Adds 'sudo' methods to active record classes, allowing you to easily override protected attributes.
This gem is no longer being maintained. With the introduction of strong parameters to Rails, the functionality this gem provides is no longer needed.
Rails: Any version of Rails 2.3.x or Rails 3.x. (Older versions of Rails may work, but have not been tested)
The gem is hosted at rubygems.org and can be installed with: gem install sudo_attributes
ActiveModel provides a convenient way to make your application more secure by using "protected" attributes. Protected attributes are assigned using either attr_protected or attr_accessible. This adds security by preventing mass assignment of attributes when doing things like user.update_attributes(params[:user]). The issue is that it can be tedious to always manually assign protected attributes in an administrative area of your application. You may find yourself doing things like:
user = User.find(params[:id])
user.update_attributes(params[:user])
user.admin = true
user.something_else = true
user.saveor the alternative in Rails 3.1:
user.assign_attributes(params[:user], :without_protection => true)
user.saveSudoAttributes adds a few 'sudo' methods to your models, allowing you to override the protected attributes when you know the input can be trusted.
class User < ActiveRecord::Base
attr_protected :admin
end
user = User.find(params[:id])
user.sudo_update_attributes(params[:user])Model.sudo_create - Uses same syntax as Model.create to instantiate and save an object with protected attributes
Model.sudo_create! - Similar to Model.sudo_create, but it raises an ActiveRecord::RecordInvalid exception if there are invalid attributes
Model.sudo_new - Uses same syntax as Model.new to instantiate, but not save an object with protected attributes
sudo_update_attributes - Uses identical syntax to update_attributes, but overrides protected attributes.
sudo_update_attributes! - Same as sudo_update_attributes, but raises ActiveRecord errors. Same as update_attributes!
Protect an admin boolean attribute
class User < ActiveRecord::Base
attr_protected :admin
endIn your admin controller...
params[:user] = {:name => "Pete", :admin => true} (Typically set from a form)
@user = User.sudo_create(params[:user])
Somewhere else in your admin controller...
params[:user] = {:admin => false, :name => "Pete"}
@user.sudo_update_attributes(params[:user])Copyright (c) 2011 Peter Brown. See LICENSE for details.