I’m wondering, if I have a model where all values can be set through a form, do I still need to use attr_accessible?
The important thing that comes to my mind is the id field (or maybe even the created_at and updated_at fields).
Should I always whitelist the accessible fields if there is a form around?
You should think about whether in the future you will add some important data and forget to protect it. Using attr_accessible, it will be protected by default.
If there are any associations, such as has_many :roles, :through => :authorization in the User model, there isn’t any data about this association in User, but a hacker can mass-assign roles_attributes. So he will change data in the authorizations table through the hole in the User model. Also he will be able to manipulate simple has_many :dollars associations by passing dollar_ids=[1,2,3,4,5,6,7...] via the form.
You can also check out Ryan’s screencast about mass assignment.
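A plain-Ruby stand-in for the attr_accessible whitelist, added here as an illustration (it is not code from this thread or from Rails): it runs without ActiveRecord and shows what the whitelist does with the keys the answer mentions (id, created_at, dollar_ids, roles_attributes) when they arrive alongside the form's own fields. The User and Profile classes, the name/email fields and TAMPERED_PARAMS are constructed for the example.

```ruby
module MassAssignment
  def self.included(base); base.extend(ClassMethods); end

  module ClassMethods
    # Whitelist of attributes that may be set from untrusted params.
    def attr_accessible(*names); @accessible = names.map(&:to_s); end
    # nil = no whitelist declared, so every key is assignable (the hole).
    def accessible_attributes; @accessible; end
  end

  attr_reader :attributes, :rejected

  # Mimics attr_accessible filtering: keys outside the whitelist are dropped
  # and remembered so the controller can log the attempt.
  def assign_attributes(params)
    allowed = self.class.accessible_attributes
    @attributes, @rejected = {}, []
    params.each do |key, value|
      if allowed.nil? || allowed.include?(key.to_s)
        @attributes[key.to_s] = value
      else
        @rejected << key.to_s
      end
    end
    self
  end
end

class User        # whitelisted: only what the sign-up form legitimately sends
  include MassAssignment
  attr_accessible :name, :email
end

class Profile     # no attr_accessible at all (constructed counter-example)
  include MassAssignment
end

# Constructed POST parameters: the form's fields plus extra keys tacked on,
# the ones the answer above names (id, timestamp, dollar_ids, roles_attributes).
TAMPERED_PARAMS = {
  "name" => "alice", "email" => "alice@example.org",
  "id" => 1, "created_at" => "2000-01-01",
  "dollar_ids" => [1, 2, 3, 4, 5, 6, 7],
  "roles_attributes" => { "0" => { "name" => "admin" } }
}

user = User.new.assign_attributes(TAMPERED_PARAMS)
warn "dropped protected keys: #{user.rejected.join(', ')}" unless user.rejected.empty?
```

Profile, having declared no whitelist, accepts every key in TAMPERED_PARAMS, which is the situation the answer warns about; User keeps only name and email and reports the rest, which is worth logging as a tampering signal.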