# sudo_attributes

Adds 'sudo' methods to ActiveRecord classes, allowing you to easily override protected attributes.

## Requirements

Rails: any version of Rails 2.3.x or Rails 3.x. (Older versions of Rails may work, but have not been tested.)

## Installation

The gem is hosted at rubygems.org and can be installed with:

```
gem install sudo_attributes
```
## The Problem

ActiveModel provides a convenient way to make your application more secure by using "protected" attributes. Protected attributes are assigned using either `attr_protected` or `attr_accessible`. This adds security by preventing mass assignment of attributes when doing things like `user.update_attributes(params[:user])`. The issue is that it can be tedious to always manually assign protected attributes in an administrative area of your application. You may find yourself doing things like:

```ruby
user = User.find(params[:id])
user.update_attributes(params[:user])
user.admin = true
user.something_else = true
user.save
```

or the alternative in Rails 3.1:

```ruby
user.assign_attributes(params[:user], :without_protection => true)
user.save
```
## The Solution

SudoAttributes adds a few 'sudo' methods to your models, allowing you to override the protected attributes when you know the input can be trusted.

```ruby
class User < ActiveRecord::Base
  attr_protected :admin
end

user = User.find(params[:id])
user.sudo_update_attributes(params[:user])
```
### Class Methods

- `Model.sudo_create` - Uses the same syntax as `Model.create` to instantiate and save an object with protected attributes
- `Model.sudo_create!` - Similar to `Model.sudo_create`, but raises an `ActiveRecord::RecordInvalid` exception if there are invalid attributes
- `Model.sudo_new` - Uses the same syntax as `Model.new` to instantiate, but not save, an object with protected attributes

### Instance Methods

- `sudo_update_attributes` - Uses identical syntax to `update_attributes`, but overrides protected attributes.
- `sudo_update_attributes!` - Same as `sudo_update_attributes`, but raises ActiveRecord errors, like `update_attributes!`.
## Examples

Protect an admin boolean attribute:

```ruby
class User < ActiveRecord::Base
  attr_protected :admin
end
```

In your admin controller...

```ruby
params[:user] = {:name => "Pete", :admin => true} # typically set from a form
@user = User.sudo_create(params[:user])
```

Somewhere else in your admin controller...

```ruby
params[:user] = {:admin => false, :name => "Pete"}
@user.sudo_update_attributes(params[:user])
```
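To make the difference between the two assignment paths visible without a Rails app, here is an added example (not the gem's or Rails' code): a plain-Ruby stand-in that mimics `attr_protected` filtering during mass assignment and layers `sudo_new` / `sudo_update_attributes` on top of it. The `assign` helper and `protected_attributes` reader are constructed for this illustration.

```ruby
# Constructed stand-in for ActiveModel's attr_protected and the gem's sudo_*
# methods; not the gem's or Rails' code. Ordinary mass assignment drops
# protected keys, the sudo_* path writes them, so both can be compared.
module SudoAttributes
  def self.included(base)
    base.extend(ClassMethods)
  end
  module ClassMethods
    # Records attribute names that ordinary mass assignment must skip.
    def attr_protected(*names)
      @protected_attributes = protected_attributes | names.map(&:to_s)
    end
    def protected_attributes
      @protected_attributes || []
    end
    # Like Model.new, but protected keys in attrs are kept instead of dropped.
    def sudo_new(attrs)
      record = new
      record.sudo_update_attributes(attrs)
      record
    end
  end
  # Stand-in for update_attributes: honours attr_protected.
  def update_attributes(attrs)
    assign(attrs, filter: true)
  end
  # The gem's behaviour: same input, protected keys are written as well.
  def sudo_update_attributes(attrs)
    assign(attrs, filter: false)
  end
  private
  # Hypothetical helper: one assignment loop shared by both entry points.
  def assign(attrs, filter:)
    attrs.each do |key, value|
      key = key.to_s
      next if filter && self.class.protected_attributes.include?(key)
      public_send("#{key}=", value)
    end
    true
  end
end

class User
  include SudoAttributes
  attr_accessor :name, :admin
  attr_protected :admin
end
```

With `User.new.update_attributes("name" => "Pete", "admin" => true)` the `admin` key is silently discarded, while `User.sudo_new(:name => "Pete", :admin => true)` sets it; only the second path belongs behind an admin-only controller.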
## Copyright

Copyright (c) 2011 Peter Brown. See LICENSE for details.