
strong parameters permit all attributes for nested attributes


The only situation I have encountered where permitting arbitrary keys in a nested params hash seems reasonable to me is when writing to a serialized column. I've managed to handle it like this:

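    class Post < ActiveRecord::Base
      # Store the options hash as JSON in a single column
      serialize :options, JSON
    end

    class PostsController < ApplicationController
      # ...

      def post_params
        # permit! marks every key under :options as permitted;
        # try returns nil when no :options key was submitted
        all_options = params.require(:post)[:options].try(:permit!)
        params.require(:post).permit(:title).merge(:options => all_options)
      end
    end

try makes sure we do not require the presence of an :options key.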


Actually there is a way to just white-list all nested parameters.

    params.require(:lever).permit(:name).tap do |whitelisted|
      whitelisted[:lever_benefit_attributes] = params[:lever][:lever_benefit_attributes]
    end

This method has an advantage over other solutions: it allows permitting deeply nested parameters.

While other solutions like:

    nested_keys = params.require(:lever).fetch(:lever_benefit_attributes, {}).keys
    params.require(:lever).permit(:name, :lever_benefit_attributes => nested_keys)

Don't.


Source:

https://github.com/rails/rails/issues/9454#issuecomment-14167664


First, make sure that you really want to allow all values in a nested hash. Read through Damien MATHIEU's answer to understand the potential opening of security holes...

If you still need/want to allow all values in a hash (there are perfectly valid use cases for this, e.g. storing unstructured, user-provided metadata for a record), you can achieve it using the following bits of code:

    def lever_params
      nested_keys = params.require(:lever).fetch(:lever_benefit_attributes, {}).keys
      params.require(:lever).permit(:name, :lever_benefit_attributes => nested_keys)
    end

Note: This is very similar to tf.'s answer but a bit more elegant since you will not get any Unpermitted parameters: lever_benefit_attributes warnings/errors.
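For the serialized-column and unstructured-metadata cases mentioned in the answers above, here is an added example (not code from any of the answers) that bounds a permit-everything hash before it is stored. The name `sanitize_options`, the limits, and the key format are assumptions for illustration, and the input is assumed to be a plain Hash such as the one `to_unsafe_h` returns in a controller.

```ruby
# Added example: bound a "permit everything" hash before storing it.
# All limits and names below are assumptions chosen for illustration.
MAX_DEPTH  = 3       # levels of Hash/Array nesting accepted
MAX_NODES  = 50      # total hash keys + array elements accepted
MAX_STRING = 1_000   # bytes per string value
KEY_FORMAT = /\A[A-Za-z0-9_]{1,64}\z/
SCALARS    = [String, Integer, Float, TrueClass, FalseClass, NilClass].freeze

class UnsafeOptions < StandardError; end

# Returns a copy with string keys, or raises UnsafeOptions.
def sanitize_options(value, depth = 0, budget = { nodes: 0 })
  case value
  when Hash, Array
    raise UnsafeOptions, "nested deeper than #{MAX_DEPTH}" if depth >= MAX_DEPTH
    budget[:nodes] += value.size
    raise UnsafeOptions, "more than #{MAX_NODES} entries" if budget[:nodes] > MAX_NODES
    if value.is_a?(Array)
      value.map { |item| sanitize_options(item, depth + 1, budget) }
    else
      value.each_with_object({}) do |(key, item), clean|
        key = key.to_s
        raise UnsafeOptions, "bad key #{key.inspect}" unless key.match?(KEY_FORMAT)
        clean[key] = sanitize_options(item, depth + 1, budget)
      end
    end
  when *SCALARS
    if value.is_a?(String) && value.bytesize > MAX_STRING
      raise UnsafeOptions, "string longer than #{MAX_STRING} bytes"
    end
    value
  else
    # Symbols, Time, uploaded files and other objects are refused outright.
    raise UnsafeOptions, "unsupported type #{value.class}"
  end
end

# Constructed sample input, standing in for params[:post][:options].
SAMPLE = { theme: "dark", "tags" => %w[a b], layout: { cols: 2 } }.freeze
```

The keys are still arbitrary, but the size, depth and value types of what reaches the serialized column are not.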