A User has_one Account. When setting up attr_accessible on the User model is it better to protect :account, :account_id or both?
attr_accessible :account
or
attr_accessible :account_id
or
attr_accessible :account, :account_id
I feel like both is the way to go (as it’s more secure) even though it feels less DRY.
Update to give more background
Just to give a bit more background on why I’m asking. I, like most people, saw what happened to Github so we’re going through our app and locking it down a little tighter.
In the process of doing this I found tests in which we pass in account
User.create account: account
and where we passed in account_id:
User.create account_id: account.id
My options were to either change them all to be consistent or change attr_accessible to allow either. I decided to change them all to be consistent. But this got me worried that we were perhaps using both methods throughout our app and I might break our app by only allowing one or the other.
I did misspeak when I said using both is more secure. It was a long day.
There’s no right answer for this one, though it does depend on how you intend to update this user.
attr_accessible :account will allow you to mass-assign the account directly like this:
Helpful if you already have an account object that you want to associate to the user along with a lot of other attributes. On the other hand,
attr_accessible :account_id would be more appropriate if you were assigning the account’s ID, as from a dropdown or some other form element:
This latter case is generally considered more dangerous and was part of the problem with Github’s recent security issue: that you can post any account_id you like, including an account that doesn’t belong to you, and your user will be assigned to it.
So overall I would go for the former and do a look-up to ensure the account is one that you expect, but as I said at the beginning, you can go either way on this one depending on how you intend to use it.
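As an added example (not from the question, the answer, or Rails itself), here is a Rails-free Ruby sketch of attr_accessible-style filtering that shows the two cases the answer contrasts: with :account_id whitelisted, whatever id is posted is stored as-is, whereas the recommended scoped look-up only associates an account the current user actually owns. Account, User, MassAssignable, ACCOUNTS and the two create_* helpers are all constructed for this example.

```ruby
# Constructed stand-in for Rails' attr_accessible; not the project's or Rails' code.
Account = Struct.new(:id, :owner_id)

module MassAssignable
  def self.included(base); base.extend(ClassMethods); end

  module ClassMethods
    def attr_accessible(*names); @accessible = names.map(&:to_s); end
    def accessible; @accessible || []; end
  end

  # Only whitelisted keys are applied; others are silently dropped, which is
  # what attr_accessible does for User.new(params) / User.create(params).
  def assign_attributes(params)
    params.each do |key, value|
      public_send("#{key}=", value) if self.class.accessible.include?(key.to_s)
    end
    self
  end
end

class User
  include MassAssignable
  attr_accessor :name, :account, :account_id
  attr_accessible :name, :account_id   # the answer's "latter case"

  def initialize(params = {}); assign_attributes(params); end
end

# Constructed fixture: account 1 belongs to user 10, account 2 to user 20.
ACCOUNTS = [Account.new(1, 10), Account.new(2, 20)].freeze

# With :account_id whitelisted, the posted id is stored unchanged;
# nothing checks that the poster is allowed to use that account.
def create_with_posted_id(params)
  User.new(params).account_id
end

# The answer's recommendation: look the account up among those the current
# user may use, and only then associate it (never straight from params).
def create_with_scoped_lookup(current_user_id, params)
  account = ACCOUNTS.find { |a| a.id == params[:account_id].to_i && a.owner_id == current_user_id }
  return nil unless account
  user = User.new(params.reject { |k, _| k.to_s == "account_id" })
  user.account = account
  user.account_id = account.id
  user
end
```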