--- title: "Rails 6 adds filter_attributes on ActiveRecord::Base" description: "Rails 6 adds filter_attributes on ActiveRecord::Base" canonical_url: "https://www.bigbinary.com/blog/rails-6-adds-activerecord-base-filter_attributes" markdown_url: "https://www.bigbinary.com/blog/rails-6-adds-activerecord-base-filter_attributes.md" --- # Rails 6 adds filter_attributes on ActiveRecord::Base Rails 6 adds filter_attributes on ActiveRecord::Base - Author: Amit Choudhary - Published: September 3, 2019 - Categories: Rails 6, Rails A lot of times, we ask user for sensitive data such as password, credit card number etc. We should not be able to see this information in logs. So, there must be a way in Rails to filter out these parameters from logs. Rails provides a way of doing this. We can add parameters to [Rails.application.config.filter_parameters](https://guides.rubyonrails.org/configuring.html#initializers). There is one more way of doing this in Rails. We can also use [https://api.rubyonrails.org/classes/ActionDispatch/Http/FilterParameters.html](https://api.rubyonrails.org/classes/ActionDispatch/Http/FilterParameters.html). However there is still a security issue when we call inspect on an ActiveRecord object for logging purposes. In this case, Rails does not consider [Rails.application.config.filter_parameters](https://guides.rubyonrails.org/configuring.html#initializers) and displays the sensitive information. Rails 6 fixes this. It considers [Rails.application.config.filter_parameters](https://guides.rubyonrails.org/configuring.html#initializers) while inspecting an object. Rails 6 also provides an alternative way to filter columns on ActiveRecord level by adding [filter_attributes](https://github.com/rails/rails/pull/33756) on ActiveRecord::Base. In Rails 6, [filter_attributes](https://github.com/rails/rails/pull/33756) on ActiveRecord::Base takes priority over [Rails.application.config.filter_parameters](https://guides.rubyonrails.org/configuring.html#initializers). Let's checkout how it works. #### Rails 6.0.0.rc1 Let's create a user record and call inspect on it. ```ruby >> class User < ApplicationRecord >> validates :email, :password, presence: true >> end => {:presence=>true} >> User.create(email: 'john@bigbinary.com', password: 'john_wick_bigbinary') BEGIN User Create (0.6ms) INSERT INTO "users" ("email", "password", "created_at", "updated_at") VALUES ($1, $2, $3, $4) RETURNING "id" [["email", "john@bigbinary.com"], ["password", "john_wick_bigbinary"], ["created_at", "2019-05-17 21:34:34.504394"], ["updated_at", "2019-05-17 21:34:34.504394"]] COMMIT => # ``` We can see that `password` is filtered as it is added to [Rails.application.config.filter_parameters](https://guides.rubyonrails.org/configuring.html#initializers) by default in `config/initializers/filter_parameter_logging.rb`. Now let's add just `:email` to `User.filter_attributes` ```ruby >> User.filter_attributes = [:email] => [:email] >> User.first.inspect SELECT "users".* FROM "users" ORDER BY "users"."id" ASC LIMIT $1 [["LIMIT", 1]] => "#" ``` We can see here that `User.filter_attributes` took priority over [Rails.application.config.filter_parameters](https://guides.rubyonrails.org/configuring.html#initializers) and removed filtering from password and filtered just email. Now, let's add both `:email` and `:password` to `User.filter_attributes`. ```ruby >> User.filter_attributes = [:email, :password] => [:email, :password] >> User.first.inspect => "#" ``` We can see that now both `email` and `password` are filtered out. Here is the relevant [pull request](https://github.com/rails/rails/pull/33756). ## Links - [Human page](https://www.bigbinary.com/blog/rails-6-adds-activerecord-base-filter_attributes)