Devise and Strong Parameters

Update for devise 4.x

class ApplicationController < ActionController::Base
  # before_action replaces before_filter, which was removed in Rails 5.1
  before_action :configure_permitted_parameters, if: :devise_controller?

  protected

  # Add :username to the keys Devise already permits for each action
  def configure_permitted_parameters
    devise_parameter_sanitizer.permit(:sign_up, keys: [:username])
    devise_parameter_sanitizer.permit(:sign_in, keys: [:username])
    devise_parameter_sanitizer.permit(:account_update, keys: [:username])
  end
end

After adding both gems, devise will work as normal.

Update: With the latest version of Devise 3.x, as described at devise#strong-parameters, the authentication key (normally the email field), and the password fields are already permitted. However, if there are any additional fields on the signup form, you will need to let Devise know the extra fields to permit. The easiest way to do this is with a filter:

class ApplicationController < ActionController::Base
  before_filter :configure_permitted_parameters, if: :devise_controller?

  protected

  def configure_permitted_parameters
    devise_parameter_sanitizer.for(:sign_up) << :username
  end
end

For Devise 2.x, if you use the safety feature requiring explicitly whitelisting tainted parameters in the user model:

include ActiveModel::ForbiddenAttributesProtection

the changes needed are found at https://gist.github.com/3350730 which overrides some of the controllers.

Strong parameters with Rails and Devise

Thanks for the latest updates on Rails4 branch of Devise, it doesn't really need to insert 'resource_params'.

I've created a brand new Rails4 app and followed basic Devise installation steps and my app works properly, so I think, you've done well.

But there is a modified gist which gives you some extra details in terms of permitted parameters if you need:

Source: https://gist.github.com/bluemont/e304e65e7e15d77d3cb9

# controllers/users/registrations_controller.rb
class Users::RegistrationsController < Devise::RegistrationsController

  before_filter :configure_permitted_parameters

  protected

  # my custom fields are :name, :heard_how
  def configure_permitted_parameters
    devise_parameter_sanitizer.for(:sign_up) do |u|
      u.permit(:name, :heard_how,
        :email, :password, :password_confirmation)
    end
    devise_parameter_sanitizer.for(:account_update) do |u|
      u.permit(:name,
        :email, :password, :password_confirmation, :current_password)
    end
  end
end

Using Strong Parameters With Devise

You should add a before_filter in your ApplicationController to do that. The Devise docs contain a section explaining this. I took the code below from there:

class ApplicationController < ActionController::Base
  before_action :configure_permitted_parameters, if: :devise_controller?

  protected

  def configure_permitted_parameters
    devise_parameter_sanitizer.for(:sign_up) << :username
  end
end

In the example, the attribute :username is allowed to be parsed in the sign_up page.

Changing strong params for Devise

Try this in your application_controller.rb:

before_action :configure_permitted_parameters, if: :devise_controller?

protected

def configure_permitted_parameters
  devise_parameter_sanitizer.for(:sign_in) { |u| u.permit(:username, :email, :password) }
end

Documentation: https://github.com/plataformatec/devise#strong-parameters

Strong parameters - Devise 3.0.0 and Rails 4. Unpermitted parameters: name

You have to add this in the controller where you have written User.create(user_params). I am assuming that is UsersController.

class UsersController < ApplicationController
  def create
    User.create(user_params)
  end

  private

  def user_params
    # assumption: user params are coming in params[:user]
    params.require(:user).permit(:name, :age, :and_other_params_you_want_to_allow)
  end
end

How to add strong parameters to multiple attributes of a Devise model?

If you scroll further down in your linked documentation on strong parameters, you should see how to permit multiple attributes:

def configure_permitted_parameters
  # Attributes are separated by commas
  devise_parameter_sanitizer.for(:sign_up) { |su| su.permit(:attribute, :attribute2) }
end

Adding custom parameters to devise registration - unpermitted parameters

Looks like you just need to tell devise which parameters should be permitted. By default, devise permits the email (or username depending on configuration), password and password_confirmation params. You just need to add more.

The devise documentation suggests a "lazy way" of setting this up.

class ApplicationController < ActionController::Base
  before_action :configure_permitted_parameters, if: :devise_controller?

  protected

  def configure_permitted_parameters
    devise_parameter_sanitizer.permit(:sign_up, keys: [:display_name])
  end
end

The documentation then says that

If you have nested attributes (say you're using accepts_nested_attributes_for), then you will need to tell devise about those nestings and types.

Only if you need to override the registrations#create action you should provide your custom route for devise. In that case, make sure you override the sign_up_params method too.

class Users::RegistrationsController < Devise::RegistrationsController
  def create
    # Your custom code here. Make sure you copy devise's functionality
  end

  private

  # Notice the name of the method
  def sign_up_params
    params.require(:user).permit(:display_name, :email, :password, :password_confirmation)
  end
end

In essence, you'd have to look into how your sign up form is posting the parameters to figure out how to configure strong parameters in the controller. Make sure you read on strong parameters syntax as well.

Hope it helps!
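
What the per-action allow-list does to a sign-up submission, as an added example that is not taken from any of the answers above or from Devise itself. It is a pure-Ruby stand-in: AllowListSanitizer, its default lists, the email authentication key and the sample hash are all assumptions made for illustration.

```ruby
# Simplified stand-in for a per-action parameter allow-list.
# Not Devise's code; class, constants and defaults are hypothetical.
class AllowListSanitizer
  AUTH_KEYS = %i[email].freeze # assumption: email is the authentication key

  # Assumed defaults, modelled on what the answers above say is permitted.
  DEFAULTS = {
    sign_in:        AUTH_KEYS + %i[password],
    sign_up:        AUTH_KEYS + %i[password password_confirmation],
    account_update: AUTH_KEYS + %i[password password_confirmation current_password]
  }.freeze

  def initialize
    @permitted = DEFAULTS.transform_values(&:dup)
  end

  # Same call shape as devise_parameter_sanitizer.permit(:sign_up, keys: [...]).
  def permit(action, keys: [], except: [])
    list = @permitted.fetch(action) { raise ArgumentError, "unknown action #{action}" }
    list.concat(keys.map(&:to_sym)).uniq!
    list.reject! { |k| except.map(&:to_sym).include?(k) }
    self
  end

  # Returns [kept, dropped]. kept is what would reach the model;
  # dropped is what Rails reports as "Unpermitted parameters".
  def sanitize(action, params)
    allowed = @permitted.fetch(action)
    kept, dropped = params.partition { |k, _| allowed.include?(k.to_sym) }
    [kept.to_h, dropped.map { |k, _| k.to_s }]
  end
end

# Constructed sign-up submission: one extra form field (username) plus
# two fields that are not on the form at all (admin, role).
SAMPLE_SIGN_UP = {
  "email" => "a@example.test", "password" => "s3cret-pass",
  "password_confirmation" => "s3cret-pass",
  "username" => "alice", "admin" => "1", "role" => "owner"
}.freeze

def demo
  s = AllowListSanitizer.new
  before = s.sanitize(:sign_up, SAMPLE_SIGN_UP)
  after  = s.permit(:sign_up, keys: [:username]).sanitize(:sign_up, SAMPLE_SIGN_UP)
  { before: before, after: after }
end
```

Permitting :username lets only that key through; admin and role stay dropped because the allow-list is additive per key, which is the reason to list keys explicitly rather than permit everything.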


