I've added Devise to my Rails 4 application, and successfully added username etc. to my User model. Furthermore, I'm able to store those fields using the lazy way™, i.e.

class ApplicationController < ActionController::Base
  before_filter :configure_permitted_parameters, if: :devise_controller?

  protected

    def configure_permitted_parameters
      devise_parameter_sanitizer.for(:sign_up) { |u| u.permit(:email, :password, :password_confirmation, :firstname, :middlename, :lastname) } 
    end
end

However, I tried

def configure_permitted_parameters
  devise_parameter_sanitizer.for(:sign_up) { |u| u.permit(:email, :password, :password_confirmation, :firstname, :middlename, :lastname) }
  devise_parameter_sanitizer.for(:edit) { |u| u.permit(:email, :password, :password_confirmation, :firstname, :middlename, :lastname) }
end

but that didn't work quite as expected (username not being stored when invoked by the edit action). Is there something else I need to do in order to get that to work? Thanks!

Once again, it was a matter of reading the manual ...

The magic word is :account_update and thus the working version becomes

def configure_permitted_parameters
  devise_parameter_sanitizer.for(:sign_up) { |u| u.permit(:email, :password, :password_confirmation, :firstname, :middlename, :lastname, :nickname) }
  devise_parameter_sanitizer.for(:account_update) { |u| u.permit(:email, :password, :password_confirmation, :current_password, :firstname, :middlename, :lastname, :nickname) }
end

Note that if you're in the business of signing in using non-standard parameters, the word you're looking for is :sign_in (as expected).

For Devise 4.1+

class ApplicationController < ActionController::Base    
  before_action :configure_permitted_parameters, if: :devise_controller?

  protected

  def configure_permitted_parameters
    devise_parameter_sanitizer.permit(:sign_up, keys: [:first_name, :last_name, :email])
    devise_parameter_sanitizer.permit(:account_update, keys: [:first_name, :last_name, :phone, :email, bank_attributes: [:bank_name, :bank_account]])
  end
end

The .for method is deprecated, now we use .permit

The first arg is the action name. :sign_up is for creating new Devise resources (such as users), and :account_update is for editing/updating the resource.

The second arg, :keys contains an array of the parameters you allow.

If you want nested_attributes, there is an example in :account_update, you put a separate array in with the key being <object>_attributes.

@conciliator is correct about the magic word is :account_update but here's the link to the documentation he alluded to http://rubydoc.info/github/plataformatec/devise/ Search for 'devise_parameter_sanitizer' and you'll see the following:

There are just three actions in Devise that allows any set of parameters to be passed down to the model, therefore requiring sanitization. Their names and the permitted parameters by default are:

sign_in (Devise::SessionsController#new) - Permits only the authentication keys (like email)
sign_up (Devise::RegistrationsController#create) - Permits authentication keys plus password and password_confirmation
account_update (Devise::RegistrationsController#update) - Permits authentication keys plus password, password_confirmation and current_password

def configure_permitted_parameters
  devise_parameter_sanitizer.for(:account_update) { |u| u.permit(:email,   :password, :password_confirmation, :current_password, :firstname, :middlename, :lastname, :nickname) }
end