ActiveRecord Mass Assignment

Even you haven’t heard of mass assignment, it already exists in your first Rails generated scaffold code.

def create
  @comment = Comment.new(params[:comment])
  ..
end

def update
  ..
  @comment.update_attributes(params[:comment])
  ..
end

Why knowing mass assignment is important?

By default, mass assignment opens up an undesirable security hole, by allowing web clients to update any attributes they passing in, including attributes like created_at.

For details, you can read:

• Ruby On Rails Security Guide - Mass Assignment
• Rail Spikes: Is your Rails application safe?

Mass assignment methods

There are a few ActiveRecord methods that accept mass assignment:

• new
• create
• attributes=
• update_attributes

Using any of these methods, means you are now responsible for the safety of the web application.

Minimal protection

To use mass assignment safely, we want to specify exactly which attributes allowed to be updated.

1. Define attr_accessible on every model

attr_accessible defines a white-list of attributes that can be updated during mass assignment.

class Comment < ActiveRecord::Base
  attr_accessible :title, :content
end

2. Enforce attr_accessible usage

You may set the white-list default to empty. This forces you to define the whitelist explicitly on a model, before mass assignment can be used.

# config/initializer/enforce_attr_accessible.rb

ActiveRecord::Base.send(:attr_accessible, nil)