17

Just want to be clear on what mass assignment is and how to code around it. Is mass assignment the assignment of many fields using a hash, ie like..

@user = User.new(params[:user])

And to prevent this you use attr_accessible like:

attr_accessible :name, :email

So that a field like :admin could not be added by mass assignment?

But we can modify it in code by something like:

@user.admin = true

So is it true that if we don't have attr_accessible then everything is accessible for mass assignment?

And finally the tricky point ... is it true that even with one attr_accessible like "attr_accessible :name" means that all other fields are now not accessible for mass assignment?

rtfminc
  • 6,243
  • 7
  • 36
  • 45

3 Answers3

12

All of your assumptions are correct. Without attr_accessible, all fields are open to mass assignment. If you start using attr_accessible, only the fields you specify are open to mass assignment.

Srdjan Pejic
  • 8,152
  • 2
  • 28
  • 24
6

As pointed out by Srdjan all of your assumptions are correct. Just so you know, there is also an attr_protected method which is the opposite of attr_accessible.

In other words

attr_protected :admin

will prevent :admin from being mass-assigned but will allow all other fields.

tilleryj
  • 14,259
  • 3
  • 23
  • 22
3

Srdjan's answer is correct assuming that config.active_record.whitelist_attributes is set to false in your config/application.rb.

If it is set to true, all attributes will be protected from mass assignment by default unless attr_accessible or attr_protected is used.

kvu787
  • 943
  • 2
  • 10
  • 13