h1. sudo_attributes

Adds 'sudo' methods to active record classes, allowing you to easily override protected attributes.

h2. Requirements

*Rails:* Any version of Rails 2.3.x or Rails 3.x. (Older versions of Rails may work, but have not been tested)

h2. Installation

The gem is hosted at "rubygems.org":https://rubygems.org/gems/sudo_attributes and can be installed with: @gem install sudo_attributes@

h2. The Problem

ActiveModel provides a convenient way to make your application more secure by using "protected" attributes. Protected attributes are assigned using either @attr_protected@ or @attr_accessible@. This adds security by preventing mass assignment of attributes when doing things like @user.update_attributes(params[:user])@. The issue is that it can be tedious to always manually assign protected attributes in an administrative area of your application. You may find yourself doing things like:

<pre>
user = User.find(params[:id])
user.update_attributes(params[:user])
user.admin = true
user.something_else = true
user.save
</pre>

or the alternative in Rails 3.1:

<pre>
user.assign_attributes(params[:user], :without_protection => true)
user.save
</pre>

h2. The Solution

SudoAttributes adds a few 'sudo' methods to your models, allowing you to override the protected attributes **when you know the input can be trusted**.

<pre>
class User < ActiveRecord::Base
  attr_protected :admin
end

user = User.find(params[:id])
user.sudo_update_attributes(params[:user])
</pre>

h2. Class Methods

@Model.sudo_create@ - Uses same syntax as @Model.create@ to instantiate and save an object with protected attributes

@Model.sudo_create!@ - Similar to @Model.sudo_create@, but it raises an ActiveRecord::RecordInvalid exception if there are invalid attributes

@Model.sudo_new@ - Uses same syntax as @Model.new@ to instantiate, but not save an object with protected attributes

h2. Instance Methods

@sudo_update_attributes@ - Uses identical syntax to @update_attributes@, but overrides protected attributes.

@sudo_update_attributes!@ - Same as sudo_update_attributes, but raises ActiveRecord errors. Same as @update_attributes!@

h2. Examples

**Protect an admin boolean attribute**

<pre>
class User < ActiveRecord::Base
  attr_protected :admin
end
</pre>

In your admin controller...

<pre>
params[:user] = {:name => "Pete", :admin => true} (Typically set from a form)

@user = User.sudo_create(params[:user])

Somewhere else in your admin controller...

params[:user] = {:admin => false, :name => "Pete"}

@user.sudo_update_attributes(params[:user])
</pre>

h2. Copyright

Copyright (c) 2011 Peter Brown. See LICENSE for details.