Peter Brown
2012-Aug-13 02:32 UTC
Any interest in "sudo" methods for bypassing mass-assignment?
I wrote a gem <https://github.com/beerlington/sudo_attributes> a while ago that adds sudo_* methods to ActiveRecord models to bypass mass-assignment protection, and I was curious if there would be any interest in adding similar functionality to Rails. I find it really useful when you want to quickly create a few records in the console, but can't remember the syntax for "without_protection" or which role can update which attributes. Other potential uses could be for seed data and tests.

Here are a few examples of how you might use it:

    # Given a User class
    class User < ActiveRecord::Base
      attr_accessible :name
    end

    # Creating a new user
    > User.sudo_create(name: 'Pete', email: 'email@example.com', account: Account.first)

    # Updating an existing user
    > new_account = Account.last
    > User.find(1).sudo_update_attributes(account: new_account)
Godfrey Chan
2012-Aug-13 02:39 UTC
Re: Any interest in "sudo" methods for bypassing mass-assignment?
> but can't remember the syntax for "without_protection"

At the risk of asking the obvious question, what exactly is so confusing about..

    User.create({name: 'Pete', email: 'email@example.com', account: Account.first}, without_protection: true)

and…

    User.find(1).update_attributes({account: new_account}, without_protection: true)

?

Maybe it's just me, but the differences between this and sudo_* seem so minimal that I don't think it's worth it.

Godfrey
Rafael Mendonça França
2012-Aug-13 02:45 UTC
Re: Any interest in "sudo" methods for bypassing mass-assignment?
We are going to remove mass-assignment protection in the model layer from the core so I think we are not interested.

Rafael Mendonça França
http://twitter.com/rafaelfranca
https://github.com/rafaelfranca

On Sun, Aug 12, 2012 at 11:39 PM, Godfrey Chan <godfreykfc@gmail.com> wrote:
> but can't remember the syntax for "without_protection"
>
> At the risk of asking the obvious question, what exactly is so confusing
> about..
>
>     User.create({name: 'Pete', email: 'email@example.com', account: Account.first}, without_protection: true)
>
> and…
>
>     User.find(1).update_attributes({account: new_account}, without_protection: true)
>
> ?
>
> Maybe it's just me, but the differences between this and sudo_* seem so
> minimal that I don't think it's worth it.
>
> Godfrey
Peter Brown
2012-Aug-13 03:04 UTC
Re: Any interest in "sudo" methods for bypassing mass-assignment?
Rafael,

That's good to know, thanks!

On Sunday, August 12, 2012 10:45:53 PM UTC-4, Rafael Mendonça França wrote:
> We are going to remove mass-assignment protection in the model layer from
> the core so I think we are not interested.
>
> Rafael Mendonça França
> http://twitter.com/rafaelfranca
> https://github.com/rafaelfranca
>
> On Sun, Aug 12, 2012 at 11:39 PM, Godfrey Chan <godfr...@gmail.com> wrote:
>
>> but can't remember the syntax for "without_protection"
>>
>> At the risk of asking the obvious question, what exactly is so confusing
>> about..
>>
>>     User.create({name: 'Pete', email: 'em...@example.com', account: Account.first}, without_protection: true)
>>
>> and…
>>
>>     User.find(1).update_attributes({account: new_account}, without_protection: true)
>>
>> ?
>>
>> Maybe it's just me, but the differences between this and sudo_* seem so
>> minimal that I don't think it's worth it.
>>
>> Godfrey
Steve Klabnik
2012-Aug-13 03:27 UTC
Re: Any interest in "sudo" methods for bypassing mass-assignment?
> That's good to know, thanks!

https://github.com/rails/strong_parameters for more deets.
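
The thread contrasts model-layer mass-assignment protection, with its "without_protection" bypass, and the controller-layer approach that strong_parameters takes. The plain-Ruby sketch below is an added example, not part of the thread and not Rails or gem code; SketchParams, SketchUser, ForbiddenAttributes and the sample input are hypothetical stand-ins that need no Rails install.

```ruby
# Plain-Ruby sketch. These classes are hypothetical stand-ins, not
# ActiveRecord or strong_parameters code.
class ForbiddenAttributes < StandardError; end

# Controller-layer idea: request input is untrusted until explicitly permitted.
class SketchParams
  def initialize(hash, permitted = false)
    @hash = hash
    @permitted = permitted
  end

  def permitted?
    @permitted
  end

  def to_h
    @hash.dup
  end

  # Return a copy holding only the allow-listed keys, marked as safe to assign.
  def permit(*keys)
    SketchParams.new(@hash.select { |k, _| keys.include?(k) }, true)
  end
end

class SketchUser
  ACCESSIBLE = [:name].freeze # model-layer allow-list, like attr_accessible :name
  attr_reader :attrs

  def initialize
    @attrs = {}
  end

  # Model-layer protection: drop non-accessible keys unless the caller bypasses it.
  def assign_model_layer(hash, opts = {})
    hash = hash.select { |k, _| ACCESSIBLE.include?(k) } unless opts[:without_protection]
    @attrs.merge!(hash)
    self
  end

  # Controller-layer protection: refuse input that was never permitted.
  def assign_permitted(params)
    raise ForbiddenAttributes unless params.permitted?
    @attrs.merge!(params.to_h)
    self
  end
end

# Constructed request input carrying an attribute the form never offered.
REQUEST_INPUT = { name: 'Pete', admin: true }.freeze
```

With the bypass, every key in REQUEST_INPUT reaches the record, so a bypass call (or a sudo_* equivalent) is only safe on input the developer wrote, such as console, seed or test data. In the second style the model refuses raw request input outright until the caller names the keys it accepts.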