Ruby-on-rails 如何过滤rails中的参数?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/7232554/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to filter parameters in rails?
提问by chrishomer
Rails has built in log filtering so you don't log passwords and credit cards. Works great for that but when you want to trigger a custom log (like to email) and send your own params or other data along with it, the parameters are obviously not auto-filtered. I have been digging and trying to find this in the rails source but have had no luck so far.
Rails 内置了日志过滤功能,因此您无需记录密码和信用卡信息。对此非常有用,但是当您想要触发自定义日志(例如通过电子邮件发送)并随同发送您自己的参数或其他数据时,这些参数显然不会被自动过滤。我一直在挖掘并试图在 rails 源代码中找到它,但到目前为止还没有运气。
I have configured rails to filter parameters as follows and it works properly for keeping the data out of rails logs:
我已将 rails 配置为过滤参数,如下所示,它可以正常工作以将数据保留在 rails 日志之外:
config.filter_parameters += [:password, :password_confirmation, :credit_card]
How would you filter sensitive data from the params hash before dumping it into an email, api call or custom (non-rails) log?
在将敏感数据转储到电子邮件、api 调用或自定义(非 Rails)日志之前,您将如何从 params 哈希中过滤敏感数据?
采纳答案by tadman
You can always use the exceptmethod:
您始终可以使用以下except方法:
params.except(:password, :password_confirmation, :credit_card)
That will exclude them from the listing. To "filter" them you could try this approach.
这会将它们从列表中排除。要“过滤”它们,您可以尝试这种方法。
回答by davegson
Rails 4+
导轨 4+
Sidenote for filtering the log in Rails 4+: The config.filter_parametershas been moved from application.rb to it's own initializer.
在 Rails 4+ 中过滤日志的旁注:config.filter_parameters已从 application.rb 移动到它自己的初始化程序。
config/initializers/filter_parameter_logging.rb
配置/初始化程序/filter_parameter_logging.rb
Rails.application.config.filter_parameters += [:password]
回答by chrishomer
tadman answered correctly but here is some additional info:
tadman 回答正确,但这里有一些附加信息:
In application.rb
在 application.rb 中
config.filter_parameters += [:password, :password_confirmation, :credit_card]
Wherever you are doing custom logging:
无论您在哪里进行自定义日志记录:
f = ActionDispatch::Http::ParameterFilter.new(Rails.application.config.filter_parameters)
f.filter :order => {:credit_card => "4111111111111111"}
=> {:order=>{:credit_card=>"[FILTERED]"}}
回答by Lester Celestial
If you are inside a rails controller method, why not just call request.filtered_parameters?
如果您在 rails 控制器方法中,为什么不直接调用request.filtered_parameters?
It is always a good choice to use what is already provided. Cheers!
使用已经提供的东西总是一个不错的选择。干杯!
回答by Benjamin Crouzier
Just to add on @tadman answer:
只是添加@tadman 答案:
When using except, beware that it will remove only top-level keys of your parameters, eg:
使用时except,请注意它只会删除参数的顶级键,例如:
params = {
search_query: 'foobar',
secret_key1: 'SENSITIVE_KEY_1',
auth_info: {secret_key_2: 'SENSITIVE_KEY2'}
}
params.except(:secret_key1, :secret_key2)
=> {:search_query=>"foobar", :auth_info=>{:secret_key_2=>"SENSITIVE_KEY2"}}
Using request.filtered_parameterswill filter both of those keys if they are in config/application.rb
request.filtered_parameters如果它们在 config/application.rb 中,Using将过滤这两个键
config.filter_parameters += [:password]
