Strong parameters

Strong parameters support has now been merged into master for the katello project. To get strong parameters on Rails 3.2, we're using the Rails strong_parameters gem. There's also some temporary code that will go away when we upgrade to Rails 4.

Right now, we're only using strong parameters in the V2 controllers; the other controllers have a before_filter that disables strong_parameters. With strong parameters in place, we will NOT be using param_rules anymore in the V2 code (although theoretically we could still use param_rules in addition to strong parameters).

strong_parameters forbids mass assignment from request parameters unless those parameters have been explicitly permitted. How do you permit parameters? Here's an example where only the name attribute on a user object is permitted:

@user.update_attributes!(params.permit(:name))

We're using wrap_parameters, though, so it would be something more like this:

@user.update_attributes(params[:user].permit(:name))

The :user node is automatically created by wrap_parameters. One thing to note, though, is that wrap_parameters doesn't run in tests, so you need to send {:user => {:name => "David"}} to the controller in the minitest yourself.

Another feature of strong_parameters is the ability to require parameters. This is done by calling 'params.require(:name)', which makes a :name attribute mandatory in the call. For more info about strong_parameters and its other features, see the README at https://github.com/rails/strong_parameters/. There's also information there about permitting different types, such as nested params.
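As an added example (not katello's code and not the strong_parameters gem itself), here is a small stand-alone Ruby model of require/permit that shows what the whitelist does to a request body carrying keys the controller never permitted. The Params class, its filter rules and the RAW request hash are constructed for this illustration and follow the README semantics linked above: a symbol permits a scalar, { key => [] } an array of scalars, { key => [:a, :b] } a nested hash.

```ruby
class ParameterMissing < StandardError; end

class Params
  def initialize(hash)
    @hash = hash
  end

  # require: fail unless key is present and non-blank; chainable like the gem.
  def require(key)
    value = @hash[key]
    raise ParameterMissing, "param is missing: #{key}" if value.nil? || value == {} || value == ""
    value.is_a?(Hash) ? Params.new(value) : value
  end

  # permit: return a new hash holding only whitelisted keys. Anything not
  # named in the filters (e.g. an injected :admin flag) is dropped.
  def permit(*filters)
    out = {}
    filters.each do |f|
      case f
      when Symbol, String
        out[f] = @hash[f] if @hash.key?(f) && scalar?(@hash[f])
      when Hash
        f.each do |key, sub|
          next unless @hash.key?(key)
          if sub == []
            out[key] = @hash[key].select { |v| scalar?(v) } if @hash[key].is_a?(Array)
          elsif @hash[key].is_a?(Hash)
            out[key] = Params.new(@hash[key]).permit(*sub)
          end
        end
      end
    end
    out
  end

  private

  def scalar?(v)
    v.is_a?(String) || v.is_a?(Numeric) || v == true || v == false || v.nil?
  end
end

# Constructed request body, nested under :user as wrap_parameters would do it.
# The :admin key, the nested :secret and the non-scalar email entry were never permitted.
RAW = { user: { name: "David", admin: true, emails: ["a@example.com", { evil: 1 }],
                address: { city: "Raleigh", zip: "27601", secret: "x" } } }

def permitted_user
  Params.new(RAW).require(:user).permit(:name, emails: [], address: [:city, :zip])
end
```

permitted_user returns only name, the scalar emails and the city/zip of address, which is the hash you would hand to update_attributes.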

Let me know if you have any further questions. To see some katello examples, look at api/v2/products_controller.rb or api/v2/environments_controller.rb.

David