Adds 'sudo' methods to active record classes, allowing you to easily override protected attributes.
Rails: Any version of Rails 2.3.x or Rails 3.x. (Older versions of Rails may work, but have not been tested)
The gem is hosted at rubygems.org and can be installed with:

```
gem install sudo_attributes
```
ActiveModel provides a convenient way to make your application more secure by using "protected" attributes. Protected attributes are declared using either `attr_protected` or `attr_accessible`. This adds security by preventing mass assignment of those attributes when doing things like `user.update_attributes(params[:user])`. The issue is that it can be tedious to always manually assign protected attributes in an administrative area of your application. You may find yourself doing things like:
```ruby
user = User.find(params[:id])
user.update_attributes(params[:user])
user.admin = true
user.something_else = true
user.save
```
or the alternative in Rails 3.1:
```ruby
user.assign_attributes(params[:user], :without_protection => true)
user.save
```
SudoAttributes adds a few 'sudo' methods to your models, allowing you to override the protected attributes when you know the input can be trusted.
```ruby
class User < ActiveRecord::Base
  attr_protected :admin
end

user = User.find(params[:id])
user.sudo_update_attributes(params[:user])
```
- `Model.sudo_create` - Uses the same syntax as `Model.create` to instantiate and save an object, protected attributes included
- `Model.sudo_create!` - Similar to `Model.sudo_create`, but raises an `ActiveRecord::RecordInvalid` exception if there are invalid attributes
- `Model.sudo_new` - Uses the same syntax as `Model.new` to instantiate, but not save, an object, protected attributes included
- `sudo_update_attributes` - Uses identical syntax to `update_attributes`, but overrides protected attributes
- `sudo_update_attributes!` - Same as `sudo_update_attributes`, but raises ActiveRecord errors on failure, like `update_attributes!`
Protect an admin boolean attribute
```ruby
class User < ActiveRecord::Base
  attr_protected :admin
end
```
In your admin controller...
```ruby
params[:user] = {:name => "Pete", :admin => true} # typically set from a form
@user = User.sudo_create(params[:user])
```
Somewhere else in your admin controller...
```ruby
params[:user] = {:admin => false, :name => "Pete"}
@user.sudo_update_attributes(params[:user])
```
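The method list above and the admin-controller example both come down to one distinction: untrusted mass assignment drops protected keys, a `sudo_` call assigns them. The following is an added, runnable illustration of that distinction and is not code from the sudo_attributes gem or from Rails. It replaces ActiveRecord with a small stand-in class (`ProtectedModel`, `new_with`, `dropped` and the `public_signup`/`admin_create`/`admin_demote` helpers are all invented names for this example) so it runs without a database, and it uses constructed sample params.

```ruby
# Added illustration, not code from the sudo_attributes gem: a dependency-free
# stand-in for ActiveRecord's attr_protected filtering, so the difference between
# plain mass assignment and a 'sudo' override can be run without Rails.
class ProtectedModel
  # Class-level blacklist, like ActiveRecord's attr_protected.
  def self.attr_protected(*names)
    protected_attributes.concat(names.map(&:to_s))
  end

  def self.protected_attributes
    @protected_attributes ||= []
  end

  attr_reader :attributes, :dropped

  def initialize
    @attributes = {}   # assigned values
    @dropped = []      # keys that mass-assignment protection discarded
  end

  # Plain mass assignment: protected keys are silently skipped, which is what
  # keeps an untrusted form from setting admin=true.
  def assign_attributes(attrs, without_protection: false)
    attrs.each do |key, value|
      name = key.to_s
      if !without_protection && self.class.protected_attributes.include?(name)
        @dropped << name
        next
      end
      @attributes[name] = value
    end
    self
  end

  def update_attributes(attrs)
    assign_attributes(attrs)
  end

  # Trusted override, in the spirit of the gem's sudo_update_attributes:
  # every key is assigned, protected ones included.
  def sudo_update_attributes(attrs)
    assign_attributes(attrs, without_protection: true)
  end

  # Counterparts of Model.new and Model.sudo_new. The hypothetical name
  # new_with avoids overriding Object#new in this stand-in.
  def self.new_with(attrs)
    new.assign_attributes(attrs)
  end

  def self.sudo_new(attrs)
    new.assign_attributes(attrs, without_protection: true)
  end
end

class User < ProtectedModel
  attr_protected :admin
end

# Constructed sample params, as if posted from a form the user can edit freely.
UNTRUSTED_PARAMS = { "name" => "Pete", "admin" => true }.freeze

# Public signup path: the admin flag is dropped.
def public_signup(params = UNTRUSTED_PARAMS)
  User.new_with(params)
end

# Admin path: the caller has already authorised the request, so the flag goes through.
def admin_create(params = UNTRUSTED_PARAMS)
  User.sudo_new(params)
end

# Admin path on an existing record: demote via the sudo override.
def admin_demote(user)
  user.sudo_update_attributes("admin" => false)
end

if __FILE__ == $0
  u = public_signup
  puts "public signup: #{u.attributes.inspect}, dropped #{u.dropped.inspect}"
  a = admin_create
  puts "admin create:  #{a.attributes.inspect}"
  puts "admin demote:  #{admin_demote(a).attributes.inspect}"
end
```

The security boundary sits in the caller, not in the method: a `sudo_` call is exactly as safe as the authorization check on the controller action that invokes it, and the `dropped` list shows what a public action would otherwise have let through. Note also that `attr_protected` is a blacklist, so any column added later is mass-assignable until it is listed; `attr_accessible` whitelists instead and is the more conservative choice when the model grows.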
Copyright (c) 2011 Peter Brown. See LICENSE for details.