Ruby on Rails latest stable (v5.2.3) - 3 notes - Class: ActiveModel::MassAssignmentSecurity::ClassMethods

Method deprecated or moved

This method is deprecated or moved on the latest stable version. The last existing version (v3.2.13) is shown here.

attr_accessible(*args) public

Specifies a white list of model attributes that can be set via mass-assignment.

Like attr_protected, a role for the attributes is optional, if no role is provided then :default is used. A role can be defined by using the :as option.

This is the opposite of the attr_protected macro: Mass-assignment will only set attributes in this list, to assign to the rest of attributes you can use direct writer methods. This is meant to protect sensitive attributes from being overwritten by malicious users tampering with URLs or forms. If you’d rather start from an all-open default and restrict attributes as needed, have a look at attr_protected.

class Customer
  include ActiveModel::MassAssignmentSecurity

  attr_accessor :name, :credit_rating

  attr_accessible :name
  attr_accessible :name, :credit_rating, :as => :admin

  def assign_attributes(values, options = {})
    sanitize_for_mass_assignment(values, options[:as]).each do |k, v|
      send("#{k}=", v)

When using the :default role:

customer = Customer.new
customer.assign_attributes({ "name" => "David", "credit_rating" => "Excellent", :last_login => 1.day.ago }, :as => :default)
customer.name          # => "David"
customer.credit_rating # => nil

customer.credit_rating = "Average"
customer.credit_rating # => "Average"

And using the :admin role:

customer = Customer.new
customer.assign_attributes({ "name" => "David", "credit_rating" => "Excellent", :last_login => 1.day.ago }, :as => :admin)
customer.name          # => "David"
customer.credit_rating # => "Excellent"

Note that using Hash#except or Hash#slice in place of attr_accessible to sanitize attributes provides basically the same functionality, but it makes a bit tricky to deal with nested attributes.

Show source
Register or log in to add new notes.
September 28, 2012
1 thank

Don't allow mass assignments on model

Replying to elfo’s comment, you can achieve it easier, just add following line to `/config/application.rb`.

config.active_record.whitelist_attributes = true

All attributes in all models will be mass assignment protected by default. You can still use attr_accessible or attr_protected to override it.

September 5, 2012 - (>= v3.0.0)
0 thanks

Don't allow mass assignments on model

To block all mass assignments on a model, it’s as simple as having an empty list of accessible attributes.

class Users < ActiveRecord::Base
   attr_accessible #none
September 28, 2012 - (>= v3.0.0)
0 thanks

Don't mix attr_accessible and attr_protected within single class.

Don’t use constructs like this one, they won’t work:

class User < ActiveRecord::Base
  attr_accessible :name
  attr_protected :id, :password_digest, :created_at, :updated_at, as: :admin

Instead, use the same method for all roles:

class User < ActiveRecord::Base
  attr_accessible :name
  attr_accessible :name, :login, as: :admin

You may want to add following to your `/config/initializers`:

class ActiveRecord::Base
  class << self
    alias :original_inherited :inherited
    def inherited subclass
      original_inherited subclass
      subclass.attr_accessible(subclass.attribute_names.map(&:to_sym) - [:id, :created_at, :updated_at], as: :admin)