Marcel Molina Jr. wrote:
On Wed, May 24, 2006 at 03:30:56AM +0200, Laszlo Gyula wrote:
I was a little concerned with the rails de-facto update method (as used
in rails's scaffolds), because it simply calls
<model>.update_attributes(params[:<model>]). This is very DRY indeed, but
when some of the table's fields contain valuable information that should
be writable only by certain actions, you have to add some lines manually.
Some code to demonstrate a potential weak scenario:
You can set attributes as protected from mass assignment with attr_protected.
When an attribute is protected, only some_object.the_protected_attribute =
'value' will set it. When assigned using mass assignment, such as
some_object.attributes = hash_of_attrs, it will simply be skipped.
http://api.rubyonrails.com/classes/ActiveRecord/Base.html#M000873
marcel
Actually, this isn't what I was exactly looking for, mine is just a
convenient form to clean up the controller, and
to indicate (for ruby and equally for myself) exactly which attributes
are to be updated, while attr_protected seals the
whole model.
Anyway, thanks for the help!
Gyula Laszlo
profund D&S
http://profund.hu
_______________________________________________
Rails-core mailing list
Rails-core@lists.rubyonrails.org
http://lists.rubyonrails.org/mailman/listinfo/rails-core
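
The distinction discussed in this thread, model-wide attr_protected versus a per-action list of attributes that may be updated, as an added example that is not part of the original messages and is not Rails code. TinyModel, permitted and update_with are hypothetical plain-Ruby stand-ins, and the request parameters are constructed.

```ruby
# Plain Ruby, no Rails required. TinyModel is a hypothetical stand-in for an
# ActiveRecord model; it only mimics the mass-assignment behaviour described.
class TinyModel
  def self.attr_protected(*names)
    protected_attrs.concat(names.map(&:to_s))
  end

  def self.protected_attrs
    @protected_attrs ||= []
  end

  attr_reader :values

  def initialize(values = {})
    @values = values.transform_keys(&:to_s)
  end

  # Mass assignment: protected keys are silently skipped.
  def attributes=(hash)
    hash.each do |key, value|
      next if self.class.protected_attrs.include?(key.to_s)
      @values[key.to_s] = value
    end
  end

  # Direct assignment of one attribute always goes through.
  def write(name, value)
    @values[name.to_s] = value
  end
end

class OpenUser < TinyModel; end   # no protection declared

class SealedUser < TinyModel      # protection declared once, for every action
  attr_protected :admin
end

# Controller-side allow-list: each action names exactly what it may update.
def permitted(params, *allowed)
  allowed = allowed.map(&:to_s)
  params.select { |key, _| allowed.include?(key.to_s) }
end

# Constructed parameters: a profile form carrying one field the form never had.
FORGED = { "name" => "mallory", "admin" => "1" }.freeze

def update_with(model_class, params)
  user = model_class.new("name" => "old", "admin" => "0")
  user.attributes = params
  user.values
end
```

Passing FORGED to OpenUser changes both fields, while SealedUser and the allow-listed call on OpenUser both leave admin untouched; the allow-list additionally lets a different action permit a different set of fields.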