
In Rails in your models_controller you can either whitelist your attributes:

```ruby
def deal_params
  params.require(:deal).permit(:name, :phone)
end
```

or blacklist your attributes

```ruby
def deal_params
  params.require(:deal).permit!.except(:id)
end
```

In Pundit you can whitelist your attributes:

```ruby
class DealPolicy < ApplicationPolicy
  def permitted_attributes
    if user.admin? || user.owner_of?(deal)
      [:name, :phone]
    else
      [:whatever_else_a_non_admin_can_modify]
    end
  end
end
```

but is it possible to blacklist them in any way?

As a side note, one should be aware of security risks with blacklisting attributes.

  • Hey Art, after reading into [Pundit's source code](https://github.com/elabs/pundit/blob/master/lib/pundit.rb#L142), it seems like the `permitted_attributes` method is hard-coded only to accept the `permitted_attributes` on the `Policy`. That said, the thing is hard-coded to only `permit` the array of attributes that you give in your `Policy` class, and as such one cannot `permit!.except([list_of_attributes])`. I [opened up an issue](https://github.com/elabs/pundit/issues/312) in order to add the ability to blacklist attributes. – Chris Cirefice Aug 26 '15 at 16:55
  • Thanks Chris. I like your comprehensive explanation in the issue with arguments and links. – arthur Aug 27 '15 at 12:55
  • Hey Art. Unfortunately it looks like the Pundit authors don't want to make it easier for Pundit users to start blacklisting attributes, so I suppose that we're stuck with whitelisting. Subscribe to notifications on my Github issue though, they may change their minds! – Chris Cirefice Aug 27 '15 at 13:06
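As an added illustration of the side note in the question (not code from the question, from Rails or from Pundit), the script below uses a plain-Hash stand-in for `permit` and `permit!.except`, a constructed `DealPolicy` in the shape of the one above, and a constructed `:approved` attribute that did not exist when the `except(:id)` deny-list was written; it shows that the allowlist drops the new attribute while the deny-list lets it through.

```ruby
# Added example: a minimal stand-in for ActionController::Parameters#permit
# and #except on a plain Hash, contrasting the two filtering styles from the
# question once the model grows a column the deny-list never mentioned.

# Simplified model of Rails' `permit`: keep only the named keys.
def permit(params, *allowed)
  params.select { |key, _| allowed.include?(key) }
end

# Simplified model of `permit!.except`: keep everything except the named keys.
def permit_all_except(params, *denied)
  params.reject { |key, _| denied.include?(key) }
end

# Constructed policy in the shape of the DealPolicy from the question
# (a Hash stands in for the user object; `user.admin?` becomes user[:admin]).
class DealPolicy
  attr_reader :user, :deal

  def initialize(user, deal)
    @user = user
    @deal = deal
  end

  def permitted_attributes
    user[:admin] ? [:name, :phone, :discount] : [:name, :phone]
  end
end

# Constructed request body: a non-admin submits :approved, a column assumed
# to have been added to the model after the deny-list was written.
SUBMITTED = { name: 'Summer sale', phone: '555-0100', id: 7, approved: true }.freeze

# Allowlist path: only what the policy names survives, whatever else was sent.
def allowlist_result(user)
  permit(SUBMITTED, *DealPolicy.new(user, nil).permitted_attributes)
end

# Deny-list path (the `permit!.except(:id)` pattern): anything not explicitly
# denied survives, including attributes that did not exist at write time.
def denylist_result
  permit_all_except(SUBMITTED, :id)
end

if __FILE__ == $PROGRAM_NAME
  p allowlist_result(admin: false)  # => {:name=>"Summer sale", :phone=>"555-0100"}
  p denylist_result                 # :approved is still present
end
```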
