expose accessible_attributes directly, deprecate attr_accessible and attr_protected?

Would be nice to allow redefinition of accessible_attributes via self.accessible_attributes in models.

The problem with attr_accessible is that it is cumulative/additive, but it could be interpreted by the developer as redefinition, and that could lead to nasty security issues.

I think that attr_accessible and attr_protected should go the way of set_primary_key and set_table_name (which both got deprecated and changed to self.primary_key= and self.table_name=), such that self.accessible_attributes could be manipulated in a more well-defined way.

The following would be equivalent to attr_accessible :name, :status:

self.accessible_attributes[:default] += :name, :status

The following would be equivalent to attr_protected :name, :status:

self.accessible_attributes[:default] -= :name, :status

The following would be redefining the whitelist, similar to what can be done with self._accessible_attributes[:default] = :name, :status currently (even if you shouldn’t be messing with internals):

self.accessible_attributes[:default] = :name, :status

It’s too bad that += can’t be defined on the self.accessible_attributes Hash instance, because it would be nice not to have to specify the role if it is :default. I know mass assignment security is somewhat being taken off of the stove with strong_parameters being integrated, but it’s still there.

What do you think?

Sorry I left out the 's on these, because originally I was thinking there had to be a way to redefine += so it could take *args, and use options = args.extract_options!, args becomes the array, etc.
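The cumulative pitfall and the proposed explicit redefinition side by side, as an added example that is not code from this thread or from Rails: a minimal stand-in for ActiveModel::MassAssignmentSecurity (the MassAssignable module and the User/SafeUser models are made up for illustration), so it runs without Rails.

```ruby
# Added example (not from the thread or from Rails): toy mass-assignment whitelist
module MassAssignable
  def self.included(base)
    base.extend(ClassMethods)
  end
  module ClassMethods
    # role => list of attribute names, like the proposed self.accessible_attributes
    def accessible_attributes
      @accessible_attributes ||= Hash.new { |h, role| h[role] = [] }
    end
    # Mimics the real attr_accessible: it only ever ADDS to the role's list
    def attr_accessible(*names)
      opts = names.last.is_a?(Hash) ? names.pop : {}
      role = opts.fetch(:as, :default)
      accessible_attributes[role] |= names.map(&:to_s)
    end
  end
  # Assigns only whitelisted keys and returns the keys that were dropped
  def assign_attributes(params, role = :default)
    allowed = self.class.accessible_attributes[role]
    params.each { |k, v| instance_variable_set("@#{k}", v) if allowed.include?(k.to_s) }
    params.keys.map(&:to_s) - allowed
  end
end

class User
  include MassAssignable
  attr_reader :name, :status, :admin
  attr_accessible :name, :status, :admin   # an early, too-generous declaration
  attr_accessible :name, :status           # meant as "narrow to these"; actually a no-op
end

class SafeUser
  include MassAssignable
  attr_reader :name, :status, :admin
  attr_accessible :name, :status, :admin
  accessible_attributes[:default] = %w[name status]   # explicit redefinition, as proposed
end

# Constructed params carrying a key a client must not be able to set
PARAMS = { "name" => "eve", "status" => "active", "admin" => true }.freeze

def cumulative_leak?
  User.new.tap { |u| u.assign_attributes(PARAMS) }.admin == true   # true: nothing narrowed
end

def redefinition_rejects
  SafeUser.new.assign_attributes(PARAMS)   # => ["admin"]
end
```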

Please see https://github.com/rails/rails/pull/7251

Rafael Mendonça França http://twitter.com/rafaelfranca

https://github.com/rafaelfranca

Thanks! That is good to have a link to.

Looks like that gem isn’t even currently in: https://github.com/rails/rails/blob/integrate-strong_parameters/Gemfile

I guess that means mass assignment security is not only deprecated now, it is deprecated and going to be removed completely in Rails 4. (Did I get that right?) Maybe I’d already read that. If so, sorry for mentioning here again.

Would this be a good request to move to the rails/protected_attributes gem ("Protect attributes from mass-assignment in ActiveRecord models"), or is mass assignment so effectively dead that it won’t have any new behavior added that isn’t required, and that gem is the nursing home for attr_accessible/protected as it waits to die?

Yes, it was removed, and if you want to use attr_accessible and friends you have to add protected_attributes to your Gemfile.

We will support protected_attributes until the 4.1 release and after that we will drop support. So I don’t think we would add/change features in that gem.

Rafael Mendonça França http://twitter.com/rafaelfranca https://github.com/rafaelfranca