Any interest in "sudo" methods for bypassing mass-assignment?

I wrote a gem a while ago that adds sudo_* methods to ActiveRecord models to bypass mass-assignment protection, and I was curious if there would be any interest in adding similar functionality to Rails. I find it really useful when you want to quickly create a few records in the console, but can’t remember the syntax for “without_protection” or which role can update which attributes. Other potential uses could be for seed data and tests.

Here are a few examples of how you might use it:

# Given a User class
class User < ActiveRecord::Base
  attr_accessible :name
end

# Creating a new user
> User.sudo_create(name: 'Pete', email: 'email@example.com', account: Account.first)

# Updating an existing user
> new_account = Account.last
> User.find(1).sudo_update_attributes(account: new_account)

but can’t remember the syntax for “without_protection”

At the risk of asking the obvious question, what exactly is so confusing about…

User.create({name: 'Pete', email: 'email@example.com', account: Account.first}, without_protection: true)

and…

User.find(1).update_attributes({account: new_account}, without_protection: true)

?

Maybe it’s just me, but the differences between this and sudo_* seems so minimal that I don’t think it’s worth it.

Godfrey

We are going to remove mass-assignment protection in the model layer from the core so I think we are not interested.

Rafael Mendonça França http://twitter.com/rafaelfranca

https://github.com/rafaelfranca

Rafael,

That’s good to know, thanks!

That's good to know, thanks!

GitHub - rails/strong_parameters: Taint and required checking for Action Pack and enforcement in Active Model for more deets.