expose accessible_attributes directly, deprecate attr_accessible and attr_protected?

Gary_Weaver · September 21, 2012, 4:47pm

Would be nice to allow redefinition of accessible_attributes via self.accessible_attributes in models.

The problem with attr_accessible is that it is cumulative/additive, but it could be interpreted by the developer as redefinition, and that could lead to nasty security issues.

I think that attr_accessible and attr_protected should go the way of set_primary_key and set_table_name (which both got deprecated and changed to self.primary_key= and self.table_name=), such that self.accessible_attributes could be manipulated in a more well-defined way.

The following would be equivalent to attr_accessible :name, :status:

self.accessible_attributes[:default] += :name, :status

The following would be equivalent to attr_protected :name, :status:

self.accessible_attributes[:default] -= :name, :status

The following would be redefining the whitelist, similar to what can be done with self._accessible_attributes[:default] = :name, :status currently (even if you shouldn’t be messing with internals):

self.accessible_attributes[:default] = :name, :status

It’s too bad that += can’t be defined on the self.accessible_attributes Hash instance, because it would be nice not to have to specify the role if it is :default. I know mass assignment security is somewhat being taken off of the stove with strong_parameters being integrated, but it’s still there.

What do you think?

Gary_Weaver · September 21, 2012, 4:50pm

Sorry I left out the 's on these, because originally was thinking there had to be a way to redefine += so could take *args, and use options = args.extract_options!, args becomes the array, etc.

rafaelfranca · September 21, 2012, 5:16pm

Please see https://github.com/rails/rails/pull/7251

Rafael Mendonça França http://twitter.com/rafaelfranca

https://github.com/rafaelfranca

Gary_Weaver · September 21, 2012, 8:21pm

Thanks! That is good to have a link to.

Looks like that gem isn’t even currently in: https://github.com/rails/rails/blob/integrate-strong_parameters/Gemfile

I guess that means mass assignment security is not only deprecated now, it is deprecated and going to be removed completely in Rails 4. (Did I get that right?) Maybe I’d already read that. If so, sorry for mentioning here again.

Would this be a good request to move to the GitHub - rails/protected_attributes: Protect attributes from mass-assignment in ActiveRecord models. gem, or is mass assignment so effectively dead that it won’t have any new behavior added that isn’t required, and that gem is the nursing home for attr_accessible/protected as it waits to die?

rafaelfranca · September 21, 2012, 8:33pm

Yes it was removed and if you want to use attr_accessible and friends you have to add the protected_attributes in your Gemfile.

We will support protected_attributes until the 4.1 release and after that we will drop support. So I don’t think we would add/change features in that gem.

Rafael Mendonça França http://twitter.com/rafaelfranca https://github.com/rafaelfranca

Topic		Replies	Views
attr_accessible question rubyonrails-talk	2	82	January 29, 2010
cattr_accessor and ActiveRecord attribute mass assignment rubyonrails-talk	8	121	February 1, 2007
Model.new(params) can be dangerous? rubyonrails-talk	1	186	July 11, 2008
Proposition: Nested attributes and attr_accessible rubyonrails-core	5	325	January 29, 2010
How to selectively ignore some model validations? rubyonrails-talk	6	356	April 22, 2009

expose accessible_attributes directly, deprecate attr_accessible and attr_protected?

Related topics

More Resources