What is `params.require(:person).permit(:name, :age)` doing in Rails 4?

The params in a controller looks like a Hash, but it's actually an instance of ActionController::Parameters, which provides several methods such as require and permit.

The require method ensures that a specific parameter is present, and if it's not provided, the require method throws an error. It returns an instance of ActionController::Parameters for the key passed into require.

The permit method returns a copy of the parameters object, returning only the permitted keys and values. When creating a new ActiveRecord model, only the permitted attributes are passed into the model.

It looks a lot like the whitelisting that was formerly included in ActiveRecord models, but it makes more sense for it to be in the controller.


To be more precise, when you create for eg. doing .new(...), there must be :person hash indicated by require and the person hash will only accept :name and :age indicated by permit.

Example:

.new(person: { name: "Bhojendra", age: 32 }) // okay
.new(person: { name: "Rauniyar" }) // okay
.new(person: { name: "Bhojendra", other: 'asdf' }) // not okay, other not permitted
.new(person: { full_name: "Bhojendra Rauniyar" }) // not okay, full_name not permitted
.new(detail: { name: "Bhojendra", age: 32 }) // not okay, must be person