Mass Assigning Inheritance Column Values for ActiveRecord STI with Rails

One of the security features in Rails is to prevent mass assigning values for certain columns (when passing a hash to #new, #attributes=, and #update_attributes).  This is to ensure that a malicious user can't exploit the system by passing in values for certain attributes you really don't want them to change.

In Rails 2.1, one of the attributes that will always be protected from mass assignment is the inheritance_column.  In most cases, protecting inheritance_column; is desired because we don't want (for example) someone to change their user type by specifying type = 'Admin' when posting a form.  Despite this, there are some cases where we do want to allow the user to specify the type.

However, even if we specify #attr_accessible on the inheritance_column, we will not be able to mass assign a value to it.  Rails will not allow it unless we put in a little hack to work around this feature.

Let's start with an example; say we have an STI relationship like the following:

class Animal < ActiveRecord::Base; end
class Dog < Animal; end
class Cat < Animal; end
class Smurf < Animal; end

We have a form where the user enters in some basic information about their animal and chooses the type they want.  We don't want to limit what type of animal the user can choose, so we want to allow them to set the type themselves.  Instead of explicitly setting the type separately from any mass assignment, we can override Rails' protection for the Animal class.

class Animal < ActiveRecord::Base
  private
  def attributes_protected_by_default
    default = super
    default.delete self.class.inheritance_column
    default
  end
end

What this code does is override the method which Rails uses to specify which columns should never be mass assignable. We get Rails' array of default protected attributes, and just remove the inheritance_column from the array.  Now, we can pass the type into all the mass assigning methods and not have to set it separately.

Comments: 3 so far

  1. Anthony, thanks so much. This solved my exact problem very neatly. I am using this with the StreamLined framework.

    Comment by Mike Berrow, Monday, November 3, 2008 @ 4:53 am

  2. Thanks a lot, I was looking exactly for that :)

    Comment by Jacek Becela, Friday, December 5, 2008 @ 7:38 am

  3. Woo hoo, worked like a charm! Thanks!

    Comment by Dan, Monday, March 9, 2009 @ 2:38 pm

Leave a comment

Powered by WP Hashcash

About Pathfinder

Follow the Blog

    Get a monthly update on best practices for delivering successful software.

    Subscribe via email

      

    Subscribe via RSS      RSS icon

Topics

Search

WordPress

Comments about this site: info@pathf.com