attr_accessible to Strong Parameters

Running Rails 4 with attr_accessible? Upgrade in three safe and easy steps

1

First, log every place that passes unpermitted parameters to mass assignment. Add to config/application.rb:

config.action_controller.permit_all_parameters = false

And create an initializer config/initializers/forbidden_attributes.rb with:

# Wrap ActiveRecord's mass-assignment sanitizer so an unpermitted
# ActionController::Parameters object is noticed instead of silently accepted.
class ActiveRecord::Base
  protected
  def sanitize_for_mass_assignment_with_forbidden_attributes(*args)
    attributes = args[0]
    # Only ActionController::Parameters responds to permitted?; a plain Hash passes through.
    if attributes.respond_to?(:permitted?) && !attributes.permitted?
      # Fail loudly where it is cheap to fix; elsewhere, log and continue.
      if Rails.env.development? || Rails.env.test? || ENV["RAISE_FORBIDDEN_ATTRIBUTES"]
        raise ActiveModel::ForbiddenAttributesError
      end
      Rails.logger.warn "Forbidden attributes: #{self.class.name}"
    end
    sanitize_for_mass_assignment_without_forbidden_attributes(*args)
  end
  alias_method_chain :sanitize_for_mass_assignment, :forbidden_attributes
end

2

Fix every instance the log reports. Change

User.create(params[:user])

to

User.create(params.require(:user).permit(:name))

3

Remove:

Published March 31, 2015

All code examples are public domain.
Use them however you’d like (licensed under CC0).