Stack Overflow
Stack Overflow

Questions tagged [mass-assignment]

A feature of server-side web framework such as Ruby on Rails, in which all the parameters of an HTTP request are assigned to variables. Mass assignment security provides an interface for protecting attributes from end-user assignment.

Mass assignment is both a convenient feature and a major security concern for server-side code in web applications. If not secured properly, it can allow an attacker to set parameters that should not be controlled from the client.

External links

321 questions
221
votes
5 answers

What does "Mass Assignment" mean in Laravel?

When I went through Laravel Document about Eloquent ORM topic part, I got a new term "Mass Assignment". Document show How to do Mass Assignment and the $fillable or $guarded properties settings. But after went through that, I didn't have a clearly…
Chen-Tsu Lin
  • 22,876
  • 16
  • 53
  • 63
51
votes
4 answers

Is there an opposite function of slice function in Ruby?

In this post, slice function is used to get only necessary elements of params. What would be the function I should use to exclude an element of params (such as user_id)? Article.new(params[:article].slice(:title, :body)) Thank you.
AdamNYC
  • 19,887
  • 29
  • 98
  • 154
29
votes
4 answers

Can't mass-assign protected attributes

Updating the code formatting for better viewing. Folks, I have been looking at this for sometime but I don't understand what could be messing up here. I am using Devise. class User < ActiveRecord::Base has_many :addresses …
Sanjay
  • 388
  • 1
  • 3
  • 10
25
votes
7 answers

Laravel 5 : MassAssignmentException in Model.php

I am getting this error: MassAssignmentException in Model.php line 448: _token When I am using create method. Please review code below: Contacts.php (Model): class Contacts extends Model { protected $table = ['name', 'mobile', 'email',…
Sandeep
  • 973
  • 2
  • 13
  • 22
24
votes
3 answers

Is there a way to bypass mass assignment protection?

I have a Rails 3 app which JSON encodes objects in order to store them in a Redis key/value store. When I retrieve the objects, I'm trying to decode the JSON and instantiate them from the data like so: def decode(json) …
David Tuite
  • 22,258
  • 25
  • 106
  • 176
24
votes
1 answer

What is mass-assignment in Rails 3

I have heard couple of people complaining and posting questions about mass-assignment in Rails. I have got same error couple of times and all I did was attr_accessible. But what exactly is mass assignment? could somebody explain with example?
Bhushan Lodha
  • 6,824
  • 7
  • 62
  • 100
19
votes
7 answers

Assign multiple variables at once with dynamic variable names

I'm aware I can assign multiple variables to multiple values at once with: (foo, bar, baz) = 1, 2, 3 And have foo = 1, bar = 2, and so on. But how could I make the names of the variables more dynamic? Ie, somefunction(data,tupleofnames): …
mikemaccana
  • 110,530
  • 99
  • 389
  • 494
17
votes
3 answers

Rails mass assignment definition and attr_accessible use

Just want to be clear on what mass assignment is and how to code around it. Is mass assignment the assignment of many fields using a hash, ie like.. @user = User.new(params[:user]) And to prevent this you use attr_accessible like: attr_accessible…
rtfminc
  • 6,243
  • 7
  • 36
  • 45
15
votes
5 answers

Why slicing the params hash poses a security issue on mass-assignment?

The official way of preventing security risks with mass-assignment is using attr_accessible. However, some programmers feel this is not a job for the model (or at least not only for the model). The simplest way of doing it in a controller is slicing…
tokland
  • 66,169
  • 13
  • 144
  • 170
15
votes
1 answer

nested form triggering a 'Can't mass-assign protected attributes warning

I've got a multi layer nested form User->Tasks->Prerequisites and in the same form User->Tasks->Location The location form works fine, now I'm trying to specify prerequisites to the current task. The prerequisite is a task_id stored in the…
pedalpete
  • 21,076
  • 45
  • 128
  • 239
15
votes
4 answers

VB function with multiple output - assignment of results

I know there's no straightforward way for multiple assignment of function in VB, but there's my solution - is it good, how would you do it better? What I need (how would I do it in python, just an example) def foo(a) ' function with multiple…
Intelligent-Infrastructure
  • 1,188
  • 4
  • 18
  • 39
13
votes
1 answer

adding nested attributes with checkboxes in rails 4 using mass assignment

error: param is missing or the value is empty: color I am making a form where I can add nested attributes to a parent record and I want to add them through checkboxes. I have the parent model "Car" and the child model "Colors"…but I want to start…
NothingToSeeHere
  • 2,253
  • 5
  • 25
  • 57
11
votes
3 answers

Using Rails 3.1 :as => :admin for updating attributes protected by attr_accessible

After reading about attr_accessible in the Rails 3.1 API, I see that there is an as :admin option in there. I would like to know two things. If the user has an admin flag, how do does my controller tell my model that the user is an admin. If the…
Jason Waldrip
  • 5,038
  • 8
  • 36
  • 59
9
votes
4 answers

Laravel 5.2 multiple model save()

I need to store exactly three pages at once via form. I would like save in similar manner as model save() method, because this will automatically update record timestamps. How to do this for multiple records at once? My page Model: namespace…
Fusion
  • 5,046
  • 5
  • 42
  • 51
8
votes
2 answers

Rails 3.2, Mass Assignment, Dynamic Roles?

I have a Rails app with a user model that contains an admin attribute. It's locked down using attr_accessible. My model looks like this: attr_accessible :name, :email, :other_email, :plant_id, :password, :password_confirmation attr_accessible :name,…
jeffmueller
  • 145
  • 10
1
2 3
21 22