Devise and Strong Parameters
Update for devise 4.x
class ApplicationController < ActionController::Base
before_filter :configure_permitted_parameters, if: :devise_controller?
protected
def configure_permitted_parameters
devise_parameter_sanitizer.permit(:sign_up, keys: [:username])
devise_parameter_sanitizer.permit(:sign_in, keys: [:username])
devise_parameter_sanitizer.permit(:account_update, keys: [:username])
end
end
After adding both gems, devise will work as normal.
Update: With the latest version of Devise 3.x, as described at devise#strong-parameters, the authentication key (normally the email field), and the password fields are already permitted. However, if there are any additional fields on the signup form, you will need to let Devise know the extra fields to permit. The easiest way to do this is with a filter:
class ApplicationController < ActionController::Base
before_filter :configure_permitted_parameters, if: :devise_controller?
protected
def configure_permitted_parameters
devise_parameter_sanitizer.for(:sign_up) << :username
end
end
For Devise 2.x, if you use the safety feature requiring explicitly whitelisting tainted parameters in the user model:
include ActiveModel::ForbiddenAttributesProtection
the changes needed are found at https://gist.github.com/3350730 which overrides some of the controllers.
The easy way is to add a simple before filter in your ApplicationController. If you have different roles and/or other more complex scenario there are other options on the link below:
https://github.com/plataformatec/devise#strong-parameters
before_filter :configure_sanitized_params, if: :devise_controller?
def configure_sanitized_params
devise_parameter_sanitizer.for(:sign_up) { |u| u.permit(:firstname, :designation_id, :middlename, :previous_experiance_year, :previous_experiance_month, :lastname, :email, :username, :password, :password_confirmation, :previous_experiance, :empid, :dob, :timezone, :doj, :gender, :education, :comments, :locked, :deactivated, :reason, :phone, :deactivated_date, :image) }
devise_parameter_sanitizer.for(:account_update) { |u| u.permit(:remove_image, :firstname, :designation_id, :middlename, :lastname, :email, :username, :empid, :dob, :timezone, :doj, :gender, :education, :comments, :locked, :deactivated, :reason, :phone, :deactivated_date, :image) }
end