attr_accessible to Strong Parameters

Running Rails 4 with attr_accessible? Upgrade in three safe and easy steps

1

First, log all instances of forbidden attributes. Add to config/application.rb:

config.action_controller.permit_all_parameters = false

And create an initializer config/initializers/forbidden_attributes.rb with:

class ActiveRecord::Base
  protected
  # Wraps the built-in sanitizer. Any ActionController::Parameters that has not
  # been through permit is raised on in development/test (or anywhere when
  # RAISE_FORBIDDEN_ATTRIBUTES is set); otherwise it is logged with the model
  # name and passed through unchanged so production keeps working.
  def sanitize_for_mass_assignment_with_forbidden_attributes(*args)
    attributes = args[0]
    if attributes.respond_to?(:permitted?) && !attributes.permitted?
      if Rails.env.development? || Rails.env.test? || ENV["RAISE_FORBIDDEN_ATTRIBUTES"]
        raise ActiveModel::ForbiddenAttributesError
      end
      Rails.logger.warn "Forbidden attributes: #{self.class.name}"
    end
    sanitize_for_mass_assignment_without_forbidden_attributes(*args)
  end
  alias_method_chain :sanitize_for_mass_assignment, :forbidden_attributes
end

2

Fix every instance the log turns up. Change:

User.create(params[:user])

to

User.create(params.require(:user).permit(:name))

3

Remove:

Published March 31, 2015


All code examples are public domain.
Use them however you’d like (licensed under CC0).