Questions tagged [mass-assignment]

A feature of server-side web frameworks such as Ruby on Rails in which all the parameters of an HTTP request are assigned to variables at once. Mass assignment security provides an interface for protecting attributes from end-user assignment.

Mass assignment is both a convenient feature and a major security concern for server-side code in web applications. If not secured properly, it can allow an attacker to set parameters that should not be controlled from the client.

321 questions
2 votes, 2 answers

(Laravel) Doubts concerning Mass Assignment protection

I'm developing a website with several contents, including a blog, and I've come up to some doubts concerning mass assignment protection. When I'm posting a comment on a blog article, I suppose the 'fillable' fields would be the comment's body, the…
2 votes, 3 answers

Strong params in rails

I removed the mass assignment vulnerability of the below line: friend = Friend.find(params[:id]) friend.update_attributes(params[:name]) by rewriting it as: friend = Friend.find(params[:id]) friend.update_attributes(params.permit(:name)) But this…
Hellboy
  • 1,199
  • 2
  • 15
  • 33
2 votes, 1 answer

Laravel Mass Assignment Issue seems to be inconsistent

I am working on implementing some Models in Laravel 4. When attempting to create a new Instance of a model, I receive a MassAssignmentException. From my research, I have learned that by default, all fields are considered guarded. In order to get…
Chris
  • 4,762
  • 3
  • 44
  • 79
2 votes, 2 answers

Using controller to update attributes of another controller and mass-assignment problems in rails 4.1.1

I've just updated my rails app from 3.2.8 to 4.1.1. I did the required alterations to make the transition as smooth as possible. I used to use one controller to update the attributes of another controller like this: 1. def check_rates 2.…
MBJH
  • 1,571
  • 3
  • 17
  • 36
2 votes, 3 answers

Rails 4, create multiple objects - how to permit it?

How to permit these parameters: contacts: [ {:value => 'value', :contacts_type => 'contact_type'}, {:value => 'value', :contacts_type => 'contact_type'}, ] to create many objects in one controller action from a single JSON request?
kuatro
  • 481
  • 1
  • 5
  • 17
2 votes, 1 answer

Laravel mass assignment security policy

The fill method of Illuminate\Database\Eloquent\Model is used for mass assignment, and it is called by the model constructor, which in turn is called by the create method. Why doesn't it throw any exception if one or more "guarded" attributes are…
matpop
  • 1,969
  • 1
  • 19
  • 36
2 votes, 1 answer

"Unpermitted parameters: name" and "Can't mass assign protected attributes for User: email" Do I need a User controller?

I am using Rails 4 and Devise 3. I have added a custom field of "name." When I submit a name, I receive the "unpermitted parameters: name" and "can't mass assign protected attributes for User: email" errors. I have been told to add code to a users…
Dylan Richards
  • 708
  • 1
  • 13
  • 33
2 votes, 1 answer

Why 'active_record.mass_assignment_sanitizer = :strict' in rails 3.2?

By default, rails 3.2 sets active_record.mass_assignment_sanitizer = :strict in config/environments/development.rb. (See railscasts episode http://railscasts.com/episodes/318-upgrading-to-rails-3-2). Here it is: # Raise exception on mass assignment…
user938363
  • 9,990
  • 38
  • 137
  • 303
2 votes, 1 answer

Rails 4 on Heroku with 'protected_attributes' gem

I don't know where else to turn with this: I have spent many hours on my project, a recruiting events website for college students, but have reached quite the impasse. In short, I plodded along in localhost - adding components like Devise; Omniauth…
mecampbellsoup
  • 1,260
  • 18
  • 16
2 votes, 1 answer

Mass Assignment in model and rake tasks in rails4

I recently upgraded my app from rails 3.2.13 to 4. I have been moving all mass assignment code using attr_accessible in models to strong parameters in controllers. Some of the code belongs to the model, so I can't move it inside a controller, hence can't…
Vikram3891
  • 713
  • 1
  • 6
  • 15
2 votes, 2 answers

Mass assignment error using acts_as_commentable_with_threading

I've been following this tutorial to implement threaded comments with the acts_as_commentable_with_threading gem. However, I seem to be running into a mass assignment error that seems to stem from the way the gem sets up the Comment model, which I'm…
2 votes, 3 answers

Can't mass assign protected attributes

I'm creating seed data for one of my tables and whenever I run rake db:seed it gives me the error: Can't mass-assign protected attributes: severity My two models look like class Status < ActiveRecord::Base belongs_to :severity attr_accessible…
xyzjace
  • 432
  • 1
  • 5
  • 16
2 votes, 1 answer

How should I protect mass-assignment in Sinatra app with Datamapper?

I have a Link model in a Sinatra app: class Link include DataMapper::Resource has n, :views validates_presence_of :url, message: "You must specify a URL." validates_length_of :url, maximum: 4096, allow_blank: true, message:…
tomekfranek
  • 6,852
  • 8
  • 45
  • 80
2 votes, 2 answers

Is it safe to set password field as attr_accessible?

attr_accessible :email, :password, :password_confirmation If not, can you please give an example of a method which prevents the 'undefined' error when attr_accessible is removed.
Joe Half Face
  • 2,303
  • 1
  • 17
  • 45
2 votes, 1 answer

Testing scoped mass assignment with RSpec

I have a model with the following mass assignment protection defined as: attr_accessible :attachment, :body, :feed_id attr_accessible :attachment, :body, :feed_id, :approved, :as => :admin The code works as expected in the controller, only…
chrisbulmer
  • 1,237
  • 8
  • 15