arturo icon indicating copy to clipboard operation
arturo copied to clipboard

Published 20 hours ago verified publisher icon zendesk

Rails 4 compatibility issue ActiveModel::MassAssignmentSecurity::Error: Can't mass-assign protected attributes for Arturo::Feature: deployment_percentage

Open bstrech opened this issue 10 years ago • 7 comments

Creating a new feature doesn't work.

feature = Arturo::Feature.create(:symbol=>:new_one, :deployment_percentage=>0) ActiveModel::MassAssignmentSecurity::Error: Can't mass-assign protected attributes for Arturo::Feature: deployment_percentage, symbol

In feature.rb attr_accessible :symbol, :deployment_percentage if ActiveRecord::VERSION::MAJOR < 4

We don't have attr_accessible in rails 4 :(

bstrech avatar Sep 12 '14 01:09 bstrech

We'll need to use params.require and .permit in the controller. It'll add some annoying complexity, but it shouldn't be too hard.

jamesarosen avatar Sep 12 '14 02:09 jamesarosen

We often create our features via a migration or seed so that we have them across all of our environments rather than create them via the controller. We only use the controller to change the deployment percentage.

I forgot to mention that we are trying to go with config.active_record.whitelist_attributes = true

bstrech avatar Sep 12 '14 16:09 bstrech

I didn't realize Rails 4 had any support for model-level protection. I thought it had totally moved to the controller in the form of StrongParams. I guess we could try to figure out a better condition than if ActiveRecord::VERSION::MAJOR < 4. Perhaps we can detect whitelist_attributes.

jamesarosen avatar Sep 12 '14 23:09 jamesarosen

Are you including the protected_attributes gem? I can't find anywhere in Rails 4 proper that actually does anything with whitelist_attributes other than just emit warnings.

jamesarosen avatar Sep 14 '14 13:09 jamesarosen

Yes I am using the protected_attributes gem

bstrech avatar Sep 15 '14 17:09 bstrech

Unfortunately, Rails 4.0 still defines attr_accessible:

def attr_accessible(*args)
  raise "`attr_accessible` is extracted out of Rails into a gem. " \
    "Please use new recommended protection model for params" \
    "(strong_parameters) or add `protected_attributes` to your " \
    "Gemfile to use old one."
end

That means we can't use introspection like

attr_accessible :symbol, :deployment_percentage if respond_to?(:attr_accessible)

The only thing I can think of would be

begin
  attr_accessible :symbol, :deployment_percentage
rescue
  # Rails 4.0 doesn't support attr_accessible, but does define it
end

or the equally gross

if ActiveRecord::VERSION::MAJOR < 4 || Object.const_defined?(:ProtectedAttributes)
  attr_accessible :symbol, :deployment_percentage
end

jamesarosen avatar Sep 15 '14 17:09 jamesarosen

Yes, both of those solutions are less than ideal, but turns out I don't need it for now.

After removing the usage of the protected_attributes gem, my project is now ok. I never made the conversion, I am going to just use strong attributes. I am ok, but imagine someone out there is going to upgrade to 4.0 and need to keep protected_attributes.

bstrech avatar Sep 25 '14 16:09 bstrech