strong_parameters gem and custom devise routes in Rails 4

Question

I have upgraded to Rails 4 and have gone the strong_parameters route. The problem is that it's throwing the following error pointing to the customer registrations controller I'm using for Devise:

ActiveModel::ForbiddenAttributesError (ActiveModel::ForbiddenAttributesError):
  app/controllers/users/registrations_controller.rb:89:in `build_resource'
  app/controllers/users/registrations_controller.rb:6:in `create'

Line 6 is build_resource being called from the create method and build_resource is stock standard:

def build_resource(hash=nil)
  hash ||= resource_params || {}
  self.resource = resource_class.new_with_session(hash, session)
end

The model it is dealing with is User. I have tried Ryan Bates' approach of creating a permitted params class:

class PermittedParams < Struct.new(:params, :current_user)

    def user
      params.require(:user).permit(*user_attributes)
    end

    def user_attributes
      [:name, :username, :provider, :email, :remember_me,
       :rememberable_token, :password, :password_confirmation]
    end

I'm not sure how to handle this in the registrations controller.

Answer 1

Devise is just released a new rc gem which is compatible with Rails 4.

gem 'devise', '~> 3.0.0.rc'

Other option, you could use 'rails4' branch from devise master github repo.

gem 'devise', github: 'plataformatec/devise', branch: 'rails4'

And of course don't forget a 'bundle install' after Gemfile update.

Answer 2

I found out you have to add this to the registrations controller:

class Users::RegistrationsController < Devise::RegistrationsController
  def resource_params
    params.require(:user).permit(:name, :email, :password, :password_confirmation) # And whatever other params you need
  end 
  private :resource_params
end