The params in a controller looks like a Hash, but it’s actually an instance of ActionController::Parameters, which provides several methods such as require and permit.
The require method ensures that a specific parameter is present, and if it’s not provided, the require method throws an error. It returns an instance of ActionController::Parameters for the key passed into require.
The permit method returns a copy of the parameters object, returning only the permitted keys and values. When creating a new ActiveRecord model, only the permitted attributes are passed into the model.
It looks a lot like the whitelisting that was formerly included in ActiveRecord models, but it makes more sense for it to be in the controller.