I have a field on my User model that is protected because it determines

Question

0

Asked: June 5, 20262026-06-05T19:17:40+00:00 2026-06-05T19:17:40+00:00

I have a field on my User model that is protected because it determines

0

I have a field on my User model that is protected because it determines clearance level. So it should be left protected and not mass-assignable. So even though attributes are protected by default in 3.2, that is actually the behavior I want.

However, on one controller method, I want to allow a manager to assign this field, for instance on user creation or user update.

How do I allow the assignment of that attribute for specific controller actions?

For example, I have my controller:

# app/controllers/admin/users_controller.rb

def create
    @user = User.new(params[:user])
# ...
end

Now what I would do is exclude clearance from params[:user], but it seems to get filtered out and raise and exception even before that line is reached (I tried putting a debugger right before that line and even comment it out, it still raised an exception).

Where do protected attributes get caught, if not when calling User#new?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-05T19:17:42+00:00

The Rails way to do this would be to assign the attributes without protection or to use an admin role:

@user = User.new
@user.assign_attributes(params[:user], :without_protection => true)
@user.save

However, I found this to be a little tedious so I wrote a gem called sudo_attributes that gives (in my opinion) a better API:

@user = User.sudo_new(params[:user])
@user.save

It mimics all of the Rails instantiation, creation, and updating methods (new, build, create, create!, update_attributes, etc).

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I have a field on my User model that is protected because it determines

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply