method

attr_accessible

Importance_3
v3.0.0 - Show latest stable - 3 notes - Class: ActiveModel::MassAssignmentSecurity::ClassMethods
attr_accessible(*names) public

Specifies a white list of model attributes that can be set via mass-assignment.

This is the opposite of the attr_protected macro: Mass-assignment will only set attributes in this list, to assign to the rest of attributes you can use direct writer methods. This is meant to protect sensitive attributes from being overwritten by malicious users tampering with URLs or forms. If you’d rather start from an all-open default and restrict attributes as needed, have a look at attr_protected.

  class Customer
    include ActiveModel::MassAssignmentSecurity

    attr_accessor :name, :credit_rating
    attr_accessible :name

    def attributes=(values)
      sanitize_for_mass_assignment(values).each do |k, v|
        send("#{k}=", v)
      end
    end
  end

  customer = Customer.new
  customer.attributes = { :name => "David", :credit_rating => "Excellent" }
  customer.name          # => "David"
  customer.credit_rating # => nil

  customer.credit_rating = "Average"
  customer.credit_rating # => "Average"

Note that using Hash#except or Hash#slice in place of attr_accessible to sanitize attributes won’t provide sufficient protection.

Show source
Register or log in to add new notes.
September 28, 2012
1 thank

Don't allow mass assignments on model

Replying to elfo’s comment, you can achieve it easier, just add following line to `/config/application.rb`.

config.active_record.whitelist_attributes = true

All attributes in all models will be mass assignment protected by default. You can still use attr_accessible or attr_protected to override it.

September 5, 2012 - (>= v3.0.0)
0 thanks

Don't allow mass assignments on model

To block all mass assignments on a model, it’s as simple as having an empty list of accessible attributes.

example
class Users < ActiveRecord::Base
   attr_accessible #none
end
September 28, 2012 - (>= v3.0.0)
0 thanks

Don't mix attr_accessible and attr_protected within single class.

Don’t use constructs like this one, they won’t work:

class User < ActiveRecord::Base
  attr_accessible :name
  attr_protected :id, :password_digest, :created_at, :updated_at, as: :admin
end

Instead, use the same method for all roles:

class User < ActiveRecord::Base
  attr_accessible :name
  attr_accessible :name, :login, as: :admin
end

You may want to add following to your `/config/initializers`:

class ActiveRecord::Base
  class << self
    alias :original_inherited :inherited
    def inherited subclass
      original_inherited subclass
      subclass.attr_accessible
      subclass.attr_accessible(subclass.attribute_names.map(&:to_sym) - [:id, :created_at, :updated_at], as: :admin)
    end
  end
end