I’m a bit confused about this mass assignment issue. Here’s my question
Say I have a user model with the following attributes:
name
login
password
email
During an edit, the update method is triggered:
def update
  @user = User.find(params[:id])
  if @user.update_attributes(params[:user])
    ....  # success branch (body omitted in the original)
  end
end
In my head it makes sense to protect most, if not all, of these attributes, as I wouldn’t want the password/email/login to be compromised. So I would do this in the model:
attr_accessible :name
So every other attribute, aside from name, wouldn’t be able to be mass assigned.
If I do this how would the valid edit form work though? Do I need to assign attributes one by one in the update method @user.email = params[:user][:email], etc? Or am I misunderstanding something (probably)?
Thanks!
Edit:
To be more specific:
Usually you see examples with the admin attribute protected. And it makes sense.
But what about the password or email attributes? Those aren’t usually protected. Why wouldn’t the password be protected or the email? It could mean that potentially somebody could reset the email and do a password reset or reset the password attribute and gain access to the system, no?
Watch this RailsCast: http://railscasts.com/episodes/26-hackers-love-mass-assignment/
You are thinking about mass assignment security the wrong way. attr_accessible does not make the password value open to the public (you will use filter_parameter to hide that value).
Think of it this way: you have a user form. You want the user to be able to create an account with a password, but you do not want them to be able to add themselves as an admin (they could do this through SQL injection or manipulating the POST parameters). To protect against this, you would add :name, :password, :email to attr_accessible and leave out the admin field.
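To make the answer concrete, here is an added example (not from the question, the answer, or Rails itself) that re-implements the attr_accessible whitelist in plain Ruby, so it runs without ActiveRecord. It assumes a User with the question's attributes plus admin, and a constructed edit-form submission into which an extra admin=true parameter has been injected; the whitelisted fields are written while admin is dropped and reported.

```ruby
# Added example: a plain-Ruby stand-in for attr_accessible, showing which
# keys of a mass assignment actually reach the model. Not Rails code.
module MassAssignmentProtection
  def self.included(base)
    base.extend(ClassMethods)
  end
  module ClassMethods
    # Declares the whitelist, the way attr_accessible does in the model.
    def attr_accessible(*names)
      @accessible = names.map(&:to_s)
    end
    def accessible_attributes
      @accessible || []
    end
  end
  # Mirrors update_attributes(params[:user]): every key in the hash is
  # tried, but only whitelisted keys are written. Returns the keys that
  # were dropped so the caller can log the tampering attempt.
  def update_attributes(attrs)
    dropped = []
    attrs.each do |key, value|
      if self.class.accessible_attributes.include?(key.to_s)
        send("#{key}=", value)
      else
        dropped << key.to_s
      end
    end
    dropped
  end
end

class User
  include MassAssignmentProtection
  attr_accessor :name, :login, :password, :email, :admin
  # The answer's recommendation: whitelist what the edit form legitimately
  # edits and leave admin out.
  attr_accessible :name, :password, :email
end

# Constructed request body: a normal edit-form submission with an extra
# admin=true field injected into the POST parameters (hypothetical values).
TAMPERED_PARAMS = { "name" => "alice", "email" => "alice@example.com",
                    "password" => "s3cret", "admin" => "true" }.freeze

# Applies the edit the way the controller's update action would and
# returns the user plus the list of rejected parameter names.
def apply_edit(params)
  user = User.new
  dropped = user.update_attributes(params)
  [user, dropped]
end
```

The edit form keeps working because name, email and password are on the whitelist; the one key the form never sends legitimately, admin, is the one that is discarded.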