cpjolicoeur/readme.md

Created March 6, 2012 14:20

Star (1) You must be signed in to star a gist
Fork (0) You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/cpjolicoeur/1986526.js"></script>
Save cpjolicoeur/1986526 to your computer and use it in GitHub Desktop.

Download ZIP

Rails Mass Assignment Solutions

Raw

readme.md

Initializer

# config/initializers/mass_assignment.rb
ActiveRecord::Base.send(:attr_accessible, nil)

Whitelist Config

From rails core commit 641a4f6240

# config/application.rb
config.active_record.whitelist_attributes = true

Params slice

class FooController << ActionController::Base
  def create
    @foo = Foo.new(post_params)
    ...
  end

  def update
    @foo.update_attributes(post_params)
    ...
  end

  def post_params
    @params[:foo].slice(:params, :i_care_about)
  end
  private :post_params
end

bsimpson commented Mar 6, 2012

You may want to look at the new(ish) ActiveModel::MassAssignmentSecurity module. It looks like you can filter the attributes in either the controller, or the model via attr_accessible with an ":as" option. This allows for different lists of accessible attributes based on a role. An admin would be able to update more attributes than a normal user, etc. The params can be filtered using sanitize_for_mass_assignment which looks like it may duplicate what you are doing in the post_params method in your controller.

http://api.rubyonrails.org/classes/ActiveModel/MassAssignmentSecurity/ClassMethods.html

Author

cpjolicoeur commented Mar 6, 2012 via email

I believe that ActiveModel code is only for use inside model object. Iguess you could always mix it into a controller but it wouldnt work as expected fully because of its close ties to things like the whitelist and attr_protected|accessible the :as => :role stuff can to used on both attr_protected and attr_accessible

…

--- Craig P Jolicoeur [email protected]

On Tuesday, March 6, 2012 at 9:54 AM, Ben Simpson wrote: You may want to look at the new(ish) ActiveModel::MassAssignmentSecurity module. It looks like you can filter the attributes in either the controller, or the model via attr_accessible with an ":as" option. This allows for different lists of accessible attributes based on a role. An admin would be able to update more attributes than a normal user, etc. The params can be filtered using sanitize_for_mass_assignment which looks like it may duplicate what you are doing in the post_params method in your controller. --- Reply to this email directly or view it on GitHub: https://gist.github.com/1986526