attr_accessible
- 1.0.0
- 1.1.6
- 1.2.6
- 2.0.3
- 2.1.0
- 2.2.1
- 2.3.8
- 3.0.0 (0)
- 3.0.9 (-1)
- 3.1.0 (12)
- 3.2.1 (0)
- 3.2.8 (1)
- 3.2.13 (0)
- 4.0.2
- 4.1.8
- 4.2.1
- 4.2.7
- 4.2.9
- 5.0.0.1
- 5.1.7
- 5.2.3
- 6.0.0
- 6.1.3.1
- 6.1.7.7
- 7.0.0
- 7.1.3.2
- 7.1.3.4
- What's this?
attr_accessible(*args)
public
Specifies a white list of model attributes that can be set via mass-assignment.
Like attr_protected, a role for the attributes is optional, if no role is provided then :default is used. A role can be defined by using the :as option.
This is the opposite of the attr_protected macro: Mass-assignment will only set attributes in this list, to assign to the rest of attributes you can use direct writer methods. This is meant to protect sensitive attributes from being overwritten by malicious users tampering with URLs or forms. If you’d rather start from an all-open default and restrict attributes as needed, have a look at attr_protected.
class Customer include ActiveModel::MassAssignmentSecurity attr_accessor :name, :credit_rating attr_accessible :name attr_accessible :name, :credit_rating, :as => :admin def assign_attributes(values, options = {}) sanitize_for_mass_assignment(values, options[:as]).each do |k, v| send("#{k}=", v) end end end
When using the :default role:
customer = Customer.new customer.assign_attributes({ "name" => "David", "credit_rating" => "Excellent", :last_login => 1.day.ago }, :as => :default) customer.name # => "David" customer.credit_rating # => nil customer.credit_rating = "Average" customer.credit_rating # => "Average"
And using the :admin role:
customer = Customer.new customer.assign_attributes({ "name" => "David", "credit_rating" => "Excellent", :last_login => 1.day.ago }, :as => :admin) customer.name # => "David" customer.credit_rating # => "Excellent"
Note that using Hash#except or Hash#slice in place of attr_accessible to sanitize attributes provides basically the same functionality, but it makes a bit tricky to deal with nested attributes.
Don't allow mass assignments on model
Replying to elfo’s comment, you can achieve it easier, just add following line to `/config/application.rb`.
config.active_record.whitelist_attributes = true
All attributes in all models will be mass assignment protected by default. You can still use attr_accessible or attr_protected to override it.
Don't allow mass assignments on model
To block all mass assignments on a model, it’s as simple as having an empty list of accessible attributes.
example
class Users < ActiveRecord::Base attr_accessible #none end
Don't mix attr_accessible and attr_protected within single class.
Don’t use constructs like this one, they won’t work:
class User < ActiveRecord::Base attr_accessible :name attr_protected :id, :password_digest, :created_at, :updated_at, as: :admin end
Instead, use the same method for all roles:
class User < ActiveRecord::Base attr_accessible :name attr_accessible :name, :login, as: :admin end
—
You may want to add following to your `/config/initializers`:
class ActiveRecord::Base class << self alias :original_inherited :inherited def inherited subclass original_inherited subclass subclass.attr_accessible subclass.attr_accessible(subclass.attribute_names.map(&:to_sym) - [:id, :created_at, :updated_at], as: :admin) end end end