Trust your params attributes

TrustedKeys

This gem makes it possible to handle mass assignment in the controller.
It adds two methods:

  • #trusted_attributes - returns the trusted attributes.
  • .trust - defines the trusted attributes.

Why

  • It handles complex hashes, e.g. hashes that comply with accepts_nested_attributes_for, even when nested on several levels; see the spec for more info.

Usage

Include it in your application controller:

class ApplicationController < ActionController::Base
  include TrustedKeys
end

Define which attributes to trust in the controller:

class EventsController < ApplicationController
  trust :title, :location, :start, :stop, :description, :attendees, :repeat,
        :min_number_of_attendees, :deadline, for: :event
end

The above command reads like this: trust the following attributes, 'title', ..., 'deadline', in the params[:event] hash.

Inside your action:

def create
  @event = Event.create(trusted_attributes)
  respond_with(@event)
end

And it will only return the trusted attributes.

A nested attributes example:

params = { "event" =>
           { "title" => "A title",
             "location" => "I am not trusted",
             "attendees_attributes" => {
                "0" => { "_destroy" => "false",
                         "id" => "2",
                         "dangerous" => "I am evil",
                         "start" => "2012" },
                "new_1331711737056" => { "_destroy" => "false",
                                         "start" => "2012" } }
           }
         }

class EventsController < ApplicationController
  trust :title, :attendees_attributes, for: :event
  trust :start, for: "event.attendees_attributes"

  def create
    @event = Event.create(trusted_attributes)
    respond_with(@event)
  end
end

# trusted_attributes =>
  { "title" => "A title",
    "attendees_attributes" => {
      "0" => { "_destroy" => "false",
               "id" => "2",
               "start" => "2012" },
      "new_1331711737056" => { "_destroy" => "false",
                               "start" => "2012" }
    }
  }

When the hash conforms to the accepts_nested_attributes_for structure, the keys '_destroy' and 'id' are also trusted on that hash level, as the above example shows.
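To make the filtering rules above concrete, here is an added, stand-alone Ruby reimplementation of the behaviour the README describes (this is illustrative code, not the gem's own implementation). It models the two `trust` calls as a hash from path to trusted keys, and handles only the collection form of nested attributes shown in the example.

```ruby
require "set"

# Keys accepts_nested_attributes_for itself needs; trusted on every nested
# hash level, as the README describes.
NESTED_KEYS = Set.new(%w[id _destroy]).freeze

# Filter `hash` against the keys trusted for `path` (e.g. "event"). A nested
# hash survives only if a trust for "path.key" exists; it is then treated as
# an accepts_nested_attributes_for collection ({ "0" => {...}, "new_x" => {...} }).
def filter_hash(hash, trusts, path, extra = Set.new)
  allowed = Set.new(trusts.fetch(path, []).map(&:to_s)) | extra
  hash.each_with_object({}) do |(key, value), out|
    next unless allowed.include?(key)
    if value.is_a?(Hash)
      child = "#{path}.#{key}"
      next unless trusts.key?(child) # untrusted nested hash: dropped whole
      out[key] = filter_collection(value, trusts, child)
    else
      out[key] = value
    end
  end
end

# Each collection member is filtered recursively, with id/_destroy added at
# that level; non-hash members cannot be nested records and are dropped.
def filter_collection(collection, trusts, path)
  collection.each_with_object({}) do |(index, member), out|
    next unless member.is_a?(Hash)
    out[index] = filter_hash(member, trusts, path, NESTED_KEYS)
  end
end

# Constructed sample: the README's params above (missing comma supplied) and
# the equivalent of its two `trust` calls.
SAMPLE_PARAMS = { "event" => {
  "title" => "A title", "location" => "I am not trusted",
  "attendees_attributes" => {
    "0" => { "_destroy" => "false", "id" => "2",
             "dangerous" => "I am evil", "start" => "2012" },
    "new_1331711737056" => { "_destroy" => "false", "start" => "2012" } } } }
SAMPLE_TRUSTS = { "event" => [:title, :attendees_attributes],
                  "event.attendees_attributes" => [:start] }

# Equivalent of calling trusted_attributes inside the controller action.
def readme_example
  filter_hash(SAMPLE_PARAMS.fetch("event", {}), SAMPLE_TRUSTS, "event")
end
```

Running `readme_example` yields exactly the trusted_attributes hash shown above: 'location' and 'dangerous' are gone, while 'id' and '_destroy' survive on the nested level.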

Environments

When an attribute isn't trusted in development or test mode, an exception is raised with a message explaining what to do. In other environments (e.g. production) untrusted attributes are silently removed.

Installation

Add this line to your application's Gemfile:

gem 'trusted_keys'

And then execute:

$ bundle

Or install it yourself as:

$ gem install trusted_keys

Other mass assignment controller protection gems

Contributing

  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Added some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create new Pull Request