Devise’s examples and tutorials tell me to have something like this in the User model:
attr_accessible :name, :password, :password_confirmation, :remember_me
So I have two questions about this.
- Why should I make “name” and “password” accessible? I want them to be protected; does Devise let me change this?
- What on earth do fields like “password_confirmation” and “remember_me” do in the user model? Now I can write something like User.find(1).password_confirmation; it works but makes no sense at all.
How do I deal with that?
I think I’ve found an answer.
Devise uses mass assignment, and there is nothing you can do about that. There is a GitHub issue about that: https://github.com/plataformatec/devise/pull/718. I’m working on an idea of how we can change Devise to avoid relying on mass assignment. I will be happy to know your opinion.
As long as Devise takes away your right to define your own attr_accessible list, there are two things you can do about that:
a. You can just use attr_readonly along with attr_accessible. It will open the door for Devise, but not for your other forms; read Make attributes mass assignable only during creation.
b. def mass_assignment_authorizer allows you to define a dynamic attr_accessible list; read http://railscasts.com/episodes/237-dynamic-attr-accessible?view=asciicast. IMHO, this way is overkill for this kind of problem.
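To make the difference between the two options concrete, here is an added example (not from the question, the answer, or Devise itself): a plain-Ruby model that mimics the Rails 3 attr_accessible / mass_assignment_authorizer mechanics, so the whitelist logic runs without ActiveRecord. The class name Account, the assign_attributes method and the :role field are assumptions for the illustration; the whitelist is widened only while the record is new (the sign-up form) and narrowed for every later form.

```ruby
# Added example: simplified mass-assignment protection in the style of Rails 3.
# Names (Account, assign_attributes, :role) are made up; this is not Devise code.
class Account
  ATTRIBUTES = %i[name email password password_confirmation remember_me role].freeze

  attr_reader(*ATTRIBUTES)

  def initialize
    @persisted = false
    @role = "user" # sensitive default that must never be settable from a form
  end

  def new_record?
    !@persisted
  end

  def save!
    @persisted = true
    self
  end

  # Dynamic whitelist, as in the RailsCast referenced above: credentials are
  # assignable only while the record is being created (the sign-up form);
  # later forms may only touch profile fields. :role is never whitelisted.
  def mass_assignment_authorizer
    base = %i[name remember_me]
    new_record? ? base + %i[email password password_confirmation] : base
  end

  # Assigns whitelisted keys and returns the rejected ones so a controller
  # can log unexpected parameters instead of silently swallowing them.
  def assign_attributes(params)
    allowed = mass_assignment_authorizer
    rejected = []
    params.each do |key, value|
      key = key.to_sym
      if allowed.include?(key)
        instance_variable_set("@#{key}", value)
      else
        rejected << key
      end
    end
    rejected
  end
end

# Constructed sample input: a sign-up form carrying an extra, forged field.
SIGNUP_PARAMS = { "name" => "alice", "email" => "a@example.test",
                  "password" => "s3cret", "password_confirmation" => "s3cret",
                  "role" => "admin" }.freeze
```

On a new record the forged "role" is the only key dropped; after save! the same model rejects "password" too, which is the effect option (a) achieves with attr_readonly.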