I just released a new plugin for Rails, called AttrLocked. It lets you specify that certain model attributes should not be changeable once a record has been created – perfect for making sure usernames are fixed or your financial data doesn’t get tampered with. It will not let you change a record’s locked attributes in any way, and will disable form fields as appropriate to stop people bothering to change the data. Example:

class Payment < ActiveRecord::Base
  attr_locked :time, :amount, :transaction_id
end

Now, when you grab a record from the database, using time=, amount= and transaction_id= won’t work. attributes=, save and update_attributes will silently ignore the locked attributes, and update_attribute will return false if you try to modify a locked attribute. Naturally, you are allowed to set values on new records.

I’ve only tested it on my current project, which is in Rails 1.2.2, but I’d really appreciate testing with other applications. Install like so:

script/plugin install
    git://github.com/jcoglan/attr_locked