Flowdock
method

attr_protected

Importance_2
v3.0.0 - Show latest stable - 0 notes - Class: ActiveModel::MassAssignmentSecurity::ClassMethods
attr_protected(*names) public

Attributes named in this macro are protected from mass-assignment whenever attributes are sanitized before assignment.

Mass-assignment to these attributes will simply be ignored, to assign to them you can use direct writer methods. This is meant to protect sensitive attributes from being overwritten by malicious users tampering with URLs or forms.

Example

  class Customer
    include ActiveModel::MassAssignmentSecurity

    attr_accessor :name, :credit_rating
    attr_protected :credit_rating

    def attributes=(values)
      sanitize_for_mass_assignment(values).each do |k, v|
        send("#{k}=", v)
      end
    end
  end

  customer = Customer.new
  customer.attributes = { "name" => "David", "credit_rating" => "Excellent" }
  customer.name          # => "David"
  customer.credit_rating # => nil

  customer.credit_rating = "Average"
  customer.credit_rating # => "Average"

To start from an all-closed default and enable attributes as needed, have a look at attr_accessible.

Note that using Hash#except or Hash#slice in place of attr_protected to sanitize attributes won’t provide sufficient protection.

Show source
Register or log in to add new notes.