new applications enforce whitelist mode for mass assignment #4062

wants to merge 1 commit into from

6 participants

Sergey Nartimov José Valim Jeremy Kemper Alexey Muranov Xavier Noria David Heinemeier Hansson
Sergey Nartimov

Previous issues #3453 and #3952, according to discussion it's ok to enable it in 4.0

Sergey Nartimov

@josevalim Could you give comments about it? Can it be in 4.0?

José Valim

I have asked other Rails Core Teams for feedback. Let's wait. :) /cc @jeremy @dhh @fxn

Sergey Nartimov

Updated description to include both issues with discussion

Jeremy Kemper

Mixed feelings about this. +1 to secure-by-default, but geez, how did we end up here, having to list out accessible attributes for every model?

Seems like a lot of paperwork.

(If we do turn this on by default, the model generator should include attr_accessible too.)

Alexey Muranov

How about #3157?

Alexey Muranov

I think, during development I would like not to have to whitelist all needed attributes. In fact, I plan to use mass assignment security only in subclasses, not in the base classes that inherit directly from ActiveRecord::Base.
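An added illustration, not code from this pull request or from Rails itself, of the whitelist and blacklist modes being argued about, including the "only in subclasses" arrangement described above. The module, the `Base`/`Post`/`Comment`/`Legacy` classes and the request parameters are constructed stand-ins for ActiveModel::MassAssignmentSecurity and ActiveRecord::Base, not the real library:

```ruby
# Added illustration, not code from the Rails PR: a hypothetical stand-in that follows
# the shape of ActiveModel::MassAssignmentSecurity but is not that library.
require "set"
module MassAssignmentSecurity # extended into model classes
  PROTECTED_BY_DEFAULT = %w[id].freeze # Active Record protects the primary key; "id" assumed
  # config.active_record.whitelist_attributes = true: every model starts from an
  # EMPTY whitelist, so nothing is mass-assignable until attr_accessible names it.
  def whitelist_attributes!
    @authorizer = [:whitelist, Set.new]
  end

  def attr_accessible(*names)
    @authorizer = [:whitelist, Set.new] unless authorizer[0] == :whitelist
    authorizer[1].merge(names.map(&:to_s))
  end

  # attr_protected switches that model back to blacklist (opt-out) mode.
  def attr_protected(*names)
    @authorizer = [:blacklist, Set.new(PROTECTED_BY_DEFAULT)] unless authorizer[0] == :blacklist
    authorizer[1].merge(names.map(&:to_s))
  end

  # A subclass inherits a copy of its parent's authorizer, so the base class can
  # be put in whitelist mode while each subclass declares its own attr_accessible.
  def authorizer
    @authorizer ||= if superclass.respond_to?(:authorizer)
                      mode, names = superclass.authorizer
                      [mode, names.dup]
                    else
                      [:blacklist, Set.new(PROTECTED_BY_DEFAULT)]
                    end
  end

  # Returns [allowed attributes, rejected keys]; the rejected keys are what Rails
  # would log or raise on, depending on the app's sanitizer setting.
  def sanitize(params)
    mode, names = authorizer
    allowed, rejected = params.partition { |key, _| (mode == :whitelist) == names.include?(key.to_s) }
    [allowed.to_h, rejected.map { |key, _| key.to_s }]
  end
end

class Base; extend MassAssignmentSecurity; end # stands in for ActiveRecord::Base
Base.whitelist_attributes!                     # what the generated application.rb now does
class Post < Base; attr_accessible :title; end  # the one-line fix the PR adds to loading_test.rb
class Comment < Base; end                       # forgot attr_accessible: every param is dropped
class Legacy < Base; attr_protected :admin; end # opts this model back into blacklist mode
PARAMS = { "title" => "hello", "admin" => true, "id" => 7 }.freeze # constructed request params
```

`Comment` shows the cost Jeremy and Xavier object to: a model without a declaration accepts nothing, while `Legacy` shows that a single `attr_protected` quietly returns that model to opt-out mode.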

Xavier Noria

Same feeling as @jeremy: secure by default sounds good, but geez. Not sure I like this as a default. We have SQLite as default to be able to fire up an application quickly and try stuff. People can opt-in... not convinced.

David Heinemeier Hansson

Yeah, I don't like this idea either. -1.

José Valim josevalim closed this
Xavier Ordoquy xordoquy referenced this pull request in tomchristie/django-rest-framework

Notes on migrating from DRF 2.4 to 3.0 #2375

Commits on Dec 20, 2011
  1. Sergey Nartimov
4 railties/
@@ -1,3 +1,7 @@
+## Rails 4.0.0 (unreleased) ##
+* New applications enforce whitelist mode for mass assignment using `config.active_record.whitelist_attributes`
+ turned on by default in `config/application.rb`. *Sergey Nartimov*
## Rails 3.2.0 (unreleased) ##
* Added `config.exceptions_app` to set the exceptions application invoked by the ShowException middleware when an exception happens. Defaults to ``. *José Valim*
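Review bot: the new CHANGELOG entry says the setting is "turned on by default in `config/application.rb`", but the application.rb hunk only changes the generator template (and only when Active Record is not skipped), so upgraded 3.x applications are unaffected; say "newly generated applications" explicitly and add that models in such apps must declare `attr_accessible` or `attr_protected` before any mass assignment works, otherwise readers of the changelog will expect existing apps to change behaviour on upgrade.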
4 railties/lib/rails/generators/rails/app/templates/config/application.rb
@@ -54,12 +54,14 @@ class Application < Rails::Application
# like if you have constraints or database-specific column types
# config.active_record.schema_format = :sql
+<% unless options.skip_active_record? -%>
# Enforce whitelist mode for mass assignment.
# This will create an empty whitelist of attributes available for mass-assignment for all models
# in your app. As such, your models will need to explicitly whitelist or blacklist accessible
# parameters by using an attr_accessible or attr_protected declaration.
- # config.active_record.whitelist_attributes = true
+ config.active_record.whitelist_attributes = true
+<% end -%>
<% unless options.skip_sprockets? -%>
# Enable the asset pipeline
config.assets.enabled = true
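Review bot: the generated comment above `config.active_record.whitelist_attributes = true` says the whitelist starts empty but not what happens to a request: attributes not named by `attr_accessible` are stripped from mass assignment (and, depending on the app's sanitizer setting, logged or rejected), which is the first thing a developer hits when a new model's `create` appears to do nothing. One sentence to that effect in the template comment would save that debugging round. Moving the whole comment block inside `<% unless options.skip_active_record? -%>` is correct, since the option has no meaning without Active Record.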
13 railties/test/application/configuration_test.rb
@@ -283,15 +283,22 @@ def index
test "sets all Active Record models to whitelist all attributes by default" do
+ require "#{app_path}/config/environment"
+ assert_equal ActiveModel::MassAssignmentSecurity::WhiteList,
+ ActiveRecord::Base.active_authorizers[:default].class
+ assert_equal [""], ActiveRecord::Base.active_authorizers[:default].to_a
+ end
+ test "sets all Active Record models to blacklist all attributes by default when whitelist is disabled" do
add_to_config <<-RUBY
- config.active_record.whitelist_attributes = true
+ config.active_record.whitelist_attributes = false
require "#{app_path}/config/environment"
- assert_equal ActiveModel::MassAssignmentSecurity::WhiteList,
+ assert_equal ActiveModel::MassAssignmentSecurity::BlackList,
- assert_equal [""], ActiveRecord::Base.active_authorizers[:default].to_a
test "registers interceptors with ActionMailer" do
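Review bot: the test "sets all Active Record models to whitelist all attributes by default" no longer calls `add_to_config`, so it passes only because the isolation test app's application.rb already carries `config.active_record.whitelist_attributes = true`; that coupling is invisible in the test body and should be stated in a comment, since a change to the isolation template would make this test pass or fail for reasons unrelated to the railtie. The whitelist and blacklist tests also repeat the same `active_authorizers[:default]` assertions with only the expected class swapped; a small helper taking the expected class would keep the two in step.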
1  railties/test/application/loading_test.rb
@@ -19,6 +19,7 @@ def app
test "constants in app are autoloaded" do
app_file "app/models/post.rb", <<-MODEL
class Post < ActiveRecord::Base
+ attr_accessible :title
validates_acceptance_of :title, :accept => "omg"
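Review bot: `attr_accessible :title` is added to the Post model here only because the default whitelist is now empty; without a comment saying so, a future maintainer will read it as noise and remove it, and the loading test will then fail on `:title` being dropped rather than on what it actually tests. It is also the clearest instance in this PR of the "paperwork" cost raised in the discussion: every test model that is mass-assigned now needs such a declaration.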
10 railties/test/generators/app_generator_test.rb
@@ -202,7 +202,10 @@ def test_config_jdbc_database_when_no_option_given
def test_generator_if_skip_active_record_is_given
run_generator [destination_root, "--skip-active-record"]
assert_no_file "config/database.yml"
- assert_file "config/application.rb", /#\s+require\s+["']active_record\/railtie["']/
+ assert_file "config/application.rb" do |content|
+ assert_match(/#\s+require\s+["']active_record\/railtie["']/, content)
+ assert_no_match(/config.active_record.whitelist_attributes = true/, content)
+ end
assert_file "test/test_helper.rb" do |helper_content|
assert_no_match(/fixtures :all/, helper_content)
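Review bot: `assert_no_match(/config.active_record.whitelist_attributes = true/, content)` leaves the dots unescaped and the pattern unanchored; for a negative check that is harmless (it would also reject the old commented-out line, which is the stricter outcome), but use the same escaped, line-anchored form as the positive generator test so the two stay consistent, e.g. `/^\s*config\.active_record\.whitelist_attributes = true/`.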
@@ -230,6 +233,11 @@ def test_generator_if_skip_sprockets_is_given
assert_file "test/performance/browsing_test.rb"
+ def test_inclusion_of_activerecord_whitelist_attributes
+ run_generator([destination_root])
+ assert_file "config/application.rb", /config.active_record.whitelist_attributes = true/
+ end
def test_inclusion_of_therubyrhino_under_jruby
if defined?(JRUBY_VERSION)
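Review bot: `assert_file "config/application.rb", /config.active_record.whitelist_attributes = true/` in `test_inclusion_of_activerecord_whitelist_attributes` also matches the commented-out line `# config.active_record.whitelist_attributes = true` that the template shipped before this change, so the test cannot catch a regression to the old opt-in default. Anchor the pattern so only whitespace may precede the setting, e.g. `/^\s*config\.active_record\.whitelist_attributes = true/`.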
1  railties/test/isolation/abstract_unit.rb
@@ -261,6 +261,7 @@ def use_frameworks(arr)
:activeresource] - arr
remove_from_config "config.active_record.identity_map = true" if to_remove.include? :activerecord
+ remove_from_config "config.active_record.whitelist_attributes = true" if to_remove.include? :activerecord
$:.reject! {|path| path =~ %r'/(#{to_remove.join('|')})/' }
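Review bot: `remove_from_config "config.active_record.whitelist_attributes = true"` has to match the generated line character for character, so any later rewording of that line in the application.rb template silently leaves the setting in place for apps that skip Active Record in the isolation suite. Since it sits directly beside the identity_map removal under the same `if to_remove.include? :activerecord` guard, collect both strings in one array and loop over them, which also gives one place to update when the template changes.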