Override ActiveRecord protected attributes with mass assignment


Adds 'sudo' methods to active record classes, allowing you to easily override protected attributes.

Project Status

This gem is no longer being maintained. With the introduction of strong parameters to Rails, the functionality this gem provides is no longer needed.


Rails: Any version of Rails 2.3.x or Rails 3.x. (Older versions of Rails may work, but have not been tested)


The gem is hosted at and can be installed with: gem install sudo_attributes

The Problem

ActiveModel provides a convenient way to make your application more secure by using "protected" attributes. Protected attributes are assigned using either attr_protected or attr_accessible. This adds security by preventing mass assignment of attributes when doing things like user.update_attributes(params[:user]). The issue is that it can be tedious to always manually assign protected attributes in an administrative area of your application. You may find yourself doing things like:

user = User.find(params[:id])
user.admin = true
user.something_else = true

or the alternative in Rails 3.1:

user.assign_attributes(params[:user], :without_protection => true)

The Solution

SudoAttributes adds a few 'sudo' methods to your models, allowing you to override the protected attributes when you know the input can be trusted.

class User < ActiveRecord::Base
  attr_protected :admin
end

user = User.find(params[:id])
user.sudo_update_attributes(params[:user])

Class Methods

Model.sudo_create - Uses same syntax as Model.create to instantiate and save an object with protected attributes

Model.sudo_create! - Similar to Model.sudo_create, but it raises an ActiveRecord::RecordInvalid exception if there are invalid attributes

Model.sudo_new - Uses the same syntax as Model.new to instantiate, but not save, an object with protected attributes

Instance Methods

sudo_update_attributes - Uses identical syntax to update_attributes, but overrides protected attributes.

sudo_update_attributes! - Same as sudo_update_attributes, but raises ActiveRecord errors. Same as update_attributes!


Protect an admin boolean attribute

class User < ActiveRecord::Base
  attr_protected :admin
end

In your admin controller...

params[:user] = {:name => "Pete", :admin => true} # Typically set from a form

@user = User.sudo_create(params[:user])

Somewhere else in your admin controller...

params[:user] = {:admin => false, :name => "Pete"}

@user.sudo_update_attributes(params[:user])
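The difference between the protected path and the 'sudo' path, as an added example that is not the gem's code and does not use ActiveRecord: ToyModel is a hypothetical stand-in that mimics attr_protected filtering, and the two controller-style helpers and the sample parameters are constructed for illustration. It shows why the sudo call belongs behind an authorization check.

```ruby
# Hypothetical stand-in for an ActiveRecord model (not the gem's implementation).
class ToyModel
  def self.protected_attributes
    @protected_attributes ||= []
  end

  def self.attr_protected(*names)
    protected_attributes.concat(names.map(&:to_sym))
  end

  # Mimics update_attributes: protected keys are silently dropped.
  def update_attributes(attrs)
    assign(attrs.reject { |k, _| self.class.protected_attributes.include?(k.to_sym) })
  end

  # Mimics sudo_update_attributes: every key is assigned, protected or not.
  def sudo_update_attributes(attrs)
    assign(attrs)
  end

  private

  def assign(attrs)
    attrs.each { |k, v| public_send("#{k}=", v) }
    true
  end
end

class User < ToyModel
  attr_accessor :name, :admin
  attr_protected :admin
end

# Constructed sample: a profile form submission carrying an extra "admin" field.
UNTRUSTED_PARAMS = { "name" => "Pete", "admin" => true }

# Self-service endpoint: mass assignment goes through the protected path.
def public_profile_update(user, params)
  user.update_attributes(params)
  user
end

# Admin endpoint: the sudo path is reached only after an authorization check.
def admin_panel_update(user, params, current_user_is_admin)
  raise SecurityError, "admin only" unless current_user_is_admin
  user.sudo_update_attributes(params)
  user
end
```

With the same parameters, the public helper leaves admin unset while the admin helper assigns it, so the caller's authorization is the only thing separating the two outcomes.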



Copyright (c) 2011 Peter Brown. See LICENSE for details.
