sudo_attributes
Adds ‘sudo’ methods to active record classes, allowing you to easily override protected attributes.
The Problem
ActiveRecord (ActiveModel in Rails 3) provides a convenient way to make your application more secure by using “protected” attributes. Protected attributes are assigned using either attr_protected or attr_accessible. This adds security by preventing mass assignment of attributes when doing things like user.update_attributes(params[:user]), so a request cannot set fields the form was never meant to expose. The issue is that it can be tedious to always manually assign protected attributes in an administrative area of your application. You may find yourself doing things like:
user = User.find(params[:id])
user.update_attributes(params[:user])
user.admin = true
user.something_else = true
user.save
The Solution
SudoAttributes adds a few ‘sudo’ methods to your models, allowing you to override the protected attributes when you know the input can be trusted.
It’s as easy as adding one method call to your models like so:
class User < ActiveRecord::Base
sudo_attr_protected :admin
end
user = User.find(params[:id])
user.sudo_update_attributes(params[:user])
Class Methods
The class methods sudo_attr_protected and sudo_attr_accessible will be available to all ActiveRecord models. When called, they add numerous ‘sudo’ methods to the class. You may still use the default methods attr_protected or attr_accessible provided by Rails, but you must then call has_sudo_attributes in order to gain access to the sudo methods.
Here are four different ways it can be used:
sudo_attr_protected :attribute1, :attribute2 – Defines protected attributes
sudo_attr_accessible :attribute1, :attribute2 – Defines accessible attributes
sudo_attr_protected or sudo_attr_accessible – With no arguments, it will rely on existing calls to attr_protected or attr_accessible
Any model that calls sudo_attr_* will also be able to create new instances that override protected attributes using the following methods:
Model.sudo_create – Uses the same syntax as Model.create to instantiate and save an object with protected attributes
Model.sudo_create! – Similar to Model.sudo_create, but it raises an ActiveRecord::RecordInvalid exception if there are invalid attributes
Model.sudo_new – Uses the same syntax as Model.new to instantiate, but not save, an object with protected attributes
Instance Methods
The following instance methods are available to any ActiveRecord model that calls has_sudo_attributes:
sudo_update_attributes – Uses identical syntax to update_attributes, but overrides protected attributes
sudo_update_attributes! – Same as sudo_update_attributes, but raises ActiveRecord errors, as update_attributes! does
Examples
Protect an admin boolean attribute
class User < ActiveRecord::Base
sudo_attr_protected :admin
end
In your admin controller…
params[:user] = {:name => "Pete", :admin => true} # typically set from a form
@user = User.sudo_create(params[:user])
Somewhere else in your admin controller...
params[:user] = {:admin => false, :name => "Pete"}
@user.sudo_update_attributes(params[:user])
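The example below is an added, Rails-free illustration of the behaviour described above; it is not the sudo_attributes gem's own code. A small MiniModel class mimics attr_protected-style mass assignment (protected keys are dropped) next to a ‘sudo’ path that assigns everything, so you can see why the normal path must receive request parameters and the sudo path only trusted input. The names MiniModel, dropped_keys, FORGED_PARAMS, untrusted_signup and admin_panel_create are assumptions made for this demo; sudo_attr_protected, sudo_create and sudo_update_attributes mirror the README's method names.

```ruby
# Added example, not the gem's code: a minimal model with Rails-style
# protected attributes and a 'sudo' override, runnable without Rails.
class MiniModel
  # Class-level registry of protected attribute names, like attr_protected.
  def self.attr_protected(*names)
    @protected ||= []
    @protected.concat(names.map(&:to_sym))
  end

  def self.protected_attributes
    @protected || []
  end

  # Mirrors the README's sudo_attr_protected: protect the attributes and
  # make the sudo methods meaningful for this class.
  def self.sudo_attr_protected(*names)
    attr_protected(*names)
  end

  # Like Model.create: filtered mass assignment, then "save".
  def self.create(attrs)
    new.tap { |m| m.update_attributes(attrs) }
  end

  # Like Model.sudo_create: trusted input, protected attributes are overridden.
  def self.sudo_create(attrs)
    new.tap { |m| m.sudo_update_attributes(attrs) }
  end

  # Keys rejected by the last filtered assignment (assumed name, for auditing).
  attr_reader :dropped_keys

  def initialize
    @attributes = {}
    @dropped_keys = []
  end

  def [](name)
    @attributes[name.to_sym]
  end

  # Normal mass assignment: protected keys are dropped and recorded. This is
  # what shields user.update_attributes(params[:user]) from a forged admin flag.
  def update_attributes(attrs)
    @dropped_keys = attrs.keys.map(&:to_sym) & self.class.protected_attributes
    attrs.each do |k, v|
      @attributes[k.to_sym] = v unless @dropped_keys.include?(k.to_sym)
    end
    true
  end

  # The sudo path: every key is assigned, so it must only ever see input the
  # application already trusts (an admin-only controller), never raw params.
  def sudo_update_attributes(attrs)
    @dropped_keys = []
    attrs.each { |k, v| @attributes[k.to_sym] = v }
    true
  end
end

class User < MiniModel
  sudo_attr_protected :admin
end

# Constructed sample: a signup body to which a visitor has added admin=true.
FORGED_PARAMS = { :name => "Pete", :admin => true }

# Public signup: the forged flag is silently dropped.
def untrusted_signup
  User.create(FORGED_PARAMS)
end

# Admin area: the same hash, now coming from a trusted form, is applied in full.
def admin_panel_create
  User.sudo_create(FORGED_PARAMS)
end
```

Run it with ruby and compare untrusted_signup[:admin] (nil, with :admin in dropped_keys) against admin_panel_create[:admin] (true). The point the demo makes is that the sudo methods do not weaken the protection; they move the decision about trust to the call site, which is why they belong only in code paths where the input has already been vetted.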
Copyright
Copyright © 2010 Peter Brown. See LICENSE for details.