Any interest in "sudo" methods for bypassing mass-assignment?

I wrote a gem a while ago that adds sudo_* methods to ActiveRecord models to bypass mass-assignment protection, and I was curious if there would be any interest in adding similar functionality to Rails. I find it really useful when you want to quickly create a few records in the console, but can’t remember the syntax for “without_protection” or which role can update which attributes. Other potential uses could be for seed data and tests.

Here are a few examples of how you might use it:

# Given a User class
class User < ActiveRecord::Base
  attr_accessible :name

# Creating a new user
> User.sudo_create(name: 'Pete', email: '', account: Account.first)
# Updating an existing user
> new_account = Account.last
> User.find(1).sudo_update_attributes(account: new_account)

but can’t remember the syntax for “without_protection”

At the risk of asking the obvious question, what exactly is so confusing about…

User.create({name: 'Pete', email: '', account: Account.first}, without_protection: true)


User.find(1).update_attributes({account: new_account}, without_protection: true)


Maybe it’s just me, but the differences between this and sudo_* seems so minimal that I don’t think it’s worth it.


We are going to remove mass-assignment protection in the model layer from the core so I think we are not interested.

Rafael Mendonça França


That’s good to know, thanks!

That's good to know, thanks! for more deets.