Rails 7 expands the payload of unpermitted_parameters.action_controller to allow
developers to know which controller and action received the unpermitted parameters.
Before
In earlier versions of Rails, when unpermitted parameters are found in a request, the logs list only the unpermitted keys. They do not give developers enough information to tell which controller and action received the unpermitted parameters.
Consider the following code,
where we have a User with the name, email, and role attributes,
and we permit only the name and email attributes.
request_params = { user: { name: "Francesco", email: "[email protected]", role: "admin" } }
params = ActionController::Parameters.new(request_params)
params.permit(user: [:name, :email])
# Unpermitted parameter: :role

We can see that the log reports only the unpermitted key, with no information about the controller and action that received the unpermitted parameters.
After
Rails 7 allows callers to specify a context with the controller, action, request, and param keys,
and this context is included in the logging payload.
It modifies ActionController::Parameters to accept the context as a parameter.
context = { controller: self.class.name, action: action_name }
request_params = { user: { name: "Francesco", email: "[email protected]", role: "admin" } }
params = ActionController::Parameters.new(request_params, context)
params.permit(user: [:name, :email])
# Unpermitted parameter: :role. Context: { controller: UsersController, action: create }

We can see that, along with the unpermitted parameter,
the context is also logged, containing the controller
and action keys.
When no context is given, an empty context is included in
the payload.
request_params = { user: { name: "Francesco", email: "[email protected]", role: "admin" } }
params = ActionController::Parameters.new(request_params)
params.permit(user: [:name, :email])
# Unpermitted parameter: :role. Context: { }

Note: This change expects the caller to provide logging context.
To know more about this change, refer to this PR.
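
One way to put the expanded payload to use is an initializer-style subscriber that records which controller and action received unpermitted keys and raises the severity when a privilege-bearing key such as role is among them. This is an added example, not code from Rails or from the PR; the SENSITIVE_KEYS list, the unpermitted_params_record helper and the sample payloads are assumptions made for illustration.

```ruby
require "set"
require "json"

# Assumption: keys this hypothetical application treats as privilege-bearing.
SENSITIVE_KEYS = Set["role", "admin", "is_admin"].freeze

# Turns one event payload ({ keys: [...], context: {...} }) into a log record.
# An empty or missing context (the "no context" case above) yields "unknown".
def unpermitted_params_record(payload)
  context = payload[:context] || {}
  keys    = Array(payload[:keys]).map(&:to_s)
  flagged = keys.select { |key| SENSITIVE_KEYS.include?(key) }
  {
    controller: context[:controller] || "unknown",
    action:     context[:action] || "unknown",
    keys:       keys,
    sensitive:  flagged,
    severity:   flagged.empty? ? :info : :warn
  }
end

# Inside a Rails 7 app this subscribes to the real event; it is skipped when
# the file is run stand-alone. The event is only emitted when
# ActionController::Parameters.action_on_unpermitted_parameters is :log.
if defined?(Rails) && defined?(ActiveSupport::Notifications)
  ActiveSupport::Notifications.subscribe("unpermitted_parameters.action_controller") do |event|
    record = unpermitted_params_record(event.payload)
    Rails.logger.public_send(record[:severity], "unpermitted_parameters #{record.to_json}")
  end
end

# Constructed payloads mirroring the two cases shown in the article.
SAMPLE_WITH_CONTEXT = {
  keys: ["role"],
  context: { controller: "UsersController", action: "create" }
}.freeze
SAMPLE_NO_CONTEXT = { keys: ["role"], context: {} }.freeze

if __FILE__ == $PROGRAM_NAME
  puts unpermitted_params_record(SAMPLE_WITH_CONTEXT).to_json
  puts unpermitted_params_record(SAMPLE_NO_CONTEXT).to_json
end
```
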
