This project is archived and is in readonly mode.

#5738 open
Emmanuel Gomez

AssociationCollection#load_target triggers MassAssignmentSecurity warning

Reported by Emmanuel Gomez | September 29th, 2010 @ 10:56 PM

On a project I'm working on, we've been using a monkey-patch that raises on mass assignment security errors (used to be in AR::Base#log_protected_attribute_removal). This helps us prevent silent failure.

I'm in the process of porting our app to Rails 3, and spent some time today reimplementing this monkey-patch on WhiteList and BlackList.

Upon doing so, I discovered an unexpected failure when accessing an association after building instances on the association. It turns out that AssociationCollection#load_target performs mass-assignment calls (#attributes=) to update non-dirty, non-id fields on the in-memory instances.

I'm pretty sure that this call to #attributes= should bypass mass-assignment protection, since it's assigning values from the database to in-memory instances. I'm proposing to change:

@target.delete_at(i).tap do |t|
  keys = ["id"] + t.changes.keys + (f.attribute_names - t.attribute_names)
  t.attributes = f.attributes.except(*keys)


@target.delete_at(i).tap do |t|
  keys = ["id"] + t.changes.keys + (f.attribute_names - t.attribute_names)
  t.send(:attributes=, f.attributes.except(*keys), false)

I'm pretty sure this should be an uncontroversial change, and I'd love to see it patched in ActiveRecord. Should I submit a patch for this change?

Comments and changes to this ticket

  • Emmanuel Gomez

    Emmanuel Gomez September 30th, 2010 @ 10:38 PM

    • Tag changed from activerecord associations, mass-assignment security to activerecord associations, mass-assignment security, bug
  • Emmanuel Gomez

    Emmanuel Gomez September 30th, 2010 @ 11:52 PM

    I've been meaning to learn how to properly produce a patch for Rails, so I went ahead and did it.

    The attached patch doesn't include tests, because I'm not sure how to test this without changing the behavior of MassAssignmentSecurity::Sanitizer. I'll come up with something and add some test coverage shortly.

  • Rohit Arondekar

    Rohit Arondekar October 7th, 2010 @ 05:19 AM

    • Tag changed from activerecord associations, mass-assignment security, bug to mass-assignment security, activerecord, associations, bug
  • Rohit Arondekar
  • Santiago Pastorino

    Santiago Pastorino February 2nd, 2011 @ 04:58 PM

    • State changed from “new” to “open”

    This issue has been automatically marked as stale because it has not been commented on for at least three months.

    The resources of the Rails core team are limited, and so we are asking for your help. If you can still reproduce this error on the 3-0-stable branch or on master, please reply with all of the information you have about it and add "[state:open]" to your comment. This will reopen the ticket for review. Likewise, if you feel that this is a very important feature for Rails to include, please reply with your explanation so we can consider it.

    Thank you for all your contributions, and we hope you will understand this step to focus our efforts where they are most helpful.

  • Santiago Pastorino

    Santiago Pastorino February 2nd, 2011 @ 04:58 PM

    • State changed from “open” to “stale”
  • Steve F

    Steve F March 15th, 2011 @ 11:15 PM

    • State changed from “stale” to “open”

    I have verified this is still an issue with tests in patch below. There is a concurrency issue that is exposed by the same problem. I have explained it in the patch as well [state:open]

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href=""></a>

People watching this ticket