MassAssignmentBackport

This is a simple mass-assignment security module loosely based on ActiveModel::MassAssignmentSecurity. It attempts to steal the good ideas and some of the API while being compatible with Rails 2.3-based applications.

Only attr_accessible is implemented, because attr_protected is just a bad ActiveRecord API that hung around for some reason, and we don't want it stinking up the place.

Rationale

There are two things I've never liked about ActiveRecord's attr_* API:

It's model-level when the resources I am trying to protect are controller-level. This actually gets in our way when we're just trying to test/manipulate our own models outside of a controller context, making it harder to work with our own data for no good reason. I feel this phenomenon could have the effect of discouraging developers from using it.

Another problem with ActiveRecord is that it provides attr_protected. Blacklisting instead of whitelisting is just a bad idea, and I see no reason to allow/support it when security is the primary goal.

This small package attempts to address both of those issues with a module that borrows/steals the excellent ActiveModel API for the same purpose.
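The two points above, as an added example that is not code from this package and does not use its API: a whitelist applied at the controller boundary drops unexpected keys while the model stays freely assignable, and a blacklist written before a new column existed lets that column through. WhitelistFilter, BlacklistFilter, Account and the request parameters are all hypothetical names constructed for illustration.

```ruby
require "set"

# Hypothetical helper (not this package's API): whitelist applied where the
# request enters, so the model itself carries no assignment restrictions.
class WhitelistFilter
  def initialize(*allowed)
    @allowed = allowed.map(&:to_s).to_set
  end

  # Returns [kept, dropped_keys] so the caller can log what was rejected.
  def sanitize(params)
    kept, dropped = params.partition { |key, _| @allowed.include?(key.to_s) }
    [kept.to_h, dropped.map { |key, _| key.to_s }]
  end
end

# Blacklist counterpart, shown only for comparison.
class BlacklistFilter
  def initialize(*denied)
    @denied = denied.map(&:to_s).to_set
  end

  def sanitize(params)
    params.reject { |key, _| @denied.include?(key.to_s) }
  end
end

# Constructed stand-in for an ActiveRecord model.
class Account
  attr_accessor :name, :email, :admin, :credit_cents

  def assign(attrs)
    attrs.each { |key, value| public_send("#{key}=", value) }
    self
  end
end

# Constructed request parameters, including fields the form never offered.
REQUEST_PARAMS = {
  "name" => "Pat", "email" => "pat@example.test",
  "admin" => "1", "credit_cents" => "999999"
}.freeze

def update_with_whitelist
  safe, dropped = WhitelistFilter.new(:name, :email).sanitize(REQUEST_PARAMS)
  [Account.new.assign(safe), dropped]
end

def update_with_blacklist
  # The blacklist was written before credit_cents was added to the model.
  Account.new.assign(BlacklistFilter.new(:admin).sanitize(REQUEST_PARAMS))
end
```

Returning the dropped keys lets the controller log them, which is a cheap signal that a client is sending attributes the form never exposed.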

Author

Zack Hobson