Simple dynamic configuration of mass-assignment security (attr_protected/attr_accessible)
Latest commit 6027e16 Jan 5, 2014 @attack Info: no longer maintained


This gem is no longer maintained.


Expose allows you to dynamically adjust the 'attr_accessible' or 'attr_protected' of a model. This is only for managing mass-assignment security, and not overall security.

Usage

The following would let you mass-assign :sometimes_important when the :state
is 'new' or 'pending'.

class Account < ActiveRecord::Base
  include Expose::Model

  # name:string
  # sometimes_important:string
  # state:string ... example [:new, :pending, :closed]

  # :if takes a callable that receives the record
  expose :sometimes_important,
    :if => lambda { |account| [:new, :pending].include?(account.state) }

  # same result as line above (just using)
  expose :sometimes_important, :state => [:new, :pending]

  # similar to line above
  expose :sometimes_important,
    :unless => lambda { |account| [:closed].include?(account.state) }

  # same as line above
  expose :sometimes_important, :not_state => :closed

  # using whitelist strategy
  attr_accessible :name

  # OR, using blacklist strategy
  # attr_protected :sometimes_important
end



This gem has only been tested with Rails 3.1.rc3, but should work with Rails 3.X. It only uses the hook :mass_assignment_authorizer.


This gem is in the early stages of development, so use at your own risk.

TODO

- add 'protect' version, which does the opposite of 'expose'
- maybe disable attr_protected. Using this gem shows an interest in
  mass-assignment security, so why not ensure use of a whitelist only?
- add controller version (so that session data can be used, i.e. the role of
  the logged-in user)
- add better error handling and option checking, maybe add some logging
- do not require ActiveRecord, but rather ActiveModel
- not require adding 'include Expose::Model'. When I do, the class variable
  '_exposures' is shared by all subclasses of ActiveRecord::Base, and each
  declared model then sees the same '_exposures'.

Installation

Install the gem:

gem install expose

Or add Expose to your Gemfile and bundle it up:

gem 'expose'

Options

'expose' handles a series of options. Those are:

  • :if - When it evaluates to true, the attribute will be added to the whitelist.

  • :unless - When it evaluates to false, the attribute will be added to the whitelist.

  • :state - When the record is in this state, the attribute will be added to the whitelist.

  • :not_state - When the record is not in this state, the attribute will be added to the whitelist.
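The following is an added example, not the gem's code: a plain-Ruby model of the check that the usage block above and the four options describe, with the whitelist evaluated per record at assignment time. The names Exposable, accessible, expose, exposed?, holds? and assign_attributes are assumptions for this example; no Rails or ActiveRecord is needed to run it.

```ruby
# Added example, not the gem's code: a plain-Ruby model of the check Expose
# performs in Rails' mass_assignment_authorizer hook. Assumed names:
# Exposable, accessible, expose, exposed?, holds?, assign_attributes.
module Exposable
  def self.included(base); base.extend(ClassMethods); end

  module ClassMethods
    # class instance variable, not a class variable, so subclasses never share one list (see TODO)
    def exposures; @exposures ||= []; end

    # expose :attr, :state => [...] / :not_state => ... / :if => proc / :unless => proc
    def expose(attr, opts = {}); exposures << [attr.to_sym, opts]; end

    # unconditional whitelist entry, the plain attr_accessible case
    def accessible(*attrs); attrs.each { |a| expose(a) }; end
  end

  # True when attr is mass-assignable for this record right now.
  def exposed?(attr)
    self.class.exposures.any? { |name, opts| name == attr.to_sym && holds?(opts) }
  end

  def holds?(opts)
    return opts[:if].call(self)                            if opts[:if]
    return !opts[:unless].call(self)                       if opts[:unless]
    return Array(opts[:state]).include?(state.to_sym)      if opts[:state]
    return !Array(opts[:not_state]).include?(state.to_sym) if opts[:not_state]
    opts.empty?   # no condition means always exposed; unknown keys expose nothing
  end

  # Mass assignment: keys that are not exposed are dropped (Rails 3 default)
  # and returned, so a caller can log the rejected keys.
  def assign_attributes(params)
    rejected = []
    params.each do |key, value|
      exposed?(key) ? send("#{key}=", value) : rejected << key.to_sym
    end
    rejected
  end
end

class Account
  include Exposable
  attr_accessor :name, :sometimes_important, :state
  accessible :name
  expose :sometimes_important, :state => [:new, :pending]
  def initialize(state); @state = state; end
end
```

Note that :state itself is never exposed here, so a request cannot flip a closed account back to :new to unlock :sometimes_important in the same assignment.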



  • you


Bugs and Feedback

If you discover any bugs or want to drop a line, feel free to create an issue on GitHub.

MIT License. Copyright 2011 Mark G.