Adds 'sudo' methods to active record classes, allowing you to easily override protected attributes.


Rails: Any version of Rails 2.3.x or Rails 3.x. (Older versions of Rails may work, but have not been tested)


The gem is hosted at and can be installed with: gem install sudo_attributes

The Problem

ActiveModel provides a convenient way to make your application more secure by using "protected" attributes. Protected attributes are assigned using either attr_protected or attr_accessible. This adds security by preventing mass assignment of attributes when doing things like user.update_attributes(params[:user]). The issue is that it can be tedious to always manually assign protected attributes in an administrative area of your application. You may find yourself doing things like:

user = User.find(params[:id])
user.admin = true
user.something_else = true

or the alternative in Rails 3.1:

user.assign_attributes(params[:user], :without_protection => true)

The Solution

SudoAttributes adds a few 'sudo' methods to your models, allowing you to override the protected attributes when you know the input can be trusted.

class User < ActiveRecord::Base
  attr_protected :admin
end

user = User.find(params[:id])
# In trusted code only: writes :admin as well, even though it is protected
user.sudo_update_attributes(params[:user])

Class Methods

Model.sudo_create - Uses same syntax as Model.create to instantiate and save an object with protected attributes

Model.sudo_create! - Similar to Model.sudo_create, but raises an ActiveRecord::RecordInvalid exception if the record fails validation

Model.sudo_new - Uses the same syntax as Model.new to instantiate, but not save, an object with protected attributes

Instance Methods

sudo_update_attributes - Uses identical syntax to update_attributes, but overrides protected attributes.

sudo_update_attributes! - Same as sudo_update_attributes, but raises ActiveRecord errors, exactly like update_attributes!
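To make the protected-attribute filtering described under "The Problem" and the bypass described under "The Solution" concrete without an ActiveRecord database, here is an added plain-Ruby illustration. It is not the gem's code and not Rails code: ProtectedModel, its attr_protected stand-in, assign_attributes, sudo_assign_attributes and sudo_new are hypothetical re-implementations of the pattern, and the params hash is constructed. The point it shows is the one the README relies on: ordinary mass assignment drops :admin when an untrusted form submits it, while the sudo_ variant writes it and therefore belongs only in code paths where the input is already trusted.

```ruby
# Added illustration (not the sudo_attributes gem or Rails): a minimal model
# that mimics attr_protected filtering and a "sudo_" bypass, with no database.
class ProtectedModel
  # Hypothetical stand-in for ActiveRecord's attr_protected.
  def self.attr_protected(*names)
    @protected_attributes = names.map(&:to_s)
  end

  def self.protected_attributes
    @protected_attributes || []
  end

  attr_reader :attributes

  def initialize(attrs = {})
    @attributes = {}
    assign_attributes(attrs)
  end

  # Untrusted mass assignment: protected keys are silently dropped, which is
  # what attr_protected does when params come straight from a request.
  def assign_attributes(attrs)
    attrs.each do |key, value|
      next if self.class.protected_attributes.include?(key.to_s)
      @attributes[key.to_s] = value
    end
    self
  end

  # Trusted mass assignment: every key is written, protected ones included.
  # This is the behaviour the gem's sudo_* methods add.
  def sudo_assign_attributes(attrs)
    attrs.each { |key, value| @attributes[key.to_s] = value }
    self
  end

  # Stand-in for Model.sudo_new: instantiate with protection bypassed.
  def self.sudo_new(attrs = {})
    new.sudo_assign_attributes(attrs)
  end

  def [](name)
    @attributes[name.to_s]
  end
end

class User < ProtectedModel
  attr_protected :admin
end

# Constructed sample params: a public signup form to which a client has
# appended admin=true. Nothing here was captured from a real request.
UNTRUSTED_PARAMS = { "name" => "Pete", "admin" => true }.freeze

# Public-facing path: the protected :admin key must not get through.
def public_signup(params)
  User.new(params)
end

# Admin-only path: the caller has already established that params are trusted.
def admin_create(params)
  User.sudo_new(params)
end

if __FILE__ == $0
  puts "signup admin: #{public_signup(UNTRUSTED_PARAMS)['admin'].inspect}"  # nil
  puts "admin  admin: #{admin_create(UNTRUSTED_PARAMS)['admin'].inspect}"   # true
end
```

The same split applies to the instance methods: update_attributes takes the filtering path, sudo_update_attributes the bypass path, so the review question for any sudo_ call is simply whether the hash it receives can still carry values a user typed.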


Protect an admin boolean attribute

class User < ActiveRecord::Base
  attr_protected :admin
end

In your admin controller...

# Typically set from a form
params[:user] = {:name => "Pete", :admin => true}

@user = User.sudo_create(params[:user])

Somewhere else in your admin controller...

params[:user] = {:admin => false, :name => "Pete"}

# Overrides the protected :admin attribute on the existing record
@user.sudo_update_attributes(params[:user])