I have just started coding with rails. I am using:
Rails 3.2.8
ruby 1.9.3p194
I created a migration and a corresponding model, each in the file where it belongs (I present them together here for conciseness):

  # db/migrate migration
  class CreateMovies < ActiveRecord::Migration
    def up
      create_table 'movies' do |t|
        t.string 'title'
        t.timestamps
      end
    end

    def down
      drop_table 'movies'
    end
  end

  # app/models/movie.rb
  class Movie < ActiveRecord::Base
  end
So, I would like to enter the rails console and play around with the database as a learning process.
This is what I enter and the error message I got:
1.9.3p194 :021 > k = Movie.new(:title => 'coco')
ActiveModel::MassAssignmentSecurity::Error: Can't mass-assign protected attributes: title
I have to say that the above statement works fine if I append :without_protection => true.
I read up on mass-assignment and I understand that this is something we should be very careful about. BUT it appears that Rails activates mass-assignment protection by default. In my case I would like to create entries using hashes, and this is extremely useful for debugging and learning!
Is there a way to de-activate this kind of protection? I would like to have public attributes by default! How can I achieve that?
It is weird that, in my web research, I concluded that this feature is not there by default, i.e. ActiveModel does not create protected attributes by default. (http://stackoverflow.com/questions/3764899/is-there-a-way-to-make-rails-activerecord-attributes-private)
But in my case all attributes are private!
In my code, in the future, should I try to assign all attributes individually? This will be tedious. Is there a better way to have both security and avoid this tedious process?
Thank you in advance from the depths of my heart!
No! Please don’t de-activate this protection. This is extremely helpful in stopping people from being able to set attributes they shouldn’t. Turning it off is an extremely bad idea and I would very, very strongly advise against it.
You should be doing this in your model instead:

  attr_accessible :title

This would make just the title attribute for your Movie object assignable, with nothing else able to be assigned without the without_protection flag or the config.active_record.whitelist_attributes setting set to false. If you don’t care to heed this warning then Murifox’s answer is the one you want.
Imagine a situation where you have a form where a user is able to update their password. Innocent enough. Now imagine that you’ve turned off attribute protection and that your users table has an admin field on it. It’s actually incredibly easy for someone to save the HTML of the page to their computer, add in a field for admin and then set that to “on” or whatever, and then blammo, they’re an admin for your site.
The new admin for your site quickly and effectively runs a coup d’état on your application, making what they claim to be “dissident data” disappear. Over future years, this brutal dictator somehow amasses enough nuclear material to form a nuclear weapon. He doesn’t get along well with one of the lesser-known countries, let’s say Suriname, and launches an attack with his army. How the army came to be is up to your imagination.
The hundreds of thousands of Surinamese (I had to look that up) are either killed or displaced into neighbouring countries, mainly French Guinea and Guyana. Some attempt to make it to Brazil, one of, if not the greatest country in South America, only to be killed by the sheer distance of the hike or creatures in the jungle.
The Surinamese Army, what remains of it, holds out against the dictator and his army. The stalemate is broken by the use of the nuclear weapon and the dictator adds Suriname and the lives of its populace to the list of things that he has ruined. The list is quite short: the only other thing he has ruined is your application.
Do you want that on your conscience?! Why won’t somebody think of the Surinamese attributes?! Please, I beg, use attr_accessible. Learn to love it, or else the consequences could be quite dire.
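To show the two behaviours this answer contrasts (hash assignment rejected for any attribute off the whitelist, versus the :without_protection opt-out the asker found), here is an added example that is not code from the post or from Rails: a plain-Ruby stand-in that mimics the strict sanitizer, with ProtectedModel, MassAssignmentError and tampered_signup_rejected? as assumed names standing in for ActiveRecord::Base and ActiveModel::MassAssignmentSecurity::Error.

```ruby
# Added example, not code from the original post or from Rails: a plain-Ruby
# stand-in for the attr_accessible whitelist, mimicking the strict sanitizer
# of ActiveModel::MassAssignmentSecurity, which raises on non-whitelisted keys.
class MassAssignmentError < StandardError; end

class ProtectedModel
  # Declare which attributes a hash (e.g. form params) may set.
  def self.attr_accessible(*names)
    accessible_attributes.concat(names.map(&:to_s))
  end

  def self.accessible_attributes
    @accessible_attributes ||= []
  end

  # Assign from a hash, rejecting anything not whitelisted unless the
  # caller explicitly opts out with :without_protection => true.
  def initialize(attrs = {}, options = {})
    attrs.each do |name, value|
      name = name.to_s
      unless options[:without_protection] || self.class.accessible_attributes.include?(name)
        raise MassAssignmentError, "Can't mass-assign protected attributes: #{name}"
      end
      instance_variable_set("@#{name}", value)
    end
  end
end

# The asker's model with the whitelist from the answer: only title is settable.
class Movie < ProtectedModel
  attr_reader :title
  attr_accessible :title
end

# The answer's scenario: a password form on a users table that also has admin.
class User < ProtectedModel
  attr_reader :password, :admin
  attr_accessible :password
end

# Constructed params as a tampered form would submit them; true means the
# whitelist rejected the smuggled admin field.
def tampered_signup_rejected?
  User.new(:password => 'secret', :admin => true)
  false
rescue MassAssignmentError
  true
end
```

With a real Rails 3.2 app the same whitelist is declared with attr_accessible inside the ActiveRecord model, and whether a rejected key raises or is silently dropped depends on config.active_record.mass_assignment_sanitizer.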