Secures ActiveRecord mass assignment by default

# Mass assignment guard

Disables mass assignment by default, so developers must explicitly declare which attributes may be mass-assigned instead of remembering to lock each one down.

## Installation

Add this to your Gemfile:

```ruby
gem 'mass_assignment_guard'
```

Then run `bundle install`.

## Usage

With the gem loaded, mass assignment is disabled by default: an attribute that has not been declared cannot be set from a params hash.

Enable attributes with `attr_accessible`, for example:

```ruby
class User < ActiveRecord::Base
  # Only these two attributes may be set from a params hash.
  attr_accessible :email, :password
end
```

Or allow mass assignment of every attribute on a model like this:

```ruby
class TrustedObject < ActiveRecord::Base
  # Opens every attribute to mass assignment; use only where the input is trusted.
  attr_accessible :all
end
```

You can also enable mass assignment of all attributes for a single record inside a controller action, like this:

```ruby
class Admin::UsersController < ApplicationController
  def update
    # @user is assumed to be loaded earlier (for example by a before_filter).
    # The override applies to this record only.
    @user.accessible = :all
    @user.update_attributes!(params[:user])
    redirect_to([:admin, @user], :notice => "Updated!")
  end
end
```

... or class-wide, resetting it in `ensure` so that later requests are not left with every attribute open:

```ruby
class Admin::UsersController < ApplicationController
  def create
    begin
      # Class-level override: affects every User built while it is set.
      User.accessible = :all
      @user = User.new(params[:user])
      @user.save!
      redirect_to([:admin, @user], :notice => "Created!")
    ensure
      # Always restore the default, even if save! raises.
      User.accessible = nil
    end
  end
end
```
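Added example, not the gem's own code: a plain-Ruby model of the rules above (declared list, class-wide `accessible = :all`, per-instance override, reset in `ensure`) that runs without ActiveRecord. The `MassAssignmentGuard` module, `assign_attributes`, and the sample params are assumptions made for illustration; it shows how an undeclared `admin` key is dropped by default and only lands when the override is active.

```ruby
module MassAssignmentGuard
  module ClassMethods
    attr_accessor :accessible   # class-wide override: nil (use declared list) or :all
    # Declare the attributes an untrusted hash may set; :all opens every attribute.
    def attr_accessible(*attrs)
      @attr_accessible = attrs.include?(:all) ? :all : attrs.map(&:to_sym)
    end
    def allowed_attributes
      accessible || @attr_accessible || []   # nothing declared => deny everything
    end
  end
  def self.included(base); base.extend(ClassMethods); end
  attr_accessor :accessible   # per-instance override (the README's @user.accessible = :all)
  # Assign only permitted keys; return the rejected ones so the caller can log them.
  def assign_attributes(params)
    allowed = accessible || self.class.allowed_attributes
    rejected = {}
    params.each do |key, value|
      if allowed == :all || allowed.include?(key.to_sym)
        instance_variable_set("@#{key}", value)
      else
        rejected[key.to_sym] = value
      end
    end
    rejected
  end
end

class User
  include MassAssignmentGuard
  attr_reader :email, :password, :admin
  attr_accessible :email, :password   # admin is deliberately not listed
end
# Constructed sample input: a sign-up form that also smuggles in an admin flag.
UNTRUSTED_PARAMS = { "email" => "a@example.com", "password" => "s3cret", "admin" => true }.freeze
# Default: undeclared keys are dropped, so the admin flag never reaches the model.
def default_deny
  user = User.new
  rejected = user.assign_attributes(UNTRUSTED_PARAMS)
  [user.email, user.admin, rejected.keys]
end
# The README's trusted-controller pattern: open everything, reset in ensure so later requests fall back to the declared list.
def allow_all_then_reset
  User.accessible = :all
  user = User.new.tap { |u| u.assign_attributes(UNTRUSTED_PARAMS) }
  [user.admin, User.accessible]
ensure
  User.accessible = nil
end
```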

## Testing

To run the tests:

```sh
$ rspec
```