Rails plugin which adds a convenient way to override attr_accessible protection.
If you are unfamiliar with the dangers of mass assignment please check these links
You can install this as a plugin into your Rails app.
script/plugin install git://github.com/ryanb/trusted-params.git
This plugin does several things.
Adds “trust” method on hash to bypass attribute protection
Disables attr_protected because you should use attr_accessible.
Requires attr_accessible be specified in every model
Adds :all as option to attr_accessible to allow all attributes to be mass-assignable
Raises an exception when assigning a protected attribute (instead of just a log message)
When using this plugin, you must call use_trusted_params and define attr_accessible in every model to allow mass assignment. You can use :all to mark all attributes as accessible.
class Comment < ActiveRecord::Base use_trusted_params attr_accessible :all end
However, only do this if you want all attributes accessible to the public. Many times you will want to limit what the general public can set.
class Comment < ActiveRecord::Base use_trusted_params attr_accessible :author_name, :email, :content end
Administrators should be able to bypass the protected attributes and set anything. This can be done with the trust method.
def create params[:comment].trust if admin? @comment = Comment.new(params[:comment]) # ... end
You can mark certain attributes as trusted for different roles
params[:comment].trust(:spam, :important) if moderator?
Then only those attributes will be allowed to bypass mass assignment.