attr_accessible to Strong Parameters

Running Rails 4 with attr_accessible? Upgrade in three safe and easy steps

1. First, log all instances of forbidden attributes. Add to config/application.rb:

config.action_controller.permit_all_parameters = false

And create an initializer config/initializers/forbidden_attributes.rb with:

class ActiveRecord::Base
  protected
  # Wraps ActiveRecord's sanitize_for_mass_assignment so that unpermitted
  # ActionController::Parameters reaching a model are caught: raise in
  # development and test (or when RAISE_FORBIDDEN_ATTRIBUTES is set),
  # otherwise only log the model name so production keeps working.
  def sanitize_for_mass_assignment_with_forbidden_attributes(*args)
    attributes = args[0]
    if attributes.respond_to?(:permitted?) && !attributes.permitted?
      if Rails.env.development? || Rails.env.test? || ENV["RAISE_FORBIDDEN_ATTRIBUTES"]
        raise ActiveModel::ForbiddenAttributesError
      end
      Rails.logger.warn "Forbidden attributes: #{self.class.name}"
    end
    sanitize_for_mass_assignment_without_forbidden_attributes(*args)
  end
  alias_method_chain :sanitize_for_mass_assignment, :forbidden_attributes
end

2. Fix all instances. Change:

User.create(params[:user])

to

User.create(params.require(:user).permit(:name))

3. Remove:

Published March 31, 2015


All code examples are public domain.
Use them however you’d like (licensed under CC0).