Cancan strong parametersCancan and Strong Parameters does not play nice together straight out of the box. However, liuckily it is not hard to get them to do so.

Strong Parameters

The new Strong Parameters gem is included by default in Rails 4, and available as an optional gem for Rails 3 here. Strong Parameters is a big step forward from the now-all-but-deprecated attr_accessible method. (For more information on the issues with attr_accessible, see this Railscast.)

The main benefit of Strong Parameters is that they are built with controller actions in mind, This means that Rails now recognises that different controllers and people should have access to different fields on our models.

CanCan and ActiveModel::ForbiddenAttributes


Here comes, then, the problem: CanCan’s load_and_authorize_resource method clashes with Strong Parameters, because of this line in CanCan:

resource = || {})

There is nothing wrong with this line – it is a wonderful line, that, unfortunately, clashes with Strong Parameters. This is because it uses the [Model Class].new, without using permitted parameters. Therefore, you get an ActiveModel::ForbiddenAttributes error right at the beginning of you controller action.
Luckily, there is a solution:

The solution – CanCanCan

The solution to the clash between CanCan and Strong Parameters comes in the form of the wonderful community-driven continuation of Ryan’s amazing work, in the form of the Gem CanCanCan, which has the same public api as CanCan, and among other things adds the possibility of adding a private method, defining permitted params, like so:


  def create_params
    params.permit(:my_awesome, :parameters, :here)

By naming convention, this method will be used for the create controller action.

Read more on this and other ways of playing nice with Strong Parameters on the CanCanCan Wiki here.

Workarounds for good old CanCan

If you do not have the option of switching to CanCanCan, some other workarounds are described here