Skip to content
a better mass assignment method for ActiveRecord that allows contextual whitelists of assignable attributes
Find file
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.



Copyright © 2009 Lance Ivy, released under the MIT license

From initial discussion at

What It Is

A robust mass assignment method with a small and obvious syntax.

The Traditional Approach

The normal mass assignment protection comes from attr_protected and attr_accessible. There are a few problems with this approach:

  • Often never implemented, leaving a wide-open system. Rails blogs are full of dire warnings about forgetting your attr_protected.
  • Once implemented, easy to forget when adding new attributes, leading to bugs (in an attr_accessible system) or security holes (in an attr_protected system).
  • Restricts coding syntax. You can’t easily use update_attributes() or attributes= because your whitelist/blacklist gets in your own way.
  • Not contextual. The list of allowed attributes can’t change to accomodate different user permissions or situations.

The MassAssignment Approach

This plugin’s solution is to let you specify an obvious and explicit list of allowed attributes when you mass assign attributes.

  • The list of allowed attributes is in your controller at calltime, so it’s easier to remember and update (it’s not a hidden, magical system).
  • The list of allowed attributes is optional, so it doesn’t get in your way. You can use update_attributes() and attributes= for your own code again.
  • Assignment permissions are enforced by the controller, where permissions belong. You can evaluate the current user or current situation and write the whitelist on the fly.

And as a bonus, permission plugins have a much easier time of things. The list of allowed attributes may be pulled from a permissions table without any awkward User.current class or thread variables.

For those who would still like attr_protected- and attr_accessible-like functionality, this plugin offers mass assignment policies. You may choose to a default mass assignment protection as open or closed as you like using familiar :only/:except syntax. But you may also specify regular expressions such as /_id$/ to reject all id fields by default, and since these policies inherit, you may set them globally on ActiveRecord::Base. See the examples below.


Let’s take a very plausible situation where you would want three separate lists of allowed attributes. You have users that sign up to your application. But after they have signed up, they may not change their username. Admins, however, may manually change a username as needed.

  class UsersController < ApplicationController
    def create
      @user =
      # during signup a user may pick a username
      @user.assign(params[:user], [:username, :email, :password, :password_confirmation])!

    def update
      @user = User.find(params[:id])
      if admin? # admins may edit username and email but not password
        @user.assign(params[:user], [:username, :email])
      else      # username isn't editable
        @user.assign(params[:user], [:email, :password, :password_confirmation])

If you don’t always want to set attribute lists, you may use the mass_assignment_policy API to configure defaults whitelists or blacklists.

  class User < ActiveRecord::Base
    # The boring usage. You're better off passing attributes to assign() in the controller.
    mass_assignment_policy :only => [:email, :username]

    # More interesting. No id fields!
    mass_assignment_policy :except => /_id$/

  # Hardcore. Disables mass assignment globally unless overridden!
  ActiveRecord::Base.mass_assignment_policy :except => :all

Note that mass_assignment_policy only applies to usage of methods supplied in this plugin.

Nested Assignment

Nested assignment is supported by passing hashes and arrays for the whitelist.

  class Pirate < ActiveRecord::Base
    accepts_nested_attributes_for :ships

  class PiratesController < ApplicationController
    def update
      @pirate = Pirate.find(params[:id])
      @pirate.assign(params[:pirate], [:name, :eyepatch, {:ships_attributes => [:id, :_destroy, :name, :cannons, :capacity]}])!

As you can see, the punctuation gets messy. I’m interested in better options.

Deep Assignment

Sometimes nested assignment isn’t completely appropriate but you still need to assign attributes to associated objects. Try the block syntax:

  class ShipsController < ApplicationController
    def update
      @ship = Ship.find(params[:id])
      @ship.assign(params[:ship], [:name, :cannons, :capacity]) do |ship_params|
        @ship.pirate.assign(ship_params[:pirate], [:name, :eyepatch])

The major benefit here is that the block won’t yield unless the params exist, so you don’t need to check ‘if params[:ship] && params[:ship][:pirate]’.

Something went wrong with that request. Please try again.