In Rails 4 disable Strong Parameters by default

Question

Is there anyway to disable using strong params?

And I know it's a security vulnerability but I really don't need it / want it.

Answer 1

to stop the forbidden attributes being checked for your applications you can patch out the check ..

for example put the following code in

config/initializers/disable_strong_parameters.rb

module ActiveModel
  module ForbiddenAttributesProtection
    protected
      def sanitize_for_mass_assignment(attributes)
          attributes
      end
      alias :sanitize_forbidden_attributes :sanitize_for_mass_assignment
  end
end

Answer 2

I ran into this problem where I was trying to store all the params from a webhook from Stripe.

If you want to allow all parameters for a single instance, your can call #to_hash on your params object before passing it into your initialize method.

Ex:

@my_object = MyObject.new(params[:my_object].to_hash)

Answer 3

Of course you can! According to Strong Parameters's official Docs(https://github.com/rails/strong_parameters), you can disable by adding below codes to your config/application.rb:

config.active_record.whitelist_attributes = false

It works for me in rails 3.2

Answer 4

Turning off attribute protection is almost always a bad idea.

With that obligatory note out of the way, here's how to turn it off:

config.action_controller.permit_all_parameters = true

Place this in config/application.rb

Answer 5

If by "disable" you mean falling back to Rails 3-style attr_accessible lines, then yes.

Just use the protected_attributes gem.

Answer 6

I don't think so.

DHH comments here on this pull request to add a disable switch to strong parameters

All this is a legacy concern anyway soon as Rails 4.0 will force strong parameters on everyone and you won't be able to turn it off.