varvet / pundit

Minimal authorization through OO design and pure Ruby classes
MIT License

`unpermitted_attributes` #673

Closed deniciocode closed 2 years ago

deniciocode commented 3 years ago

As an engineer, I would like to disallow updates on specific attributes. Instead of allowing most of my attributes, I would like to say: you can update all, but not this one.

For example, if I have a model where the update has no restriction, but the model gets a new relation which should not be allowed to be updated, I need to allow all and remove this one attribute.

dgmstuart commented 2 years ago

Thanks for the comment. The way Rails allows you to control attributes is to specify the allowed params rather than deny specific params, since this is a good security practice.

To be honest, the `permitted_attributes` helper method is probably overstretching the scope of what Pundit should be responsible for, and if anything we'd consider removing that feature.
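To illustrate the allowlist-versus-denylist point raised in the reply above, here is an added example (not code from the pundit project or from either commenter): a Pundit-style policy whose `permitted_attributes` returns an allowlist, next to the denylist the issue asks for, run against a constructed params hash. The `User`, `Post`, `PostPolicy` classes and the attribute names are assumptions made for the example; it stands in for Rails' `params.permit` with a plain hash filter so it runs without Rails or the pundit gem.

```ruby
# Added example, not pundit's own code. Minimal stand-ins for a Rails model
# and for the policy convention Pundit's permitted_attributes helper relies on:
# it calls `policy.permitted_attributes` (or permitted_attributes_for_<action>)
# and hands the result to params.require(...).permit(...).
User = Struct.new(:id, :admin)
Post = Struct.new(:title, :body, :published, :author_id)

class PostPolicy
  attr_reader :user, :record

  def initialize(user, record)
    @user = user
    @record = record
  end

  # Allowlist: only these keys may be mass-assigned on update.
  # When Post later gains a new column (for example :author_id or :approved),
  # it stays unwritable until someone deliberately adds it here: fail closed.
  def permitted_attributes
    attrs = [:title, :body]
    attrs << :published if user.admin
    attrs
  end
end

# The denylist alternative requested in the issue: everything except :author_id.
# A column added after this list was written (:approved, say) is writable by
# default: fail open, which is why Rails and Pundit work from an allowlist.
DENIED_ATTRIBUTES = [:author_id].freeze

# Keep only allowed keys, the way ActionController::Parameters#permit would
# (simplified: flat hash, no nested or array parameters).
def permit(params, allowed)
  params.select { |key, _| allowed.include?(key.to_sym) }
end

def allowlist_filter(user, params)
  permit(params, PostPolicy.new(user, Post.new).permitted_attributes)
end

def denylist_filter(params)
  params.reject { |key, _| DENIED_ATTRIBUTES.include?(key.to_sym) }
end

# Constructed request: a later-added :approved column rides along with :author_id.
SAMPLE_PARAMS = { "title" => "Hello", "author_id" => 9, "approved" => true }.freeze
```

Running `denylist_filter(SAMPLE_PARAMS)` keeps `"approved"`, while `allowlist_filter(User.new(1, false), SAMPLE_PARAMS)` drops both unknown keys.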