instance method attr_protected

Ruby on Rails 3.0.20

Since v3.0.20 Last seen in v3.2.22.5

Available in: v3.0.20 v3.1.12 v3.2.22.5

Signature

attr_protected(*names)

Attributes named in this macro are protected from mass-assignment whenever attributes are sanitized before assignment.

Mass-assignment to these attributes is simply ignored; to assign to them you use the direct writer methods. This is meant to protect sensitive attributes from being overwritten by malicious users tampering with URLs or forms.

Example

class Customer
  include ActiveModel::MassAssignmentSecurity

  attr_accessor :name, :credit_rating
  attr_protected :credit_rating

  def attributes=(values)
    sanitize_for_mass_assignment(values).each do |k, v|
      send("#{k}=", v)
    end
  end
end

customer = Customer.new
customer.attributes = { "name" => "David", "credit_rating" => "Excellent" }
customer.name          # => "David"
customer.credit_rating # => nil

customer.credit_rating = "Average"
customer.credit_rating # => "Average"

To start from an all-closed default and enable attributes as needed, have a look at attr_accessible.

Note that using Hash#except or Hash#slice in place of attr_protected to sanitize attributes won’t provide sufficient protection.
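The following is an added example, not code from the Rails source or this page, that re-implements the attr_protected deny-list in a few lines (so it runs without ActiveModel) and puts it next to the Hash#except shortcut the note above warns against. The names ProtectedAttributes, assign_with_sanitizer, assign_with_except and the extra admin attribute are constructed for the illustration. It shows two things the prose states but the example above does not exercise: the sanitizer normalises keys so a symbol-keyed and a string-keyed submission are treated alike, whereas Hash#except(:credit_rating) only strips a symbol key and lets the string-keyed form payload through; and because attr_protected is a deny-list, any attribute that was never named stays writable by default, which is the reason the page points to attr_accessible for an all-closed default.

```ruby
# Added example (not the Rails source): a minimal attr_protected-style
# deny-list sanitizer beside Hash#except, to show why Hash#except/Hash#slice
# are not a sufficient substitute. ActiveModel is not required here.
module ProtectedAttributes
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    def protected_attributes
      @protected_attributes ||= []
    end

    # Names are stored as strings so lookups do not depend on key type.
    def attr_protected(*names)
      protected_attributes.concat(names.map(&:to_s))
    end
  end

  # Keys are normalised to strings before the deny-list check, so a request
  # cannot slip past it by using :credit_rating instead of "credit_rating".
  def sanitize_for_mass_assignment(attrs)
    denied = self.class.protected_attributes
    attrs.reject { |k, _| denied.include?(k.to_s) }
  end

  def attributes=(values)
    sanitize_for_mass_assignment(values).each do |k, v|
      send("#{k}=", v)
    end
  end
end

class Customer
  include ProtectedAttributes
  # :admin is a constructed extra attribute that nobody remembered to protect
  attr_accessor :name, :credit_rating, :admin
  attr_protected :credit_rating
end

# Constructed "form submissions": the same payload with string keys (as Rack
# params arrive) and with symbol keys.
STRING_KEYED = { "name" => "David", "credit_rating" => "Excellent" }
SYMBOL_KEYED = { name: "David", credit_rating: "Excellent" }

# Assignment through the deny-list sanitizer; returns [name, credit_rating].
def assign_with_sanitizer(params)
  c = Customer.new
  c.attributes = params
  [c.name, c.credit_rating]
end

# The shortcut the doc warns against: Hash#except with a symbol key
# (Hash#except is core Ruby since 3.0; ActiveSupport adds it on older Rubies).
def assign_with_except(params)
  c = Customer.new
  params.except(:credit_rating).each { |k, v| c.send("#{k}=", v) }
  [c.name, c.credit_rating]
end

# Deny-list default: an attribute that was never named is writable.
def assign_unlisted_attribute
  c = Customer.new
  c.attributes = { "admin" => true }
  c.admin
end

if __FILE__ == $PROGRAM_NAME
  p assign_with_sanitizer(STRING_KEYED)  # => ["David", nil]
  p assign_with_sanitizer(SYMBOL_KEYED)  # => ["David", nil]
  p assign_with_except(STRING_KEYED)     # => ["David", "Excellent"]  (bypassed)
  p assign_with_except(SYMBOL_KEYED)     # => ["David", nil]
  p assign_unlisted_attribute            # => true
end
```

The sanitizer blocks credit_rating for both key styles, while the except-based version only blocks the symbol-keyed submission and accepts the string-keyed one that a real form would send. The last call shows the deny-list trade-off: admin was never listed, so it is assignable until someone adds it, which is the case attr_accessible's allow-list closes off.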

Parameters

names (rest argument): the attribute names to protect, given as symbols or strings

Source

# File activemodel/lib/active_model/mass_assignment_security.rb, line 87
def attr_protected(*names)
  self._protected_attributes = self.protected_attributes + names
  self._active_authorizer = self._protected_attributes
end

Defined in activemodel/lib/active_model/mass_assignment_security.rb line 87

Defined in ActiveModel::MassAssignmentSecurity::ClassMethods
