

new applications enforce whitelist mode for mass assignment #4062

wants to merge 1 commit into from

6 participants


Previous issues: #3453 and #3952. According to the discussion, it's OK to enable it in 4.0.


@josevalim Could you give comments about it? Can it be in 4.0?

Ruby on Rails member

I have asked other Rails Core Teams for feedback. Let's wait. :) /cc @jeremy @dhh @fxn


Updated description to include both issues with discussion

Ruby on Rails member

Mixed feelings about this. +1 to secure-by-default, but geez, how did we end up here, having to list out accessible attributes for every model?

Seems like a lot of paperwork.

(If we do turn this on by default, the model generator should include attr_accessible too.)


How about #3157?


I think that during development I would like not to have to whitelist all needed attributes. In fact, I plan to use mass assignment security only in subclasses, not in the base classes that inherit directly from ActiveRecord::Base.

Ruby on Rails member

Same feeling as @jeremy: secure by default sounds good, but geez. Not sure I like this as a default. We have SQLite as default to be able to fire up an application quickly and try stuff. People can opt-in... not convinced.

Ruby on Rails member
dhh commented

Yeah, I don't like this idea either. -1.

@josevalim josevalim closed this
@xordoquy xordoquy referenced this pull request in tomchristie/django-rest-framework

Notes on migrating from DRF 2.4 to 3.0 #2375

Commits on Dec 20, 2011
  1. @lest
4 railties/
@@ -1,3 +1,7 @@
+## Rails 4.0.0 (unreleased) ##
+* New applications enforce whitelist mode for mass assignment using `config.active_record.whitelist_attributes`
+ turned on by default in `config/application.rb`. *Sergey Nartimov*
## Rails 3.2.0 (unreleased) ##
* Added `config.exceptions_app` to set the exceptions application invoked by the ShowException middleware when an exception happens. Defaults to ``. *José Valim*
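Review bot: The new entry under `## Rails 4.0.0 (unreleased) ##` says only that the setting is turned on in `config/application.rb` and leaves out the consequence for the developer. The template comment in this same patch already states it: models then need an `attr_accessible` or `attr_protected` declaration. Add that sentence to the changelog entry so readers of the release notes see what the new default requires of them.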
4 railties/lib/rails/generators/rails/app/templates/config/application.rb
@@ -54,12 +54,14 @@ class Application < Rails::Application
# like if you have constraints or database-specific column types
# config.active_record.schema_format = :sql
+<% unless options.skip_active_record? -%>
# Enforce whitelist mode for mass assignment.
# This will create an empty whitelist of attributes available for mass-assignment for all models
# in your app. As such, your models will need to explicitly whitelist or blacklist accessible
# parameters by using an attr_accessible or attr_protected declaration.
- # config.active_record.whitelist_attributes = true
+ config.active_record.whitelist_attributes = true
+<% end -%>
<% unless options.skip_sprockets? -%>
# Enable the asset pipeline
config.assets.enabled = true
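Review bot: With `config.active_record.whitelist_attributes = true` now uncommented, every model in a new application starts from the empty whitelist the comment describes, yet none of the files in this patch touches the model generator. Either emit an `attr_accessible` line from the model template in the same change, or extend the comment above the setting to say plainly that a model without a declaration accepts no mass-assigned attributes.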
13 railties/test/application/configuration_test.rb
@@ -283,15 +283,22 @@ def index
test "sets all Active Record models to whitelist all attributes by default" do
+ require "#{app_path}/config/environment"
+ assert_equal ActiveModel::MassAssignmentSecurity::WhiteList,
+ ActiveRecord::Base.active_authorizers[:default].class
+ assert_equal [""], ActiveRecord::Base.active_authorizers[:default].to_a
+ end
+ test "sets all Active Record models to blacklist all attributes by default when whitelist is disabled" do
add_to_config <<-RUBY
- config.active_record.whitelist_attributes = true
+ config.active_record.whitelist_attributes = false
require "#{app_path}/config/environment"
- assert_equal ActiveModel::MassAssignmentSecurity::WhiteList,
+ assert_equal ActiveModel::MassAssignmentSecurity::BlackList,
- assert_equal [""], ActiveRecord::Base.active_authorizers[:default].to_a
test "registers interceptors with ActionMailer" do
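Review bot: The rewritten blacklist test drops `assert_equal [""], ActiveRecord::Base.active_authorizers[:default].to_a` and now checks only that the authorizer class is `BlackList`, so nothing pins down its contents when the whitelist is disabled. Keep a contents assertion there, as the new whitelist test does. The test name also combines "by default" with "when whitelist is disabled", which no longer describes a default; a name such as "uses a blacklist when whitelist_attributes is false" would read more accurately.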
1 railties/test/application/loading_test.rb
@@ -19,6 +19,7 @@ def app
test "constants in app are autoloaded" do
app_file "app/models/post.rb", <<-MODEL
class Post < ActiveRecord::Base
+ attr_accessible :title
validates_acceptance_of :title, :accept => "omg"
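Review bot: The added `attr_accessible :title` in the `Post` fixture has nothing to do with what "constants in app are autoloaded" verifies and is there only because of the new default. A one-line comment in the heredoc saying so, or disabling `whitelist_attributes` for this test, would keep the fixture from reading as part of the autoload behaviour under test.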
10 railties/test/generators/app_generator_test.rb
@@ -202,7 +202,10 @@ def test_config_jdbc_database_when_no_option_given
def test_generator_if_skip_active_record_is_given
run_generator [destination_root, "--skip-active-record"]
assert_no_file "config/database.yml"
- assert_file "config/application.rb", /#\s+require\s+["']active_record\/railtie["']/
+ assert_file "config/application.rb" do |content|
+ assert_match(/#\s+require\s+["']active_record\/railtie["']/, content)
+ assert_no_match(/config.active_record.whitelist_attributes = true/, content)
+ end
assert_file "test/test_helper.rb" do |helper_content|
assert_no_match(/fixtures :all/, helper_content)
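Review bot: In the new block, `assert_no_match(/config.active_record.whitelist_attributes = true/, content)` leaves the dots unescaped, so each `.` matches any character, unlike the escaped `active_record\/railtie` pattern one line above. Escape them (`config\.active_record\.whitelist_attributes`) and consider dropping `= true`, so the assertion fails on any form of the setting in a `--skip-active-record` application.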
@@ -230,6 +233,11 @@ def test_generator_if_skip_sprockets_is_given
assert_file "test/performance/browsing_test.rb"
+ def test_inclusion_of_activerecord_whitelist_attributes
+ run_generator([destination_root])
+ assert_file "config/application.rb", /config.active_record.whitelist_attributes = true/
+ end
def test_inclusion_of_therubyrhino_under_jruby
if defined?(JRUBY_VERSION)
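Review bot: `test_inclusion_of_activerecord_whitelist_attributes` would also pass against the old template, because `/config.active_record.whitelist_attributes = true/` matches the commented-out line `# config.active_record.whitelist_attributes = true` that this patch removes. Anchor the pattern so a leading `#` fails it, for example `/^\s*config\.active_record\.whitelist_attributes = true/`.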
1 railties/test/isolation/abstract_unit.rb
@@ -261,6 +261,7 @@ def use_frameworks(arr)
:activeresource] - arr
remove_from_config "config.active_record.identity_map = true" if to_remove.include? :activerecord
+ remove_from_config "config.active_record.whitelist_attributes = true" if to_remove.include? :activerecord
$:.reject! {|path| path =~ %r'/(#{to_remove.join('|')})/' }
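Review bot: The added `remove_from_config` call is tied to the literal text `config.active_record.whitelist_attributes = true` from the generated template, so a later change to the template's wording or spacing could leave the setting in place for tests that exclude Active Record, with nothing here to flag it. It also repeats the `if to_remove.include? :activerecord` guard of the line above; one guarded block holding both removals would keep the Active Record cleanup in a single place.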