instance method
attr_protected
Ruby on Rails 3.0.20
Since v3.0.20 Last seen in v3.2.22.5Signature
attr_protected(*names)
Attributes named in this macro are protected from mass-assignment whenever attributes are sanitized before assignment.
Mass-assignment to these attributes will simply be ignored, to assign to them you can use direct writer methods. This is meant to protect sensitive attributes from being overwritten by malicious users tampering with URLs or forms.
Example
class Customer
include ActiveModel::MassAssignmentSecurity
attr_accessor :name, :credit_rating
attr_protected :credit_rating
def attributes=(values)
sanitize_for_mass_assignment(values).each do |k, v|
send("#{k}=", v)
end
end
end
customer = Customer.new
customer.attributes = { "name" => "David", "credit_rating" => "Excellent" }
customer.name # => "David"
customer.credit_rating # => nil
customer.credit_rating = "Average"
customer.credit_rating # => "Average"
To start from an all-closed default and enable attributes as needed, have a look at attr_accessible.
Note that using Hash#except or Hash#slice in place of attr_protected to sanitize attributes won’t provide sufficient protection.
Parameters
-
namesrest
Source
# File activemodel/lib/active_model/mass_assignment_security.rb, line 87
def attr_protected(*names)
self._protected_attributes = self.protected_attributes + names
self._active_authorizer = self._protected_attributes
end
Defined in activemodel/lib/active_model/mass_assignment_security.rb line 87
· View on GitHub
· Improve this page
· Find usages on GitHub
Defined in ActiveModel::MassAssignmentSecurity::ClassMethods