attr_protected
- 1.0.0
- 1.1.6
- 1.2.6
- 2.0.3
- 2.1.0
- 2.2.1
- 2.3.8
- 3.0.0 (0)
- 3.0.9 (-1)
- 3.1.0 (13)
- 3.2.1 (0)
- 3.2.8 (1)
- 3.2.13 (0)
- 4.0.2
- 4.1.8
- 4.2.1
- 4.2.7
- 4.2.9
- 5.0.0.1
- 5.1.7
- 5.2.3
- 6.0.0
- 6.1.3.1
- 6.1.7.7
- 7.0.0
- 7.1.3.2
- 7.1.3.4
- What's this?
attr_protected(*args)
public
Attributes named in this macro are protected from mass-assignment whenever attributes are sanitized before assignment. A role for the attributes is optional, if no role is provided then :default is used. A role can be defined by using the :as option.
Mass-assignment to these attributes will simply be ignored, to assign to them you can use direct writer methods. This is meant to protect sensitive attributes from being overwritten by malicious users tampering with URLs or forms. Example:
class Customer include ActiveModel::MassAssignmentSecurity attr_accessor :name, :credit_rating attr_protected :credit_rating, :last_login attr_protected :last_login, :as => :admin def assign_attributes(values, options = {}) sanitize_for_mass_assignment(values, options[:as]).each do |k, v| send("#{k}=", v) end end end
When using the :default role :
customer = Customer.new customer.assign_attributes({ "name" => "David", "credit_rating" => "Excellent", :last_login => 1.day.ago }, :as => :default) customer.name # => "David" customer.credit_rating # => nil customer.last_login # => nil customer.credit_rating = "Average" customer.credit_rating # => "Average"
And using the :admin role :
customer = Customer.new customer.assign_attributes({ "name" => "David", "credit_rating" => "Excellent", :last_login => 1.day.ago }, :as => :admin) customer.name # => "David" customer.credit_rating # => "Excellent" customer.last_login # => nil
To start from an all-closed default and enable attributes as needed, have a look at attr_accessible.
Note that using Hash#except or Hash#slice in place of attr_protected to sanitize attributes won’t provide sufficient protection.