Adds 'sudo' methods to active record classes, allowing you to easily override protected attributes.

Rails: Any version of Rails 2.3.x or Rails 3.x. (Older versions of Rails may work, but have not been tested)

The gem is hosted at rubygems.org and can be installed with: gem install sudo_attributes

ActiveModel provides a convenient way to make your application more secure by using "protected" attributes. Protected attributes are assigned using either attr_protected or attr_accessible. This adds security by preventing mass assignment of attributes when doing things like user.update_attributes(params[:user]). The issue is that it can be tedious to always manually assign protected attributes in an administrative area of your application. You may find yourself doing things like:

user = User.find(params[:id])
user.update_attributes(params[:user])
user.admin = true
user.something_else = true
user.save

or the alternative in Rails 3.1:

user.assign_attributes(params[:user], :without_protection => true)
user.save

SudoAttributes adds a few 'sudo' methods to your models, allowing you to override the protected attributes when you know the input can be trusted.

class User < ActiveRecord::Base
  attr_protected :admin
end

user = User.find(params[:id])
user.sudo_update_attributes(params[:user])

Model.sudo_create - Uses same syntax as Model.create to instantiate and save an object with protected attributes

Model.sudo_create! - Similar to Model.sudo_create, but it raises an ActiveRecord::RecordInvalid exception if there are invalid attributes

Model.sudo_new - Uses same syntax as Model.new to instantiate, but not save an object with protected attributes

sudo_update_attributes - Uses identical syntax to update_attributes, but overrides protected attributes.

sudo_update_attributes! - Same as sudo_update_attributes, but raises ActiveRecord errors. Same as update_attributes!

Protect an admin boolean attribute

class User < ActiveRecord::Base
  attr_protected :admin
end

In your admin controller...

params[:user] = {:name => "Pete", :admin => true} (Typically set from a form)

@user = User.sudo_create(params[:user])

Somewhere else in your admin controller...

params[:user] = {:admin => false, :name => "Pete"}

@user.sudo_update_attributes(params[:user])

Copyright (c) 2011 Peter Brown. See LICENSE for details.