breaking into the unknown…

can’t mass-assign protected attributes


This is an inbuilt security feature of Rails; more detail is available here. First, let us understand mass assignment. In simple words, it means assigning values to multiple attributes at a time. This generally happens when you assign values to an object straight from params. Consider the example below.

Let our User model have the fields name, age, dob, city and role.

class User < ActiveRecord::Base # this is our model
end

class UsersController < ApplicationController
  def new
    @user = User.new
  end

  def create
    # Here you are trying to assign all the attributes of the user from the
    # matching values present in params, so it is treated as mass assignment.
    # Without an attr_accessible list this raises the mass assignment error
    # for name, dob and city.
    @user = User.new(params[:user])
    @user.age = params[:user][:age] # simple assignment, as you assign it explicitly
    @user.role = "admin"            # this is also simple assignment
  end
end




Whatever fields you want to expose to users, i.e. want to receive from users in the form of params, should be declared as attr_accessible in the model. Thus we define the fields name, city, dob and age as attr_accessible in our User model. We leave role out of this list because we do not want the user to set the role. You can see that in the create method role is not taken from params but set directly.

class User < ActiveRecord::Base # this is our model
  attr_accessible :name, :age, :city, :dob
end

NOTE: This is known as white listing of attributes, i.e. you list every attribute which you think is safe to expose to users.


The main purpose of preventing mass assignment is to stop a user from changing fields he is not authorized to change. In the case above, if Rails did not protect against mass assignment, a user could edit the form he is filling in, add a new text field for role, pass the value admin in it, and without your knowledge become an admin of your application. That is why mass assignment security is part of Rails. The only difference is in the way it is implemented in older versions and in Rails 3 and later. The two approaches are as follows.


The older approach, black listing, is done with the attr_protected keyword, so we can write our model above as

class User < ActiveRecord::Base # this is our model
  attr_protected :role
end

It means that only this attribute is protected, i.e. cannot be mass assigned, while all others are open to the user. So it secures the role field from users, as role has to be assigned explicitly. The problem with this is that you often introduce new fields to your model, and if you forget to add one to the attr_protected list it becomes available to the user for tampering, however sensitive it may be. This flaw is corrected with white listing in Rails 3.


The Rails 3 approach, white listing, is achieved with the attr_accessible keyword: only the attributes in this list are available to the user, all others are not. Thus it is more secure. You keep adding to it the attributes you feel are safe, while everything else remains protected by default.
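To make the difference between the two approaches concrete, here is an added example (not code from the post, and not ActiveRecord's own implementation) that models the filtering in plain Ruby so it runs without Rails. The class names Record, BlackListedUser and WhiteListedUser and the params hash TAMPERED are constructed for the example; the `banned` field plays the role of a sensitive column added later and forgotten in the attr_protected list.

```ruby
# Plain-Ruby model of how attr_accessible (white list) and attr_protected
# (black list) filter the attribute hash that comes from params.
# This is an illustration, not the real ActiveModel::MassAssignmentSecurity code.
module MassAssignmentSecurity
  def attr_accessible(*names) # white list: only these may be mass assigned
    @accessible = names.map(&:to_s)
  end

  def attr_protected(*names)  # black list: everything except these may be
    @protected = names.map(&:to_s)
  end

  # Returns the subset of attrs that is allowed to be mass assigned.
  def sanitize_for_mass_assignment(attrs)
    attrs = attrs.transform_keys(&:to_s)
    if @accessible
      attrs.select { |k, _| @accessible.include?(k) }
    elsif @protected
      attrs.reject { |k, _| @protected.include?(k) }
    else
      attrs # nothing declared: every attribute is open to the user
    end
  end
end

class Record # stand-in for an ActiveRecord model (constructed for the example)
  extend MassAssignmentSecurity
  attr_reader :attributes

  def initialize(attrs = {}) # mass assignment happens here
    @attributes = self.class.sanitize_for_mass_assignment(attrs)
  end

  def []=(name, value) # explicit assignment, never filtered
    @attributes[name.to_s] = value
  end
end

class BlackListedUser < Record
  attr_protected :role # forgot to protect the later-added `banned` column
end

class WhiteListedUser < Record
  attr_accessible :name, :age, :city, :dob
end

# Constructed tampered params: the form was edited to add role and banned fields.
TAMPERED = { name: "bob", age: 30, role: "admin", banned: false }

def mass_assigned_keys(klass, params = TAMPERED)
  klass.new(params).attributes.keys
end
```

With the black list, `banned` slips through because it was never listed; with the white list, only the four declared fields survive and `role` must be set explicitly with `user[:role] = ...`.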

Author: arunyadav4u

Over 7 years of experience in web development with Ruby on Rails. Involved in all stages of the development lifecycle: requirement gathering, planning, coding, deployment and knowledge transfer. I can adapt to any situation, mix up very easily with people and can be a great friend.
