For two years now I've been using my mass_assignment plugin to improve the security and readability of my Ruby on Rails code. Today I decided to get with the program and make it a gem. Since it's been stable and production-tested for a long time now I think it deserves the 1.0 version.
What It Is
A robust mass assignment method with a small and obvious syntax.
The Traditional Approach
The normal mass assignment protection comes from attr_protected and attr_accessible. There are a few problems with this approach:
- Often never implemented, leaving a wide-open system. Rails blogs are full of dire warnings about forgetting your attr_protected.
- Once implemented, easy to forget when adding new attributes, leading to bugs (in an attr_accessible system) or security holes (in an attr_protected system).
- Restricts coding syntax. You can’t easily use update_attributes() or attributes= because your whitelist/blacklist gets in your own way.
- Not contextual. The list of allowed attributes can’t change to accommodate different user permissions or situations.
The MassAssignment Approach
This plugin’s solution is to let you specify an obvious and explicit list of allowed attributes when you mass assign attributes.
- The list of allowed attributes is in your controller at calltime, so it’s easier to remember and update (it’s not a hidden, magical system).
- The list of allowed attributes is optional, so it doesn’t get in your way. You can use update_attributes() and attributes= for your own code again.
- Assignment permissions are enforced by the controller, where permissions belong. You can evaluate the current user or current situation and write the whitelist on the fly.
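The two sections above, as an added example that is not the gem's own code or API: a stand-in for an ActiveRecord model whose attributes= accepts every key (the wide-open case a forgotten attr_protected leaves behind), next to a call-site whitelist whose allowed list is computed in the "controller" from the current user's role. The User class, assign_allowed helper, allowed_user_attributes helper and the tampered request hash are all constructed for this illustration and have no Rails dependency.

```ruby
# Added example (not the mass_assignment gem's code). Minimal model stand-in:
# attribute storage is a plain Hash so the example runs without Rails.
class User
  attr_reader :attributes

  def initialize
    # Constructed defaults; 'admin' is the attribute a request must not be able to set.
    @attributes = { 'name' => nil, 'email' => nil, 'admin' => false }
  end

  # Wide-open mass assignment: every key in the incoming hash is written.
  # This mirrors a model with neither attr_protected nor attr_accessible.
  def attributes=(params)
    params.each { |key, value| @attributes[key.to_s] = value }
  end
end

# Call-site whitelist (hypothetical helper): only the listed attributes are
# assigned; everything else is dropped, and the dropped keys are returned so
# the caller can log them as a possible tampering attempt.
def assign_allowed(model, params, allowed)
  allowed = allowed.map(&:to_s)
  permitted, rejected = params.partition { |key, _| allowed.include?(key.to_s) }
  model.attributes = permitted.to_h
  rejected.map { |key, _| key.to_s }
end

# Permissions decided where the request is handled, from the current user,
# rather than fixed once in the model: an admin may set the admin flag, others may not.
def allowed_user_attributes(current_user_is_admin)
  base = [:name, :email]
  current_user_is_admin ? base + [:admin] : base
end

# Constructed request body, as a modified form submission would arrive in params.
TAMPERED_PARAMS = { 'name' => 'Mallory', 'email' => 'm@example.com', 'admin' => true }.freeze

# No whitelist anywhere: the extra 'admin' key is written straight through.
def unprotected_result
  user = User.new
  user.attributes = TAMPERED_PARAMS
  user.attributes['admin'] # => true
end

# Whitelist at the call site: returns [admin flag after assignment, rejected keys].
def protected_result(as_admin: false)
  user = User.new
  rejected = assign_allowed(user, TAMPERED_PARAMS, allowed_user_attributes(as_admin))
  [user.attributes['admin'], rejected]
end

if __FILE__ == $0
  puts "unprotected admin flag: #{unprotected_result}"
  flag, rejected = protected_result
  puts "protected (non-admin caller) admin flag: #{flag}, rejected keys: #{rejected.inspect}"
  flag, rejected = protected_result(as_admin: true)
  puts "protected (admin caller) admin flag: #{flag}, rejected keys: #{rejected.inspect}"
end
```

The point of returning the rejected keys is that a stray 'admin' in a user-facing form is worth a log line: with a model-level blacklist the drop is silent, whereas a call-site whitelist can surface it where the request is already known.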
See the README on github for examples and more.