Questions tagged [mass-assignment]

A feature of server-side web frameworks such as Ruby on Rails, in which all the parameters of an HTTP request are assigned to variables. Mass assignment security provides an interface for protecting attributes from end-user assignment.

Mass assignment is both a convenient feature and a major security concern for server-side code in web applications. If not secured properly, it can allow an attacker to set parameters that should not be controlled from the client.

321 questions
5 votes, 2 answers

Laravel Mass Assignment for Admins

I have an app with a Users table with columns: id|name|email|is_admin. I want admins to be able to set other users as admins. In models/User.php I prevent mass-assignment with: protected $fillable = ['name', 'email']; Laravel 4 Role Based Mass…
Justin
5 votes, 2 answers

rails: mass-assignment security concern with belongs_to relationships

I've been reading up on rails security concerns and the one that makes me the most concerned is mass assignment. My application is making use of attr_accessible, however I'm not sure if I quite know what the best way to handle the exposed…
dpb
4 votes, 2 answers

RSpec gives ActiveModel::MassAssignmentSecurity::Error

I'm following Railstutorial.org and get a MassAssignment Error when using RSpec. 10) User when email format is invalid should be invalid Failure/Error: @user = User.new(name:"Example", email:"example@gmail.com", …
YogiZoli
4 votes, 1 answer

Rails 3.1 attr_accessible verification receives an array of roles

I would like to use Rails' new dynamic attr_accessible feature. However, each of my users has many roles (I am using declarative authorization). So I have the following in my model: class Student < ActiveRecord::Base attr_accessible :first_name, :as=>…
jalagrange
4 votes, 1 answer

How to seed a Rails 3.1 app with scoped mass assignment

How do Rails 3.1 (RC4) and scoped mass assignment expect us to work with seeds.rb when loading a list of data? For example, I normally have something like: City.create([ { :name => 'Chicago' }, { :name => 'Copenhagen' }, ... ]) Which…
4 votes, 1 answer

Laravel mass insert for raw query

I have raw query: INSERT INTO employee (fk_country_id, employee_id, fk_city_id, password, role, email, joined_at, resigned_at, created_at, updated_at) VALUES (?, ?, (SELECT id FROM city WHERE city.id = ?), ?, ?, ?, ?, ?, ?, ?) ON DUPLICATE KEY…
Srneczek
4 votes, 1 answer

Laravel do I have to worry about mass assignment when setting field by field

I am a bit confused when it comes to Laravel's mass assignment. I know that I can protect fields using: protected $fillable = [ 'username', 'email', 'password' ]; and be protected here: $flight =…
Kiow
4 votes, 1 answer

Laravel 5.2 Model $fillable gets ignored?

I have a simple Model IsolatedQuery which consists of a name and query field. I have defined those two fields in the $fillable property of the model. The IsolatedQueryController@store looks like this: public function store(IsolatedQueryRequest…
Ben Fransen
4 votes, 2 answers

updateOrCreate - Mass Assignment Exception in Laravel

I'm working on a CRUD part of my system. Users can update Keywords. What I'd like to do is similar to an INSERT IGNORE MySQL statement. I am in a foreach loop and trying to update the keywords; however, I get a Mass Assignment…
StuBlackett
3 votes, 1 answer

Rails 3 config setting for attr_accessible/protected

I just spent quite some time trying to resolve a virtual attribute issue in my model. It turned out I'd simply forgotten to add it to attr_accessible in my model. Granted I should have caught it earlier or better should have started the whole…
Yuri
3 votes, 4 answers

Rails - attr_accessible & mass assignment

I have a question about using attr_accessible in Rails. I sometimes want to set guard_protected_attributes to false in order to bypass mass assignment protection. I'm wondering why the following line doesn't work (it creates the "can't stringify…
user65663
3 votes, 1 answer

Getting Can't mass-assign protected attributes: address

I am getting the following in the log when I try to assign a nested attribute. I have scanned and tried all the answers that I can find, but nothing works. Started POST "/admin/care_homes" for 127.0.0.1 at 2012-02-11 23:27:24 +0100 …
3 votes, 1 answer

Rails associations can't mass-assign foreign key

Maybe I am doing it wrong but here is my issue: @restaurant = current_user.restaurants.build(params[:restaurant]) This builds a new restaurant object where the user_id is set to the current_user.id. This only works if you set attr_accessible…
3 votes, 2 answers

Changes to mass_assignment_authorizer cause errors in Ruby on Rails 3.1

Protecting against mass assignment as in this railscast no longer works in Rails 3.1. Error given is: wrong number of arguments (1 for 0) for app/models/user.rb:20:in `mass_assignment_authorizer'
dangerousdave
3 votes, 2 answers

Laravel - Mass assignment || How can I do for updating data if found same unique key, and creating if the data are new

I've created a table named staff in the database. Inside that table, there are: id, staffID, staffName, role, and password, in which the id field is auto-increment (meaning it is the primary key) and the staffID is a unique key. After that, I inserted some data.…
Habie Smart