2

I constructed an object based on parameters and passed it into the update_attributes method, within my controller's update method. The object had one attribute (xyz) that was not listed as part of the attr_accessible list in the model. Rails skipped updating the attribute in question and generated a warning that mass-assignment of attribute xyz failed.

I would like to make sure that update_attributes fails if this kind of situation occurs instead of just getting a warning. Is there a config setting or an option that can be passed in to the update_attributes call to make this happen?

Tabrez

2 Answers

4

You can change the config to use a sanitizer that will raise an exception:

config.active_record.mass_assignment_sanitizer = :strict

Edit: This is available since 3.2. Your question is tagged with rails 3.1, so it won't work. You can upgrade to 3.2, or take a look at this SO question on how to patch the sanitizer.

aromero
  • Thanks a lot for the precise answer, and for providing options for both versions of rails! – Tabrez Aug 03 '12 at 22:19
  • If you are planning to upgrade to 3.2, I would recommend this railscast (which by the way mentions the change in the config): http://railscasts.com/episodes/318-upgrading-to-rails-3-2 – aromero Aug 03 '12 at 22:20
  • Thanks aromero. I will check it out. – Tabrez Aug 03 '12 at 22:54
2

Set your own mass_assignment_sanitizer using mass_assignment_sanitizer= and you probably want to look at active_model/mass_assignment_security/sanitizer.rb for examples and active_model/mass_assignment_security.rb for how to set up your own Sanitizer that will fail.

Ransom Briggs
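
An added example, not code from either answer or from Rails: a plain-Ruby model of the two behaviours discussed above, dropping and logging a protected attribute versus raising the way the :strict setting does. The names LoggingSanitizer, RaisingSanitizer, MassAssignmentError, Account and try_update, and the sample attributes, are assumptions made for illustration.

```ruby
# Stand-alone model of the behaviour (no Rails needed); all names are hypothetical.
class MassAssignmentError < StandardError; end

# Models the warning-only behaviour: protected keys are dropped and logged.
class LoggingSanitizer
  attr_reader :warnings
  def initialize; @warnings = []; end
  def sanitize(attributes, accessible)
    allowed = attributes.select { |key, _| accessible.include?(key.to_s) }
    removed = attributes.keys.map(&:to_s) - allowed.keys.map(&:to_s)
    process_removed(removed) unless removed.empty?
    allowed
  end
  def process_removed(removed)
    @warnings << "WARNING: Can't mass-assign protected attributes: #{removed.join(', ')}"
  end
end

# Models the strict behaviour: any protected key aborts the whole update.
class RaisingSanitizer < LoggingSanitizer
  def process_removed(removed)
    raise MassAssignmentError, "Can't mass-assign protected attributes: #{removed.join(', ')}"
  end
end

class Account
  ACCESSIBLE = %w[name email].freeze # stands in for attr_accessible :name, :email
  attr_reader :attributes
  def initialize(sanitizer)
    @sanitizer = sanitizer
    # Constructed starting state; xyz is the protected attribute from the question.
    @attributes = { 'name' => 'old', 'email' => 'old@example.test', 'xyz' => false }
  end
  # Sanitizes before writing anything, so a raise leaves the record untouched.
  def update_attributes(params)
    clean = @sanitizer.sanitize(params, ACCESSIBLE)
    clean.each { |key, value| @attributes[key.to_s] = value }
    true
  end
end

# What a controller action would do: report a rejected update instead of a silent drop.
def try_update(sanitizer, params)
  account = Account.new(sanitizer)
  account.update_attributes(params)
  [:updated, account.attributes]
rescue MassAssignmentError => e
  [:rejected, account.attributes, e.message]
end
```

With the logging sanitizer the update succeeds and xyz is silently left unchanged; with the raising one the whole update is rejected and no attribute is written.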