Module: ActiveModel::MassAssignmentSecurity

Extended by:

ActiveSupport::Concern

Includes:

ForbiddenAttributesProtection

Included in:

ActiveRecord::MassAssignmentSecurity::AttributeAssignment

Defined in:

lib/active_model/mass_assignment_security.rb,
lib/active_model/mass_assignment_security/sanitizer.rb,
lib/active_model/mass_assignment_security/permission_set.rb

Overview

Active Model Mass-Assignment Security

Mass assignment security provides an interface for protecting attributes from end-user assignment. For more complex permissions, mass assignment security may be handled outside the model by extending a non-ActiveRecord class, such as a controller, with this behavior.

For example, a logged in user may need to assign additional attributes depending on their role:

class AccountsController < ApplicationController
  include ActiveModel::MassAssignmentSecurity

  attr_accessible :first_name, :last_name
  attr_accessible :first_name, :last_name, :plan_id, as: :admin

  def update
    ...
    @account.update_attributes(account_params)
    ...
  end

  protected

  def account_params
    role = admin ? :admin : :default
    sanitize_for_mass_assignment(params[:account], role)
  end

end

Configuration options

• mass_assignment_sanitizer - Defines sanitize method. Possible values are:

  • :logger (default) - writes filtered attributes to logger

  • :strict - raise ActiveModel::MassAssignmentSecurity::Error on any protected attribute update.

You can specify your own sanitizer object eg. MySanitizer.new. See ActiveModel::MassAssignmentSecurity::LoggerSanitizer for example implementation.

Defined Under Namespace

Modules: ClassMethods Classes: BlackList, Error, LoggerSanitizer, PermissionSet, Sanitizer, StrictSanitizer, WhiteList