Using Rails 3.1 :as => :admin for updating attributes protected by attr_accessible

Asked 9/1, 2012 at 23:51 Answered 12/9, 2014 at 0:43

Solved ruby-on-rails ruby-on-rails-3.1 mass-assignment attr-accessible

After reading about attr_accessible in the Rails 3.1 API, I see that there is an as :admin option in there. I would like to know two things.

If the user has an admin flag, how do does my controller tell my model that the user is an admin.
If the user is an owner, can i specify :as => owner in my model, and once again how does my controller inform my model they are the owner of an item.

Yahoo answered 9/1, 2012 at 23:51 Comment(0)

There is no built-in integration with models; you pass in the role in the assign_attributes call:

@project.assign_attributes(params[:project], :as => :admin)

The :as parameter defaults to :default, and you can pass in any symbol that you want. To integrate this into your User model, you could give it an attribute called role, and then do something like:

@project.assign_attributes(params[:project], :as => current_user.role.to_sym)

You can also bypass the protection using :without_protection:

@project.assign_attributes(params[:project], :without_protection => true)

In a similar way, new, create, create!, update_attributes, and update_attributes! methods all respect mass-assignment security. The Ruby on Rails guide on security has more info.

Damiano answered 10/1, 2012 at 6:56 Comment(1)

I have a question though. I'm upgrading a Rails 4 up to 5 (which was previously on Rails 3. and I came across something like @project.update_attributes(params[:project], :as => current_user.role.to_sym) but but i get an error that says update_attributes accepts only one argument. What happened to the as: :admin part of this code? is it safe to remove it completely? – Menendez 16/6, 2017 at 10:54

For both scenarios, you'd pass it in the same way that you declare it originally. So for example:

class User < ActiveRecord::Base
  attr_accessible :name
  attr_accessible :credit_card, :as => :admin
end

If you did

user = User.new(:name => "John", :credit_card => "1234123412341234")

Then you won't be able to assign the credit_card:

user.attributes # {:name => "John", :credit_card => nil}

However, if you state that it will be :as => :admin then it allows it

user = User.new({:name => "John", :credit_card => "1234123412341234"}, :as => :admin)
user.attributes # {:name => "John", :credit_card => "1234123412341234"}

More information:

http://www.enlightsolutions.com/articles/whats-new-in-edge-scoped-mass-assignment-in-rails-3-1

Habituate answered 10/1, 2012 at 6:57 Comment(0)

all the attributes you want to access as a specific user should be defined properly. For example:

    class User < ActiveRecord::Base
    attr_accessible :name
    attr_accessible :credit_card, :as => :admin
    end

This showed error for me. But when i modied it to

    class User < ActiveRecord::Base
    attr_accessible :name
    attr_accessible :name, :credit_card, :as => :admin
    end

This worked fine when i used

    @user.update_attributes(params[:user], :as => :admin)

Grasshopper answered 12/9, 2014 at 0:43 Comment(0)

Recommended topics

Hot tags