rails · sdepold · Oct 13, 2015
diff --git a/README.md b/README.md
@@ -79,6 +79,26 @@ params.require(:token)
 params.require(:post).permit(:title)
 ```
 
+## Permitted parameter branches
+
+In some scenarios it can be useful to mark a branch of the parameter hash as trusted so that a key
+is just permitted independent from whether or not it's value is a scalar or matches a specific structure.
+You can express that trust like this:
+
+```
+params = ActionController::Parameters.new({
+  :id => 'foo',
+  :custom_json => {
+    :bar => 'baz',
+    :very => 'customizable'
+  }
+})
+params.permit({:custom_json => StrongParameters::ANY})
+
+# ==>
+# {:custom_json => {:bar => 'baz', :very => 'customizable'}}
+```
+
 ## Handling of Unpermitted Keys
 
 By default parameter keys that are not explicitly permitted will be logged in the development and test environment. In other environments these parameters will simply be filtered out and ignored.

diff --git a/lib/action_controller/parameters.rb b/lib/action_controller/parameters.rb
@@ -194,6 +194,9 @@ def hash_filter(params, filter)
           if filter[key] == []
             # Declaration {:comment_ids => []}.
             array_of_permitted_scalars_filter(params, key)
+          elsif filter[key] == ::StrongParameters::ANY
+            # Declaration {:custom_json => :*} or {:custom_json => StrongParameters::ANY}
+            params[key] = value
           else
             # Declaration {:user => :name} or {:user => [:name, :age, {:adress => ...}]}.
             params[key] = each_element(value) do |element, index|

diff --git a/lib/strong_parameters.rb b/lib/strong_parameters.rb
@@ -1,4 +1,5 @@
 require 'action_controller/parameters'
 require 'active_model/forbidden_attributes_protection'
+require 'strong_parameters/any'
 require 'strong_parameters/railtie'
 require 'strong_parameters/log_subscriber'
diff --git a/lib/strong_parameters/any.rb b/lib/strong_parameters/any.rb
@@ -0,0 +1,3 @@
+module StrongParameters
+  ANY = :*
+end
diff --git a/test/parameters_permit_test.rb b/test/parameters_permit_test.rb
@@ -346,4 +346,21 @@ def assert_filtered_out(params, key)
       assert !hash.permitted?
     end
   end
+
+  test "trusted values of nested parameters" do
+    params = ActionController::Parameters.new({
+      :resource => {
+        :id => 'foo',
+        :custom_json => {
+          :bar => 'baz',
+          :qux => {
+            :quux => 1
+          }
+        }
+      }
+    })
+    permitted = params.permit(:resource => [{ :custom_json => StrongParameters::ANY }])
+    assert_nil permitted[:resource][:id]
+    assert_not_nil permitted[:resource][:custom_json]
+  end
 end