On Wed, May 24, 2006 at 03:30:56AM +0200, Laszlo Gyula wrote:
> I was a little concerned with the rails de-facto update method (as used
> in rails's scaffolds), because it simply calls
> <model>.update_attributes(params[:<model>]). This is very DRY indeed, but
> when some of the table's fields contain valuable information that should
> be writable only by certain actions, you have to add some lines manually.
> Some code to demonstrate a potential weak scenario:
You can set attributes as protected from mass assignment with attr_protected. When an attribute is protected, only some_object.the_protected_attribute = 'value' will set it. When assigned using mass assignment, such as some_object.attributes = hash_of_attrs, it will simply be skipped.

http://api.rubyonrails.com/classes/ActiveRecord/Base.html#M000873

marcel
-- 
Marcel Molina Jr. <[EMAIL PROTECTED]>
_______________________________________________
Rails-core mailing list
[email protected]
http://lists.rubyonrails.org/mailman/listinfo/rails-core
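The semantics Marcel describes, as an added stand-alone illustration (not ActiveRecord's own code): a small `MassAssignment` mixin that mimics `attr_protected`, so the scaffold-style `update_attributes(params[:model])` call skips protected fields while direct setters still work. The `Account` model and the `PARAMS` hash are constructed for the example.

```ruby
require "set"

# Mimics ActiveRecord's attr_protected behaviour (assumption: a simplified
# re-implementation for illustration, not the real ActiveRecord code).
module MassAssignment
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Record attribute names that mass assignment must never write.
    def attr_protected(*names)
      protected_attributes.merge(names.map(&:to_s))
    end

    def protected_attributes
      @protected_attributes ||= Set.new
    end
  end

  # Mass assignment: copy every key from the hash except protected ones.
  def attributes=(hash)
    hash.each do |name, value|
      name = name.to_s
      next if self.class.protected_attributes.include?(name)
      send("#{name}=", value)
    end
  end

  # Mirrors the scaffold's <model>.update_attributes(params[:<model>]) call.
  def update_attributes(hash)
    self.attributes = hash
    self
  end
end

# Constructed model: the admin flag and balance are "valuable" fields that
# must only change through dedicated actions, never via request params.
class Account
  include MassAssignment
  attr_accessor :name, :email, :admin, :balance
  attr_protected :admin, :balance

  def initialize
    @admin = false
    @balance = 0
  end
end

# Constructed request params, including keys a client should not control.
PARAMS = { "name" => "alice", "email" => "alice@example.test",
           "admin" => true, "balance" => 1_000_000 }.freeze

# Scaffold-style update: name/email are written, admin/balance are skipped.
def scaffold_update(account = Account.new)
  account.update_attributes(PARAMS)
end
```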
