attr_accessible

rails latest stable - Class: ActiveModel::MassAssignmentSecurity::ClassMethods

Method deprecated or moved

This method is deprecated or moved on the latest stable version. The last existing version (v3.2.13) is shown here.

attr_accessible(*args)
public

Specifies a white list of model attributes that can be set via mass-assignment.

Like attr_protected, a role for the attributes is optional; if no role is provided, :default is used. A role can be defined by using the :as option.

This is the opposite of the attr_protected macro: mass-assignment will only set attributes in this list; to assign the remaining attributes you can use direct writer methods. This is meant to protect sensitive attributes from being overwritten by malicious users tampering with URLs or forms. If you'd rather start from an all-open default and restrict attributes as needed, have a look at attr_protected.

class Customer
  include ActiveModel::MassAssignmentSecurity

  attr_accessor :name, :credit_rating

  attr_accessible :name
  attr_accessible :name, :credit_rating, :as => :admin

  def assign_attributes(values, options = {})
    sanitize_for_mass_assignment(values, options[:as]).each do |k, v|
      send("#{k}=", v)
    end
  end
end

When using the :default role:

customer = Customer.new
customer.assign_attributes({ "name" => "David", "credit_rating" => "Excellent", :last_login => 1.day.ago }, :as => :default)
customer.name          # => "David"
customer.credit_rating # => nil

customer.credit_rating = "Average"
customer.credit_rating # => "Average"

And using the :admin role:

customer = Customer.new
customer.assign_attributes({ "name" => "David", "credit_rating" => "Excellent", :last_login => 1.day.ago }, :as => :admin)
customer.name          # => "David"
customer.credit_rating # => "Excellent"

Note that using Hash#except or Hash#slice in place of attr_accessible to sanitize attributes provides basically the same functionality, but it makes it a bit tricky to deal with nested attributes.
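The two role walkthroughs above cannot be run without Rails 3.2, so the following is an added, dependency-free re-implementation of the same per-role white-list semantics (it is not ActiveModel's code). It places the open "assign every key" pattern the macro exists to replace next to the white-listed version, and feeds both a constructed parameter hash that carries an extra "admin" key no form exposed. RoleWhitelist, OpenCustomer, rejected_attributes and the other helper names are assumptions made for this illustration.

```ruby
# Added example (not ActiveModel code): a dependency-free re-implementation of
# the per-role white-list semantics described above, so the behaviour can be
# run without Rails. RoleWhitelist, OpenCustomer and the helper names below
# are illustrative assumptions.
require 'set'

# Constructed sample input: what a tampered form or URL might submit. The form
# only exposed "name", but the request also carries "credit_rating" and an
# "admin" flag that no request should be allowed to set.
TAMPERED_PARAMS = {
  "name"          => "David",
  "credit_rating" => "Excellent",
  "admin"         => "1",
}.freeze

module RoleWhitelist
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # attr_accessible(*names, :as => role): add names to the white list for
    # `role`; without an :as option the :default role is used.
    def attr_accessible(*names)
      options = names.last.is_a?(Hash) ? names.pop : {}
      role = options.fetch(:as, :default)
      accessible_attributes(role).merge(names.map(&:to_s))
    end

    # White list for a role; a role nobody configured yields an empty list,
    # i.e. nothing is mass-assignable under it.
    def accessible_attributes(role = :default)
      @accessible_attributes ||= {}
      @accessible_attributes[role] ||= Set.new
    end
  end

  # Keep only the keys white-listed for the role, mirroring the
  # sanitize_for_mass_assignment call in the documentation above.
  def sanitize_for_mass_assignment(attributes, role = nil)
    allowed = self.class.accessible_attributes(role || :default)
    attributes.select { |key, _| allowed.include?(key.to_s) }
  end

  # Keys that were submitted but dropped. Worth logging: a steady stream of
  # them from one client is a sign of deliberate parameter tampering.
  def rejected_attributes(attributes, role = nil)
    attributes.keys.map(&:to_s) -
      sanitize_for_mass_assignment(attributes, role).keys.map(&:to_s)
  end

  def assign_attributes(attributes, options = {})
    sanitize_for_mass_assignment(attributes, options[:as]).each do |key, value|
      send("#{key}=", value)
    end
    self
  end
end

# "Before": no white list, every submitted key is written through its setter.
class OpenCustomer
  attr_accessor :name, :credit_rating, :admin

  def assign_attributes(attributes)
    attributes.each { |key, value| send("#{key}=", value) }
    self
  end
end

# "After": the Customer from the documentation, plus an admin flag that is
# deliberately accessible under no role at all.
class Customer
  include RoleWhitelist
  attr_accessor :name, :credit_rating, :admin

  attr_accessible :name
  attr_accessible :name, :credit_rating, :as => :admin
end

def open_assignment
  OpenCustomer.new.assign_attributes(TAMPERED_PARAMS)
end

def default_role_assignment
  Customer.new.assign_attributes(TAMPERED_PARAMS, :as => :default)
end

def admin_role_assignment
  Customer.new.assign_attributes(TAMPERED_PARAMS, :as => :admin)
end

def dropped_for(role)
  Customer.new.rejected_attributes(TAMPERED_PARAMS, role)
end

if __FILE__ == $PROGRAM_NAME
  puts "open model:   admin=#{open_assignment.admin.inspect}"
  puts "default role: credit_rating=#{default_role_assignment.credit_rating.inspect}, dropped=#{dropped_for(:default).inspect}"
  puts "admin role:   credit_rating=#{admin_role_assignment.credit_rating.inspect}, dropped=#{dropped_for(:admin).inspect}"
end
```

Run it directly to see the three outcomes side by side: the open model ends up with admin set to "1", the :default role keeps only name, and the :admin role gains credit_rating but still never touches admin, because no role lists it. The rejected_attributes helper is the part worth carrying into real code: Rails 3.2 only logs dropped keys, and surfacing them per client makes tampering visible rather than silently ignored.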

3 Notes

Don't allow mass assignments on model

skalee · Sep 28, 2012 · 1 thank

Replying to elfo's comment, you can achieve it more easily: just add the following line to /config/application.rb.

config.active_record.whitelist_attributes = true

All attributes in all models will be mass-assignment protected by default. You can still use attr_accessible or attr_protected to override it.

Don't allow mass assignments on model

elfo · Sep 5, 2012

To block all mass assignments on a model, it's as simple as having an empty list of accessible attributes.

Example:

class Users < ActiveRecord::Base
  attr_accessible # none
end

Don't mix attr_accessible and attr_protected within a single class.

skalee · Sep 28, 2012

Don't use constructs like this one, they won't work:

class User < ActiveRecord::Base
  attr_accessible :name
  attr_protected :id, :password_digest, :created_at, :updated_at, as: :admin
end

Instead, use the same method for all roles:

class User < ActiveRecord::Base
  attr_accessible :name
  attr_accessible :name, :login, as: :admin
end

You may want to add the following to your /config/initializers:

class ActiveRecord::Base
  class << self
    alias :original_inherited :inherited

    # Every model starts with an empty :default white list (nothing
    # mass-assignable) and an :admin white list of all columns except
    # the id and the timestamps.
    def inherited(subclass)
      original_inherited(subclass)
      subclass.attr_accessible
      admin_attributes = subclass.attribute_names.map(&:to_sym) - [:id, :created_at, :updated_at]
      # splatted so each name is passed as its own argument
      subclass.attr_accessible(*admin_attributes, as: :admin)
    end
  end
end