Rails plugin for overriding attr_accessible protection.
Ruby
Latest commit f915414 Jun 29, 2011 @ryanb Merge pull request #5 from elandesign/master
Added gemspec and moved tasks
lib Moved tasks into lib per deprecation warning Sep 23, 2010
rails Moved tasks into lib per deprecation warning Sep 23, 2010
spec inherit global trust for all nested hashes Jun 1, 2009
.gitignore Moved tasks into lib per deprecation warning Sep 23, 2010
LICENSE
README.rdoc adding links to beginning of readme Jun 1, 2009
Rakefile Moved tasks into lib per deprecation warning Sep 23, 2010
trusted_params.gemspec Moved tasks into lib per deprecation warning Sep 23, 2010

README.rdoc

Trusted Params

Rails plugin which adds a convenient way to override attr_accessible protection.

If you are unfamiliar with the dangers of mass assignment please check these links

Install

You can install this as a plugin into your Rails app.

script/plugin install git://github.com/ryanb/trusted-params.git

Features

This plugin does several things.

  • Adds “trust” method on hash to bypass attribute protection

  • Disables attr_protected because you should use attr_accessible

  • Requires attr_accessible be specified in every model

  • Adds :all as option to attr_accessible to allow all attributes to be mass-assignable

  • Raises an exception when assigning a protected attribute (instead of just a log message)

Usage

When using this plugin, you must define attr_accessible in every model to allow mass assignment. You can use :all to mark all attributes as accessible.

class Comment < ActiveRecord::Base
  attr_accessible :all
end

However, only do this if you want all attributes accessible to the public. Many times you will want to limit what the general public can set.

class Comment < ActiveRecord::Base
  attr_accessible :author_name, :email, :content
end

Administrators should be able to bypass the protected attributes and set anything. This can be done with the “trust” method.

def create
  params[:comment].trust if admin?
  @comment = Comment.new(params[:comment])
  # ...
end

You can mark certain attributes as trusted for different roles:

params[:comment].trust(:spam, :important) if moderator?

Then only those attributes will be allowed to bypass mass assignment.
