module ActiveModel::MassAssignmentSecurity::ClassMethods

def accessible_attributes

def accessible_attributes
  self._accessible_attributes ||= WhiteList.new.tap { |w| w.logger = self.logger if self.respond_to?(:logger) }
end

def active_authorizer

def active_authorizer
  self._active_authorizer ||= protected_attributes
end

def attr_accessible(*names)

to sanitize attributes won't provide sufficient protection.
Note that using Hash#except or Hash#slice in place of +attr_accessible+

customer.credit_rating # => "Average"
customer.credit_rating = "Average"

customer.credit_rating # => nil
customer.name # => "David"
customer.attributes = { :name => "David", :credit_rating => "Excellent" }
customer = Customer.new

end
end
end
send("#{k}=", v)
sanitize_for_mass_assignment(values).each do |k, v|
def attributes=(values)

attr_accessible :name
attr_accessor :name, :credit_rating

include ActiveModel::MassAssignmentSecurity
class Customer

+attr_protected+.
default and restrict attributes as needed, have a look at
tampering with URLs or forms. If you'd rather start from an all-open
sensitive attributes from being overwritten by malicious users
attributes you can use direct writer methods. This is meant to protect
will only set attributes in this list, to assign to the rest of
This is the opposite of the +attr_protected+ macro: Mass-assignment

mass-assignment.
Specifies a white list of model attributes that can be set via

def attr_accessible(*names)
  self._accessible_attributes = self.accessible_attributes + names
  self._active_authorizer = self._accessible_attributes
end

def attr_protected(*names)

to sanitize attributes won't provide sufficient protection.
Note that using Hash#except or Hash#slice in place of +attr_protected+

have a look at +attr_accessible+.
To start from an all-closed default and enable attributes as needed,

customer.credit_rating # => "Average"
customer.credit_rating = "Average"

customer.credit_rating # => nil
customer.name # => "David"
customer.attributes = { "name" => "David", "credit_rating" => "Excellent" }
customer = Customer.new

end
end
end
send("#{k}=", v)
sanitize_for_mass_assignment(values).each do |k, v|
def attributes=(values)

attr_protected :credit_rating
attr_accessor :name, :credit_rating

include ActiveModel::MassAssignmentSecurity
class Customer

== Example

tampering with URLs or forms.
sensitive attributes from being overwritten by malicious users
to them you can use direct writer methods. This is meant to protect
Mass-assignment to these attributes will simply be ignored, to assign

whenever attributes are sanitized before assignment.
Attributes named in this macro are protected from mass-assignment

def attr_protected(*names)
  self._protected_attributes = self.protected_attributes + names
  self._active_authorizer = self._protected_attributes
end

def attributes_protected_by_default

def attributes_protected_by_default
  []
end

def protected_attributes

def protected_attributes
  self._protected_attributes ||= BlackList.new(attributes_protected_by_default).tap do |w|
    w.logger = self.logger if self.respond_to?(:logger)
  end
end

Instance Methods

Defined in

lib/active_model/mass_assignment_security.rb

Modules

Classes