Mass Assignment Security with Mongoid

July 16, 2012 at 1:06 pm

EDIT – THIS POST WAS RETARDED, AND COMBINED TWO MUTUALLY EXCLUSIVE WAYS OF DEALING WITH THINGS.

You only ever need one OR the other of these approaches – Strong Parameters does not work WITH attr_accessible – if you want to use it, you need to remove the mod below for attr_accessible by default, just like you set whitelist_attributes to false with ActiveRecord.

This is a follow up to this post, which dealt with Mass Assignment Security in ActiveRecord.

Mongoid doesn’t support setting config.active_record.whitelist_attributes = true to enable Mass Assignment Security, so we need a way around this. Essentially, all this switch does is add attr_accessible nil to your models, making you declare each field that you wish to be eligible for Mass Assignment. We can do this very simply with Mongoid by adding an Initializer.

module Mongoid
module WhitelistAttributes
extend ActiveSupport::Concern

included do
attr_accessible nil
end
end

module Document
include WhitelistAttributes
end
end

module Mongoid

module WhitelistAttributes

extend ActiveSupport::Concern

included do

attr_accessible nil

end

module Document

include WhitelistAttributes

end

That’s all you need to do – remove the line config.active_record.whitelist_attributes = true altogether from your application.rb, and you are good to go.

http://twitter.com/jardilase Juan Ardila

Thank you very much John but after install the gem strong_parameters, and add this fix for mongoid I get:

WARNING: Can’t mass-assign protected attributes: title, description, category.

I have added in my controller:

private
def board_params
params.required(:board).permit(:title, :description, :category)

end

What am I doing wrong?

Thank you!

http://jgwmaxwell.com/ John Maxwell

Do you have

include ActiveModel::ForbiddenAttributesProtection

in your Model?
http://jgwmaxwell.com/ John Maxwell

Do you have

include ActiveModel::ForbiddenAttributesProtection

in your Models? You still need that, like the last article

http://twitter.com/jardilase Juan Ardila

Yes I have added include ActiveModel::ForbiddenAttributesProtection and now this message has disappeared. But the object is still not created. I have added params[:board_params] instead params[:board] to the action to create:

def create
@board = current_user.boards.new(params[:board_params])
respond_to do |format|
if @board.save
.
.
.
end
end

I don’t find the error…sorrry. Thank you very much again!

http://jgwmaxwell.com/ John Maxwell

Don’t you want to call:

@board = current_user.boards.new(board_params)

rather than params[:board_params] if your method is

def board_paramsparams.required(:board).permit(:title, :description, :category)endLike you had in the first comment?If that doesn’t fix it, is there any chance of creating a Gist or a Pastie and letting me see the Controller/Model?

It works as expected for me so hopefully it’s just a quick fix somewhere.

http://twitter.com/jardilase Juan Ardila

Impossible for me . I am using simple_form gem for forms. I paste my model in http://pastie.org/4267096 and my controller in http://pastie.org/4267114. My problem is in create action in controller. Thank you very much John!

http://jgwmaxwell.com/ John Maxwell

I’m being a plonker and giving you bad advice here. You are trying to combine two approaches that don’t need to overlap. If you want to use Strong Parameters, don’t use this patch, you don’t want attr_accessible as well as ForbiddenAttributesProtection in the same model.

Remove the patch, make sure you’ve got the config.active_record.whitelist_attributes line out of application.rb and you should already be working. Sorry for the wild goose chase, head not switched on today.

http://twitter.com/jardilase Juan Ardila

Thank you very much John. I had remove the gem strong_parameters and I have added this fix for mongoid. I have added to my model:

attr_accessible :title, :description, :category

Now it does works fine .

Thank you very much again John.

Mass Assignment Security with Mongoid

Share:

About Me

Sign-up for the Newsletter

Recent Posts

Latest Tweets

Archives

Categories

Recent Comments