Adds support for adding multiple sets of attr_accessible attributes, and for specifying accessible attributes in associated models for nested forms.
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.



mass_assignment_fu is a Rails ActiveRecord plugin that allows you to protect attributes from mass assignment like attr_accessible, but with multiple sets of rules and the ability to set rules for nested models. This allows for role or application state based protection for your models.

You can use mass_assignment_fu in conjunction with Rails' attr_accessible and attr_protected. Attributes that are attr_accessible are considered globally writable, and mass_assignment_fu will not filter assignments to them. Using attr_protected has no effect when using mass_assignment_fu to update models since everything is protected by default, unless you specify that it should be accessible, in which case it overrides attr_protected. Keep in mind that attr_accessible_for rules are only enforced when using create_for and update_attributes_for, and not when using create, update, update_attributes, or any other rails builtin methods. attr_protected is still useful for protecting the model against mass assignment from Rails' update_attributes.

Quick Start


class Student < ActiveRecord::Base
  has_many :grades
  has_one :profile

  # Can update full_name, preferred_name, and only the override_letter_grade attribute of the grades
  attr_accessible_for :administrator, [:full_name, :preferred_name, { :grades_attributes => [:override_letter_grade] }]

  # Can update any profile attribute or delete the profile.
  attr_accessible_for :student, [:preferred_name, { :profile_attributes => :all }]

  # Delegates to Grade's attr_accessible_for :teacher
  attr_accessible_for :teacher, :grades_attributes

class Grade < ActiveRecord::Base
  belongs_to :student

  attr_accessible_for :teacher, [:class_id, :honors, :number_grade, :letter_grade]



class StudentsController << ActionController::Base
  def update
    @student = Student.find params[:id]
    @student.update_for current_user.role, params[:student]


Silly mass update form example
<% form_for @student do |f| %>
  Full Name: <%= f.text_field :full_name %>
  Preferred Name: <%= f.text_field :preferred_name %>

  <% fields_for @student.grades do |gf| %>
  <% end %>

  <% fields_for @student.profile do |pf| %>
  <% end %>
<% end %>

The params for this form might look something like: { 'student' => { 'full_name' => 'Joey Baker', 'preferred_name' => 'Joey', 'grades_attributes' => { '1' => { 'class_id' => '5035', 'letter_grade' => 'A' } }, 'profile_attributes' => { 'favorite_sport' => 'quiddich' } } }


In your models:

attr_accessible_for(fieldset_name, field_list)

  • fieldset_name: a name for the set of updatable fields
  • field_list: an array of attributes and associations that can be updated. Associations can take the form:
    • :foo - Delegate which fields can be updated on the foo association to the associated Foo model. Everything is restricted that is not explicitly allowed with attr_accessible or attr_accessible_for. In the case of attr_accessible_for, it checks for a fieldset with the same name.
    • {:foo => :all} - Make all attributes on Foo updatable, include "_destroy".
    • {:foo => [:attr1, :attr2]} - Make the given list of attributes on Foo updatable.
    • {:foo => [:attr1, :attr2, {:bar => :all}]} - Foo's associations can also be updated.

In your controllers, update the model using the filters specified in your model with attr_accessible_for.

update_for(fieldset_name, attributes_hash)
update_for!(fieldset_name, attributes_hash)
create_for(fieldset_name, attributes_hash)
create_for!(fieldset_name, attributes_hash)

You can also pass in an array of allowed fields instead of a rule name:

update_for(field_list, attributes_hash)

Copyright (c) 2010 SciMed Solutions, released under the MIT license