attr_accessible
attr_accessible(*names)
public
Specifies a white list of model attributes that can be set via mass-assignment.
This is the opposite of the attr_protected macro: mass-assignment will only set attributes in this list; to assign the remaining attributes, use their writer methods directly. This is meant to protect sensitive attributes from being overwritten by malicious users tampering with URLs or forms. If you'd rather start from an all-open default and restrict attributes as needed, have a look at attr_protected.
  class Customer
    include ActiveModel::MassAssignmentSecurity

    attr_accessor :name, :credit_rating
    attr_accessible :name

    def attributes=(values)
      sanitize_for_mass_assignment(values).each do |k, v|
        send("#{k}=", v)
      end
    end
  end

  customer = Customer.new
  customer.attributes = { :name => "David", :credit_rating => "Excellent" }
  customer.name          # => "David"
  customer.credit_rating # => nil
  customer.credit_rating = "Average"
  customer.credit_rating # => "Average"
Note that using Hash#except or Hash#slice in place of attr_accessible to sanitize attributes won’t provide sufficient protection.
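The following is an added example, not code from the Rails documentation or from ActiveModel itself. It is a small, dependency-free re-implementation of the whitelist semantics described above (the module WhitelistAssignment, its methods and the User class are hypothetical names chosen for this illustration), so the behaviour can be run without ActiveModel installed. It also shows why the note about Hash#except matters: request parameters arrive with string keys, so `params.except(:admin)` silently leaves a tampered `"admin"` field in place, whereas a whitelist that normalises keys drops it regardless of key type. Role support (`as: :admin`) is included because the comments below rely on it.

```ruby
require "set"

# Added example (not from Rails/ActiveModel): minimal whitelist-based
# mass-assignment protection with per-role whitelists. Names are hypothetical.
module WhitelistAssignment
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Declare mass-assignable attributes for a role (default role :default),
    # mirroring attr_accessible(*names, as: role).
    def attr_accessible(*names)
      options = names.last.is_a?(Hash) ? names.pop : {}
      role = options.fetch(:as, :default)
      accessible_attributes(role).merge(names.map(&:to_s))
    end

    # Whitelist for a role; attributes are stored as strings so that
    # "admin" and :admin cannot be told apart by an attacker.
    def accessible_attributes(role = :default)
      @accessible ||= Hash.new { |h, k| h[k] = Set.new }
      @accessible[role]
    end
  end

  # Keep only keys on the role's whitelist; everything else is dropped.
  def sanitize_for_mass_assignment(attrs, role: :default)
    allowed = self.class.accessible_attributes(role)
    attrs.select { |k, _| allowed.include?(k.to_s) }
  end

  def assign_attributes(attrs, role: :default)
    sanitize_for_mass_assignment(attrs, role: role).each do |k, v|
      public_send("#{k}=", v)
    end
    self
  end
end

class User
  include WhitelistAssignment
  attr_accessor :name, :login, :admin

  attr_accessible :name                     # default role: only name
  attr_accessible :name, :login, as: :admin # admin role: name and login
end

# Constructed request parameters as a web framework hands them over:
# string keys, with a client-injected "admin" field that no form offered.
TAMPERED_PARAMS = { "name" => "David", "login" => "dhh", "admin" => true }.freeze

# The blacklist approach from the note: except(:admin) uses a symbol key,
# so the string-keyed "admin" survives and would reach the model.
def except_filter_leaks?
  filtered = TAMPERED_PARAMS.except(:admin)
  filtered.key?("admin")
end

# Whitelist approach: only role-permitted attributes are ever written.
def assign_as(role)
  User.new.assign_attributes(TAMPERED_PARAMS, role: role)
end

if __FILE__ == $PROGRAM_NAME
  puts "except(:admin) leaks string key: #{except_filter_leaks?}"
  u = assign_as(:default)
  puts "default role -> name=#{u.name.inspect} login=#{u.login.inspect} admin=#{u.admin.inspect}"
  a = assign_as(:admin)
  puts "admin role   -> name=#{a.name.inspect} login=#{a.login.inspect} admin=#{a.admin.inspect}"
end
```

Under the default role only `name` is written; under the `:admin` role `login` is also written; `admin` is never writable by mass-assignment for either role because no whitelist names it, which is exactly the property the blacklist in `except_filter_leaks?` fails to give.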
Don't allow mass assignments on model
Replying to elfo's comment, you can achieve it more easily; just add the following line to `/config/application.rb`.
config.active_record.whitelist_attributes = true
All attributes in all models will be mass assignment protected by default. You can still use attr_accessible or attr_protected to override it.
Don't allow mass assignments on model
To block all mass assignments on a model, it’s as simple as having an empty list of accessible attributes.
example
  class Users < ActiveRecord::Base
    attr_accessible # none
  end
Don't mix attr_accessible and attr_protected within single class.
Don’t use constructs like this one, they won’t work:
  class User < ActiveRecord::Base
    attr_accessible :name
    attr_protected :id, :password_digest, :created_at, :updated_at, as: :admin
  end
Instead, use the same method for all roles:
  class User < ActiveRecord::Base
    attr_accessible :name
    attr_accessible :name, :login, as: :admin
  end
—
You may want to add the following to your `/config/initializers`:
  class ActiveRecord::Base
    class << self
      alias :original_inherited :inherited

      def inherited(subclass)
        original_inherited subclass
        subclass.attr_accessible
        subclass.attr_accessible(subclass.attribute_names.map(&:to_sym) - [:id, :created_at, :updated_at], as: :admin)
      end
    end
  end