I just had a general question about Ruby on Rails and the attr_accessible attributes that go in the models (Rails 3). Can someone explain which model attributes are supposed to be defined there? I remember something about risk for mass assignment, though I'm not too knowledgeable in this aspect... Thanks :)

trflach

4 Answers

Imagine an order class with some fields:

Order.new({ :type => 'Corn', :quantity => 6 })

Now imagine that the order also has a discount code, say :price_off. You wouldn't want to tag :price_off as attr_accessible. This stops malicious code from being able to craft a post that ends up doing something like so:

Order.new({ :type => 'Corn', :quantity => 6, :price_off => 30 })

Even if your form doesn't have a field for :price_off, if it's just in your model by default it's available. A crafted POST could still set it.

Using attr_accessible whitelists the things that can be mass assigned and protects fields that you want explicit control of in your code.

Difference between attr_accessor and attr_accessible has some additional links.

Paul Rubel
  • Is it okay to put password and password_confirmation into attr_accessible? Because when I take them out, it will not allow me to send the password through a sign up page. I thought that you would not want to have passwords just openly accessible like that? – trflach Aug 24 '11 at 19:01
  • It seems to me that a password and a confirmation is something you'd want a user to be able to send, but to the sign-up object not the final user class that results from a sign-up. – Paul Rubel Aug 24 '11 at 19:21
attr_accessible allows you to define a whitelist of attributes on the model that can be mass assigned. So if you have 10 attrs but only whitelist 3 of them, only those three can be mass assigned.

class Foo < ActiveRecord::Base
  # let's say the table has columns one, two, three
  attr_accessible :one, :two   # :three is deliberately not whitelisted
end

# You can do this:
Foo.new({:one => 1, :two => 2})

# If you were to do this:
Foo.new({:one => 1, :two => 2, :three => 3})
# Foo's three attr would not be set (Rails 3 ignores it and logs a warning)
Jake Dempsey
  • Mhm, will the attributes in attr_accessible be blocked when running my seeds file (my seed file creates an admin user with a higher rank, though obviously the rank will not be available as an open option)? – trflach Aug 24 '11 at 18:47
  • Just set it manually in the seeds and not in the init with hash. So: u = User.new(some_hash); u.rank = 1.bajillion; u.save – Jake Dempsey Aug 24 '11 at 20:19
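As an added example (not code from either answer above, and not Rails itself), the following plain-Ruby module re-implements the Rails 3 attr_accessible whitelist and attr_protected blacklist semantics so it runs without ActiveRecord. It shows the Order model from Paul Rubel's answer silently dropping a crafted :price_off key, and the seeds pattern from Jake Dempsey's comment setting a protected rank through the direct writer after mass assignment. The Order and User classes and their column names are assumed for illustration.

```ruby
# Added example: a plain-Ruby stand-in for the Rails 3 mass-assignment
# whitelist (attr_accessible) and blacklist (attr_protected). The model
# and column names (Order, User, price_off, rank) are made up.
module MassAssignable
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Declares the model's columns; stands in for the database schema.
    def columns(*names)
      @columns = names
      attr_accessor(*names)   # every column gets a direct reader/writer
    end

    def column_names
      @columns || []
    end

    # Whitelist: only these keys may be set from the constructor hash.
    def attr_accessible(*names)
      @accessible = names
    end

    # Blacklist: these keys may never be set from the constructor hash.
    def attr_protected(*names)
      @protected = names
    end

    # Keys allowed through mass assignment: the whitelist if one was
    # declared, otherwise every column minus the blacklist.
    def allowed_for_mass_assignment
      return @accessible if @accessible
      column_names - (@protected || [])
    end
  end

  # Mimics Model.new(hash): keys not allowed are ignored, not raised on.
  # Form and query params arrive as strings, so keys are normalised.
  def initialize(params = {})
    allowed = self.class.allowed_for_mass_assignment
    params.each do |key, value|
      next unless allowed.include?(key.to_sym)
      public_send("#{key}=", value)
    end
  end

  def attributes
    self.class.column_names.each_with_object({}) { |c, h| h[c] = public_send(c) }
  end
end

class Order
  include MassAssignable
  columns :type, :quantity, :price_off
  attr_accessible :type, :quantity   # :price_off deliberately left off
end

class User
  include MassAssignable
  columns :name, :rank
  attr_protected :rank               # blacklist form of the same idea
end

# A crafted POST adds price_off even though the form has no such field;
# the whitelist drops it and the order keeps its full price.
def crafted_order
  Order.new('type' => 'Corn', 'quantity' => 6, 'price_off' => 30)
end

# Seeds-file pattern: mass-assign the safe hash, then set the protected
# column explicitly through its direct writer, which bypasses the filter.
def seed_admin
  u = User.new(name: 'admin', rank: 99)   # rank is ignored here
  u.rank = 99                             # but is settable directly
  u
end

if __FILE__ == $PROGRAM_NAME
  p crafted_order.attributes   # price_off stays nil
  p seed_admin.attributes      # rank is 99 via the direct writer
end
```

The same principle applies to the password question in the comments: password and password_confirmation are meant to come from the form, so they belong on the whitelist; columns like rank or price_off that only your own code should decide are set through the writer, never from a params hash.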
The Rails ActiveRecord documentation has some good detail on the topic.

Basically attr_accessible:

Specifies a white list of model attributes that can be set via mass-assignment.

And attr_protected:

Mass-assignment to these attributes will simply be ignored, to assign to them you can use direct writer methods. This is meant to protect sensitive attributes from being overwritten by malicious users tampering with URLs or forms.

Think of attr_accessible as a list of the attributes you want a user to be able to set through a form; anything not on this list won't be able to be set through mass assignment, which ensures that you keep the sensitive values in your database protected from a malicious user. This is a small step to keeping your application secure and you should take a look at the Rails Security Guide if you want to follow Rails best practices.

Devin M

attr_accessible is the Rails feature with the help of which we can permit mass-assignment for model attributes. It is the opposite of attr_protected in functionality.

To make a particular attribute available for mass-assignment we use attr_accessible as follows:

class Person < ActiveRecord::Base
  attr_accessible :name   # only :name may be set via Person.new(hash)
end



For a more detailed explanation of attr_accessible and Strong Parameters you can visit the link given below:

http://findnerd.com/list/view/attr-accessible-in-Rails-4/3654/

Taran