{"id":13682523,"url":"https://github.com/rails/protected_attributes","last_synced_at":"2025-04-07T23:08:50.198Z","repository":{"id":4534683,"uuid":"5674986","full_name":"rails/protected_attributes","owner":"rails","description":"Protect attributes from mass-assignment in ActiveRecord models.","archived":false,"fork":false,"pushed_at":"2023-08-25T14:41:23.000Z","size":165,"stargazers_count":229,"open_issues_count":2,"forks_count":92,"subscribers_count":28,"default_branch":"master","last_synced_at":"2024-10-29T14:14:59.297Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rails.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2012-09-04T16:08:45.000Z","updated_at":"2024-10-29T12:41:27.000Z","dependencies_parsed_at":"2024-01-13T03:01:10.727Z","dependency_job_id":"f8becb0b-e80f-4ad7-bbd8-63699ee1cd29","html_url":"https://github.com/rails/protected_attributes","commit_stats":{"total_commits":157,"total_committers":35,"mean_commits":4.485714285714286,"dds":0.7707006369426752,"last_synced_commit":"a1e6dfd39cc106939a2f96ec98cfff4950eb3e7e"},"previous_names":[],"tags_count":15,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Fprotected_attributes","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Fprotected_attributes/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Fprotected_attributes/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hos
ts/GitHub/repositories/rails%2Fprotected_attributes/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rails","download_url":"https://codeload.github.com/rails/protected_attributes/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247744334,"owners_count":20988783,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T13:01:47.483Z","updated_at":"2025-04-07T23:08:50.169Z","avatar_url":"https://github.com/rails.png","language":"Ruby","readme":"# Protected Attributes\n\n[![Build Status](https://api.travis-ci.org/rails/protected_attributes.svg?branch=master)](https://travis-ci.org/rails/protected_attributes)\n\nProtect attributes from mass-assignment in Active Record models.\n\nThis plugin adds the class methods `attr_accessible` and `attr_protected` to your models to be able to declare white or black lists of attributes.\n\nNote: This plugin will be officially supported until the release of Rails 5.0.\n\n## Installation\n\nAdd this line to your application's `Gemfile`:\n\n    gem 'protected_attributes'\n\nAnd then execute:\n\n    bundle install\n\n## Usage\n\nMass assignment security provides an interface for protecting attributes from end-user injection. This plugin provides two class methods in Active Record classes to control access to their attributes. The `attr_protected` method takes a list of attributes that will be ignored in mass-assignment. 
\n\nFor example:\n```ruby\nattr_protected :admin\n```\n`attr_protected` also optionally takes a role option using `:as` which allows you to define multiple mass-assignment groupings. If no role is defined then attributes will be added to the `:default` role.\n\n```ruby\nattr_protected :last_login, :as =\u003e :admin\n```\nA much better way, because it follows the whitelist-principle, is the `attr_accessible` method. It is the exact opposite of `attr_protected`, because it takes a list of attributes that will be mass-assigned if present. Any other attributes will be ignored. This way you won’t forget to protect attributes when adding new ones in the course of development. Here is an example:\n\n```ruby\nattr_accessible :name\nattr_accessible :name, :is_admin, :as =\u003e :admin\n```\n\nIf you want to set a protected attribute, you will have to assign it individually:\n\n```ruby\nparams[:user] # =\u003e {:name =\u003e \"owned\", :is_admin =\u003e true}\n@user = User.new(params[:user])\n@user.is_admin # =\u003e false, not mass-assigned\n@user.is_admin = true\n@user.is_admin # =\u003e true\n```\n\nWhen assigning attributes in Active Record using `attributes=` the `:default` role will be used. To assign attributes using different roles you should use `assign_attributes` which accepts an optional `:as` options parameter. If no `:as` option is provided then the `:default` role will be used. \n\nYou can also bypass mass-assignment security by using the `:without_protection` option. 
Here is an example:\n\n```ruby\n@user = User.new\n\n@user.assign_attributes(:name =\u003e 'Josh', :is_admin =\u003e true)\n@user.name # =\u003e Josh\n@user.is_admin # =\u003e false\n\n@user.assign_attributes({ :name =\u003e 'Josh', :is_admin =\u003e true }, :as =\u003e :admin)\n@user.name # =\u003e Josh\n@user.is_admin # =\u003e true\n\n@user.assign_attributes({ :name =\u003e 'Josh', :is_admin =\u003e true }, :without_protection =\u003e true)\n@user.name # =\u003e Josh\n@user.is_admin # =\u003e true\n```\n\nIn a similar way, the `new`, `create`, `create!`, `update_attributes` and `update_attributes!` methods all respect mass-assignment security and accept either the `:as` or the `:without_protection` option. For example:\n\n```ruby\n@user = User.new({ :name =\u003e 'Sebastian', :is_admin =\u003e true }, :as =\u003e :admin)\n@user.name # =\u003e Sebastian\n@user.is_admin # =\u003e true\n\n@user = User.create({ :name =\u003e 'Sebastian', :is_admin =\u003e true }, :without_protection =\u003e true)\n@user.name # =\u003e Sebastian\n@user.is_admin # =\u003e true\n```\n\nBy default the gem will use the strong parameters protection when assigning attributes, unless your model has `attr_accessible` or `attr_protected` calls.\n\n### Errors\n\nBy default, attributes in the params hash which are not allowed to be updated are just ignored. If you prefer an exception to be raised, configure:\n\n```ruby\nconfig.active_record.mass_assignment_sanitizer = :strict\n```\n\nAny protected attributes violation then raises `ActiveModel::MassAssignmentSecurity::Error`.\n\n## Contributing\n\n1. Fork it\n2. Create your feature branch (`git checkout -b my-new-feature`)\n3. Commit your changes (`git commit -am 'Add some feature'`)\n4. Push to the branch (`git push origin my-new-feature`)\n5. 
Create new Pull Request\n","funding_links":[],"categories":["Ruby"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frails%2Fprotected_attributes","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frails%2Fprotected_attributes","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frails%2Fprotected_attributes/lists"}