Securails

By default, all ActiveRecord attributes are writable through mass assignment, so any attribute a request names can be set. This leads to security problems.

This gem makes all attributes protected by default. To allow individual attributes to be set by mass assignment, make them explicitly assignable using attr_accessible. More info here.

Installation

  1. Add the gem to your Gemfile.

    gem 'securails'
    
  2. Update your gem bundle.

    $ bundle install
    

Usage

Your app is safe by just including the gem. You then have to make accessible those attributes that are safe for users to change.

class Company < ActiveRecord::Base
  # Allow mass assignment of the 'name' attribute only.
  attr_accessible :name
end
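To make the effect of "protected by default" concrete, here is an added, self-contained example that is not code from the securails gem or from ActiveRecord. It uses a toy stand-in for mass assignment (class names UnprotectedModel and ProtectedModel and the request hash SUBMITTED_PARAMS are constructed for this illustration) so it runs without a database. The unprotected class accepts every key in the request parameters; the protected class only accepts keys that were whitelisted with attr_accessible, which is the behaviour the gem gives your models.

```ruby
require 'set'

# Added example, not the gem's or ActiveRecord's code. Two minimal models
# that receive a hash of request parameters, as a controller would pass
# params to Model.new(params).

# The default being fixed: every key in the params hash becomes an attribute.
class UnprotectedModel
  attr_reader :attributes

  def initialize(params = {})
    @attributes = {}
    assign_attributes(params)
  end

  def assign_attributes(params)
    params.each { |k, v| @attributes[k.to_sym] = v }
  end
end

# Protected by default: only attributes named via attr_accessible are taken
# from the params hash, everything else is dropped. (ActiveRecord logs a
# warning for the dropped keys; this stand-in just ignores them.)
class ProtectedModel
  attr_reader :attributes

  def self.attr_accessible(*names)
    accessible_attributes.merge(names.map(&:to_sym))
  end

  def self.accessible_attributes
    @accessible_attributes ||= Set.new
  end

  def initialize(params = {})
    @attributes = {}
    assign_attributes(params)
  end

  def assign_attributes(params)
    params.each do |k, v|
      next unless self.class.accessible_attributes.include?(k.to_sym)
      @attributes[k.to_sym] = v
    end
  end
end

# Same shape as the README's Company model, built on the protected stand-in.
class Company < ProtectedModel
  # Only 'name' may be set from user-supplied params.
  attr_accessible :name
end

# Constructed request parameters: the form only has a 'name' field, but the
# submitted hash carries an extra key that was never meant to be writable.
SUBMITTED_PARAMS = { 'name' => 'Acme', 'verified' => true }.freeze

# What the model ends up holding when all attributes are writable.
def unprotected_result
  UnprotectedModel.new(SUBMITTED_PARAMS).attributes
end

# What the model ends up holding when attributes are protected by default.
def protected_result
  Company.new(SUBMITTED_PARAMS).attributes
end

if __FILE__ == $PROGRAM_NAME
  p unprotected_result # => {:name=>"Acme", :verified=>true}
  p protected_result   # => {:name=>"Acme"}
end
```

The point to check in your own app is the second result: after adding the gem, any attribute you have not listed with attr_accessible stays untouched by user input, so review each model and whitelist only the fields a user is meant to edit.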