attr_accessible to Strong Parameters

Running Rails 4 with attr_accessible? Upgrade in three safe and easy steps

1

First, log all instances of forbidden attributes. Add to config/application.rb:

config.action_controller.permit_all_parameters = false

And create an initializer config/initializers/forbidden_attributes.rb with:

class ActiveRecord::Base
  protected
  # Wraps sanitize_for_mass_assignment: unpermitted parameters raise in
  # development and test (or whenever RAISE_FORBIDDEN_ATTRIBUTES is set) and
  # are only logged elsewhere, before the original method runs as before.
  def sanitize_for_mass_assignment_with_forbidden_attributes(*args)
    attributes = args[0]
    # A plain Hash has no permitted? and passes straight through.
    if attributes.respond_to?(:permitted?) && !attributes.permitted?
      if Rails.env.development? || Rails.env.test? || ENV["RAISE_FORBIDDEN_ATTRIBUTES"]
        raise ActiveModel::ForbiddenAttributesError
      end
      Rails.logger.warn "Forbidden attributes: #{self.class.name}"
    end
    sanitize_for_mass_assignment_without_forbidden_attributes(*args)
  end
  alias_method_chain :sanitize_for_mass_assignment, :forbidden_attributes
end

2

Fix every instance the log reports. Change:

User.create(params[:user])

to

User.create(params.require(:user).permit(:name))

3

Remove:

Published March 31, 2015




All code examples are public domain.
Use them however you’d like (licensed under CC0).