I’m not familiar with how forms work.
Example Scenario
Let’s say users can create surveys but after they are created cannot edit them but only add questions to them. This is done by using the edit action on the Survey.
    class Survey < ActiveRecord::Base
      has_many :questions
      accepts_nested_attributes_for :questions
    end

    class Question < ActiveRecord::Base
      belongs_to :survey
      belongs_to :user
    end
    # QuestionsController
    def edit
      @survey = Survey.find(params[:id])
      @survey.questions.build
    end

    def update
      @survey = Survey.find(params[:id])
      @survey.update_attributes(params[:survey])
      redirect_to ...
    end
Then the form should be:
    <%= form_for @survey do |f| %>
      <%# No survey fields on this form! %>
      <%= f.fields_for :questions do |builder| %>
        <%= render "question_fields", :f => builder %>
      <% end %>
      <%= f.submit "Submit" %>
    <% end %>
Now does this leave the Survey’s values vulnerable or open to hacking even if I want the survey’s fields to be unusable after creation?
What about in general? Can model values still be edited when they’re not on the form? What’s the logic behind this and how would I know they couldn’t?
Thanks, just a newbie trying to learn.
Yes, those attributes can still be edited by submitting them as parameters to your form, even if you don’t provide fields for them.
To protect against that, you can protect the attributes explicitly (in later versions of Rails, this is the default). In your Survey model, add:

This prevents mass assignments for those attributes, both for create and update. To allow creating, you’ll have to assign those attributes explicitly in the create action of your SurveyController:

EDIT:
As blackbird07 points out, the better approach is to whitelist those attributes that you want to allow mass-assignment for, instead of the blacklist approach described here.
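As an added illustration (not code from the question or either answer): a plain-Ruby stand-in for what happens inside update_attributes, with no Rails or ActiveRecord involved. The Survey class, its PERMITTED_ON_UPDATE list and the TAMPERED_PARAMS hash are constructed here to show that a client can post attributes the form never rendered, and that a whitelist both drops those keys and lets the controller record the attempt.

```ruby
# Added example: a plain-Ruby model of Rails mass assignment (no ActiveRecord,
# no Rails). The Survey class and TAMPERED_PARAMS are constructed for this
# illustration and are not part of the original question or answers.

# Constructed request body, as Rack would parse it from a POST to the update
# action. The form only rendered question fields, but nothing stops a client
# from adding "title" and "owner_id" to the same request.
TAMPERED_PARAMS = {
  "survey" => {
    "title" => "renamed by client",
    "owner_id" => "999",
    "questions_attributes" => {
      "0" => { "body" => "What is your name?" },
    },
  },
}.freeze

class Survey
  # Stand-in for attr_accessible / strong parameters: the only key the update
  # action is allowed to mass-assign (assumed policy for this example).
  PERMITTED_ON_UPDATE = %w[questions_attributes].freeze

  attr_reader :title, :owner_id, :questions, :rejected_keys

  def initialize(title:, owner_id:)
    @title = title
    @owner_id = owner_id
    @questions = []
    @rejected_keys = []
  end

  # Unprotected update_attributes: every key in the hash is assigned, whether
  # or not the form had a field for it.
  def unsafe_update(attrs)
    attrs.each { |key, value| assign(key, value) }
    self
  end

  # Whitelisted update: keys outside PERMITTED_ON_UPDATE are dropped and
  # recorded, so the controller can log the attempt instead of honouring it.
  def safe_update(attrs)
    attrs.each do |key, value|
      if PERMITTED_ON_UPDATE.include?(key)
        assign(key, value)
      else
        @rejected_keys << key
      end
    end
    self
  end

  private

  # One setter per attribute, the equivalent of the writers AR generates.
  def assign(key, value)
    case key
    when "title" then @title = value
    when "owner_id" then @owner_id = Integer(value)
    when "questions_attributes"
      value.each_value { |q| @questions << q["body"] }
    else
      raise ArgumentError, "unknown attribute #{key}"
    end
  end
end

# Both runs start from the same persisted survey and apply the same tampered
# params; only the assignment policy differs.
def update_without_protection
  Survey.new(title: "Customer feedback", owner_id: 1)
        .unsafe_update(TAMPERED_PARAMS["survey"])
end

def update_with_whitelist
  Survey.new(title: "Customer feedback", owner_id: 1)
        .safe_update(TAMPERED_PARAMS["survey"])
end

if __FILE__ == $PROGRAM_NAME
  a = update_without_protection
  puts "unprotected: title=#{a.title.inspect} owner_id=#{a.owner_id}"
  b = update_with_whitelist
  puts "whitelisted: title=#{b.title.inspect} owner_id=#{b.owner_id} " \
       "rejected=#{b.rejected_keys.inspect}"
end
```

The unprotected run ends with the title and owner changed even though the form had no fields for them; the whitelisted run keeps the original values, still adds the question, and leaves the rejected keys available for logging, which is the practical way to answer "how would I know they couldn’t?".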