attr_accessible(*names)

public

Specifies a white list of model attributes that can be set via mass-assignment.

This is the opposite of the attr_protected macro: mass-assignment will only set attributes in this list; to assign the remaining attributes you use the direct writer methods. This is meant to protect sensitive attributes from being overwritten by malicious users tampering with URLs or forms. If you'd rather start from an all-open default and restrict attributes as needed, have a look at attr_protected.

class Customer
  include ActiveModel::MassAssignmentSecurity

  attr_accessor :name, :credit_rating
  attr_accessible :name

  def attributes=(values)
    sanitize_for_mass_assignment(values).each do |k, v|
      send("#{k}=", v)
    end
  end
end

customer = Customer.new
customer.attributes = { :name => "David", :credit_rating => "Excellent" }
customer.name          # => "David"
customer.credit_rating # => nil

customer.credit_rating = "Average"
customer.credit_rating # => "Average"

Note that using Hash#except or Hash#slice in place of attr_accessible to sanitize attributes won’t provide sufficient protection.
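As an added, self-contained illustration (not ActiveModel's own code; the module name AllowList and its method names are assumptions for this example), the pure-Ruby reimplementation below shows what sanitize_for_mass_assignment does with a tampered parameter hash, generalises the white list to per-role lists (the as: option that the notes below use) and to an empty list (nothing mass-assignable), and contrasts it with a Hash#except-style deny list, which lets a newly added sensitive attribute straight through:

```ruby
require "set"

# Illustrative stand-in for ActiveModel::MassAssignmentSecurity (assumed name,
# not the real module): a per-role white list plus a sanitizer that drops
# every key not on the list for the requesting role.
module AllowList
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # attr_accessible(*names, as: role): allow these attributes for `role`
    # (:default when no role is given). Calling it with no names yields an
    # empty list, i.e. nothing is mass-assignable for that role.
    def attr_accessible(*names)
      options = names.last.is_a?(Hash) ? names.pop : {}
      role = options.fetch(:as, :default)
      accessible_attributes(role).merge(names.map(&:to_sym))
    end

    # Roles that were never configured get an empty set: default deny.
    def accessible_attributes(role = :default)
      @accessible_attributes ||= Hash.new { |h, k| h[k] = Set.new }
      @accessible_attributes[role]
    end
  end

  # Keep only the white-listed keys. String and symbol keys are treated the
  # same way, because request parameters arrive as strings.
  def sanitize_for_mass_assignment(values, role = :default)
    allowed = self.class.accessible_attributes(role)
    values.select { |key, _| allowed.include?(key.to_sym) }
  end

  def assign_attributes(values, role = :default)
    sanitize_for_mass_assignment(values, role).each do |key, value|
      public_send("#{key}=", value)
    end
    self
  end
end

class Customer
  include AllowList
  attr_accessor :name, :email, :credit_rating, :admin

  attr_accessible :name, :email                              # any request
  attr_accessible :name, :email, :credit_rating, as: :admin  # staff only
end

# A model that calls attr_accessible with no names: nothing can be mass-assigned.
class Locked
  include AllowList
  attr_accessor :name
  attr_accessible
end

# Constructed request parameters: a tampered form that adds two fields the
# submitting user must not control.
TAMPERED_PARAMS = {
  "name" => "David", "email" => "david@example.com",
  "credit_rating" => "Excellent", "admin" => true
}.freeze

def whitelist_result(role = :default)
  Customer.new.assign_attributes(TAMPERED_PARAMS, role)
end

# The deny-list approach the documentation warns against (Hash#except-style):
# it strips only the keys the developer remembered. The `admin` flag, added
# to the model later, is not on the deny list and goes straight through.
def denylist_result
  customer = Customer.new
  TAMPERED_PARAMS.reject { |key, _| key == "credit_rating" }.each do |key, value|
    customer.public_send("#{key}=", value)
  end
  customer
end

if __FILE__ == $PROGRAM_NAME
  c = whitelist_result
  puts "white list, default role: rating=#{c.credit_rating.inspect} admin=#{c.admin.inspect}"
  a = whitelist_result(:admin)
  puts "white list, admin role:   rating=#{a.credit_rating.inspect} admin=#{a.admin.inspect}"
  d = denylist_result
  puts "deny list (except):       rating=#{d.credit_rating.inspect} admin=#{d.admin.inspect}"
end
```

The point of the deny-list comparison is the one the documentation makes: a white list only ever grows when a developer deliberately adds a name, whereas a deny list silently stops covering the model as soon as a new column such as `admin` is introduced.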

Notes (3)

Don't allow mass assignments on model

skalee · Sep 28, 2012 · 1 thank

Replying to elfo's comment, you can achieve it more easily; just add the following line to /config/application.rb:

config.active_record.whitelist_attributes = true

All attributes in all models will be mass assignment protected by default. You can still use attr_accessible or attr_protected to override it.

Don't allow mass assignments on model

elfo · Sep 5, 2012

To block all mass assignments on a model, it's as simple as having an empty list of accessible attributes. Example:

class Users < ActiveRecord::Base
  attr_accessible # no names: the white list is empty, so nothing is mass-assignable
end

Don't mix attr_accessible and attr_protected within single class.

skalee · Sep 28, 2012

Don't use constructs like this one; they won't work:

class User < ActiveRecord::Base
  attr_accessible :name
  attr_protected :id, :password_digest, :created_at, :updated_at, as: :admin
end

Instead, use the same method for all roles:

class User < ActiveRecord::Base
  attr_accessible :name
  attr_accessible :name, :login, as: :admin
end

You may want to add the following to your /config/initializers:

class ActiveRecord::Base
  class << self
    alias :original_inherited :inherited

    # Runs once for every model class that is defined: start from an empty
    # white list (nothing mass-assignable by default) and let the :admin
    # role set every column except the ones that must never come from a
    # request. attr_accessible takes the names as separate arguments, so
    # the array is splatted.
    def inherited(subclass)
      original_inherited(subclass)
      subclass.attr_accessible
      subclass.attr_accessible(*(subclass.attribute_names.map(&:to_sym) - [:id, :created_at, :updated_at]), as: :admin)
    end
  end
end