rxcfc / selective_protection

Selectively allow mass assignment of normally protected ActiveRecord attributes.


SelectiveProtection

Overview

While attr_protected and attr_accessible are great for securing your Rails app, in some cases a bit more flexibility is desired. SelectiveProtection enables you to selectively allow mass assignment of normally protected attributes.

Requirements

My ProxyBlock gem:

gem install rxcfc-proxy_block

Usage

Example Classes

Note that no special setup is required


  class BlacklistProtected < ActiveRecord::Base
    attr_accessor :dangerous, :safe
    attr_protected :dangerous
  end
  
  class WhitelistProtected < ActiveRecord::Base
    attr_accessor :dangerous, :safe
    attr_accessible :safe
  end

Standard behavior is maintained


  bp = BlacklistProtected.new(:dangerous => "dangerous")
  bp.dangerous # => nil

  wp = WhitelistProtected.new(:dangerous => "dangerous")
  wp.dangerous # => nil

Proxy Form

  bp = BlacklistProtected.with_accessible(:dangerous).new(:dangerous => "dangerous")
  bp.dangerous # => "dangerous"

  wp = WhitelistProtected.with_accessible(:dangerous).new(:dangerous => "dangerous")
  wp.dangerous # => "dangerous"

Block Form


  BlacklistProtected.with_accessible(:dangerous) do
    bp = BlacklistProtected.new(:dangerous => "dangerous")
    bp.dangerous # => "dangerous"
  end
  
  WhitelistProtected.with_accessible(:dangerous) do
    wp = WhitelistProtected.new(:dangerous => "dangerous")
    wp.dangerous # => "dangerous"
  end

Associations


  class Parent < ActiveRecord::Base
    has_many :children
  end

  class Child < ActiveRecord::Base
    belongs_to :parent
    attr_protected :dangerous
  end

  p = Parent.new
  
  c1 = p.children.with_accessible(:dangerous) { p.children.build(:dangerous => "dangerous") }
  c1.dangerous # => "dangerous"
  
  c2 = p.children.with_accessible(:dangerous).build(:dangerous => "dangerous")
  c2.dangerous # => "dangerous"

Allow All Attributes

Passing :all as the only parameter will allow all attributes to be mass assigned.
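
The block form only keeps a model safe if protection comes back when the block ends, including when it raises. The following is an added sketch in plain Ruby, not the plugin's code and not a description of how SelectiveProtection is implemented; ProtectedModel and Account are hypothetical names, and the per-thread override is an assumption made for the example.

```ruby
# Plain-Ruby stand-in (no ActiveRecord); all class names here are hypothetical.
class ProtectedModel
  class << self
    # Blacklist declaration, analogous to attr_protected.
    def attr_protected(*names)
      protected_attrs.concat(names.map(&:to_sym))
    end

    def protected_attrs
      @protected_attrs ||= []
    end

    # Block form: lift protection for the named attributes (or :all) only
    # inside the block. The override is kept per thread and per class.
    def with_accessible(*names)
      key = :"accessible_override_#{object_id}"
      previous = Thread.current[key]
      Thread.current[key] = names.map(&:to_sym)
      yield
    ensure
      # Runs on normal exit and on exceptions, so protection always returns.
      Thread.current[key] = previous
    end

    def accessible_override
      Thread.current[:"accessible_override_#{object_id}"] || []
    end
  end

  # Mass assignment: protected attributes are dropped unless overridden.
  def initialize(attrs = {})
    override = self.class.accessible_override
    attrs.each do |name, value|
      name = name.to_sym
      blocked = self.class.protected_attrs.include?(name) &&
                !(override == [:all] || override.include?(name))
      next if blocked # silently dropped, so the attribute stays nil
      public_send("#{name}=", value)
    end
  end
end

class Account < ProtectedModel
  attr_accessor :name, :admin
  attr_protected :admin
end
```

The names passed to with_accessible are literals chosen in code; building that list from request parameters would hand the protection decision back to the caller.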

Credits

Author: Peter Wagenet (http://in.finitu.de)
Website: http://github.com/rxcfc/selective_protection