1

The use of attr_accessible isn't quite sufficient as it is either on or off.

Some models have user forms, and also admin forms. For the admins the attributes they need to be able to mass-assign need to be in attr_accessible, but that means that a normal user could inject those params maliciously. It seems like a lot of work to manually assign everything on the admin side, and limit attr_accessible to those attributes that normal users can alter.

Is there a rails-centric standard solution to this issue? Maybe a gem?

I envision something like this:

model.update_attributes_with_user(params[:model], user)
pixelearth
  • http://stackoverflow.com/questions/11453237/in-rails-how-can-i-protect-an-attribute-from-mass-assignment-while-still-allowi/11453346#11453346 – deefour Jul 13 '12 at 17:07

2 Answers

1

You want the :as option for attr_accessible.

See this Rails doc for more information and examples.

As a quick example though (from the link):

 attr_accessible :name, :credit_rating, :as => :admin
 customer.assign_attributes({ "name" => "David", ... }, :as => :admin)
MrDanA
  • This looks only available in 3.2, also why should I have to define assign_attributes in every model? This looks hacked together. Looks like they added the ability to use :as with attr_accessible, but no clean way to actually use it app-wide. – pixelearth Jul 15 '12 at 04:50
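To make the role-scoped whitelist from this answer concrete without a Rails app, here is an added example (not code from the answer, the questioner, or Rails itself): a plain-Ruby stand-in for attr_accessible with the :as option. The class names RoleScopedAttributes and Customer, the assign_as helper and the TAMPERED_PARAMS hash are all constructed for the example; attr_accessible, assign_attributes and the :as role mirror the Rails API named above but this is not Rails' implementation.

```ruby
# Added example, not Rails code: a minimal model of attr_accessible with the
# :as role option. Attributes not whitelisted for the given role are dropped
# and remembered in +rejected+ so the caller can log the attempt.
class RoleScopedAttributes
  # role => list of attribute names (as strings) that may be mass-assigned
  def self.attr_accessible(*names, as: :default)
    @whitelist ||= Hash.new { |h, k| h[k] = [] }
    @whitelist[as].concat(names.map(&:to_s))
  end

  def self.accessible_for(role)
    (@whitelist || {}).fetch(role, [])
  end

  attr_reader :attributes, :rejected

  def initialize
    @attributes = {}
    @rejected = []
  end

  # Assign only the attributes whitelisted for +as+; everything else is dropped.
  def assign_attributes(attrs, as: :default)
    allowed = self.class.accessible_for(as)
    attrs.each do |key, value|
      if allowed.include?(key.to_s)
        @attributes[key.to_s] = value
      else
        @rejected << key.to_s
      end
    end
    self
  end
end

# Hypothetical model: a normal user may change name and email, an admin may
# also set credit_rating (the admin role lists every attribute it needs).
class Customer < RoleScopedAttributes
  attr_accessible :name, :email
  attr_accessible :name, :email, :credit_rating, as: :admin
end

# Constructed request params: a user form whose submission has been tampered
# with to include the admin-only credit_rating field.
TAMPERED_PARAMS = {
  "name" => "David",
  "email" => "david@example.com",
  "credit_rating" => "Excellent"
}.freeze

# Assign the tampered params under the given role and return the model.
def assign_as(role)
  customer = Customer.new
  customer.assign_attributes(TAMPERED_PARAMS, as: role)
  warn "dropped attributes for role #{role}: #{customer.rejected.inspect}" unless customer.rejected.empty?
  customer
end

if __FILE__ == $PROGRAM_NAME
  p assign_as(:default).attributes  # credit_rating is dropped
  p assign_as(:admin).attributes    # credit_rating is assigned
end
```

The point to take from the run is that the same params hash yields different assignments purely from the role passed at the call site, and that the rejected list gives you something to log when a non-admin request carries admin-only fields.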
1

I recommend you read this official blog post on setting mass-assignable attributes in the controller: http://weblog.rubyonrails.org/2012/3/21/strong-parameters/

It also links to the gem that helps implement the so-called slice pattern (or an extraction thereof): https://github.com/rails/strong_parameters

This solution lets you specify the editable attributes in your users controller and admin_users controller differently.

emrass
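The controller-side slice pattern this answer points to can be illustrated without the gem. The following is an added example, not code from the answer or from the strong_parameters gem: a plain-Ruby model of require/permit, with two hypothetical whitelist methods standing in for the users controller and the admin users controller. StrongParams, MissingParameter, user_params, admin_user_params and TAMPERED_REQUEST are names constructed for this example.

```ruby
# Added example, not the strong_parameters gem: a small model of the
# require/permit slice pattern, where each controller declares its own whitelist.
module StrongParams
  class MissingParameter < StandardError; end

  # Mirrors params.require(key): the top-level key must be present and non-empty.
  def self.require(params, key)
    value = params[key.to_s] || params[key.to_sym]
    if value.nil? || (value.respond_to?(:empty?) && value.empty?)
      raise MissingParameter, "param is missing or empty: #{key}"
    end
    value
  end

  # Mirrors .permit(*keys): keep only the listed keys.
  # Returns [permitted_hash, unpermitted_keys] so the caller can log the latter.
  def self.permit(hash, *keys)
    allowed = keys.map(&:to_s)
    permitted = {}
    unpermitted = []
    hash.each do |k, v|
      if allowed.include?(k.to_s)
        permitted[k.to_s] = v
      else
        unpermitted << k.to_s
      end
    end
    [permitted, unpermitted]
  end
end

# What a hypothetical UsersController would permit for a self-service form.
def user_params(params)
  StrongParams.permit(StrongParams.require(params, :user), :name, :email, :password)
end

# What a hypothetical Admin::UsersController would permit: the same fields
# plus the privileged ones an admin form legitimately edits.
def admin_user_params(params)
  StrongParams.permit(StrongParams.require(params, :user),
                      :name, :email, :password, :role, :credit_rating)
end

# Constructed request payload: a regular user's form submission to which a
# role=admin field has been added.
TAMPERED_REQUEST = {
  "user" => { "name" => "David", "email" => "d@example.com", "role" => "admin" },
  "commit" => "Save"
}.freeze

if __FILE__ == $PROGRAM_NAME
  permitted, unpermitted = user_params(TAMPERED_REQUEST)
  p permitted    # role is sliced away for the users controller
  p unpermitted  # ["role"] -> worth logging
  p admin_user_params(TAMPERED_REQUEST).first  # role survives for the admin controller
end
```

Because the whitelist lives in the controller rather than the model, the admin and user forms for the same model simply call different permit lists, which is the app-wide arrangement the question was looking for; the unpermitted list is returned rather than silently discarded so a request carrying fields it should not have can be logged.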