and trying to get the existing specs working as a first pass at the migration, before going through the job of reworking every single model and controller to use the new mass assignment protection approach adopted in Rails 4. – jpw Sep 01 '15 at 06:44
6

I ran into this problem where I was trying to store all the params from a webhook from Stripe.

If you want to allow all parameters for a single instance, you can call #to_hash on your params object before passing it into your initialize method.

Ex:

@my_object = MyObject.new(params[:my_object].to_hash)
gabeodess
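Why the `#to_hash` call above gets past the check, as an added example that is not part of the original answers: plain-Ruby stand-ins (`DemoParams`, `DemoUser` and `outcome` are hypothetical names, not Rails classes) model the `permitted?` test that Rails' forbidden-attributes protection applies before mass assignment, next to the scoped alternative of permitting an explicit key list.

```ruby
# Plain-Ruby stand-ins constructed for this example; none of these are Rails classes.
class ForbiddenAttributesError < StandardError; end

# Mimics the relevant part of ActionController::Parameters: a hash wrapper
# that stays unpermitted until #permit builds a filtered, permitted copy.
class DemoParams
  def initialize(hash, permitted = false)
    @hash = hash
    @permitted = permitted
  end

  def permitted?
    @permitted
  end

  # Keep only the listed keys and mark the result as safe to mass-assign.
  def permit(*keys)
    DemoParams.new(@hash.select { |k, _| keys.include?(k) }, true)
  end

  def to_hash
    @hash.dup
  end
end

# Mimics a model whose constructor runs the forbidden-attributes check.
class DemoUser
  attr_accessor :name, :admin

  def initialize(attrs)
    # Only objects that answer #permitted? are checked; a plain Hash never is.
    raise ForbiddenAttributesError if attrs.respond_to?(:permitted?) && !attrs.permitted?
    attrs.to_hash.each { |k, v| public_send("#{k}=", v) }
  end
end

# Constructed request body: "admin" is a field the form never offered.
REQUEST = { name: "alice", admin: true }.freeze

# Returns the attributes that were assigned, or :rejected if the check fired.
def outcome(attrs)
  user = DemoUser.new(attrs)
  { name: user.name, admin: user.admin }
rescue ForbiddenAttributesError
  :rejected
end
```

Passing `DemoParams.new(REQUEST)` to `outcome` is rejected, the `.to_hash` form assigns `admin` as well as `name`, and `.permit(:name)` assigns only `name`.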
4

If by "disable" you mean falling back to Rails 3-style attr_accessible lines, then yes.

Just use the protected_attributes gem.

Marcelo De Polli
2

I don't think so.

DHH comments here on this pull request to add a disable switch to strong parameters

All this is a legacy concern anyway soon as Rails 4.0 will force strong parameters on everyone and you won't be able to turn it off.

Althaf Hameez
1

To stop the forbidden attributes being checked for your applications, you can patch out the check.

For example, put the following code in

config/initializers/disable_strong_parameters.rb

module ActiveModel
  module ForbiddenAttributesProtection
    protected
    def sanitize_for_mass_assignment(attributes)
      attributes
    end
    alias :sanitize_forbidden_attributes :sanitize_for_mass_assignment
  end
end
Clive
-2

Of course you can! According to Strong Parameters' official docs (https://github.com/rails/strong_parameters), you can disable it by adding the code below to your config/application.rb:

config.active_record.whitelist_attributes = false

It works for me in Rails 3.2.

albert yu