It just doesn't seem very ruby-esque to shield the 'forbidden' attributes with attr_accessors. Since on one form you might be allowed to change it, yet on a different one you won't have that field supplied.

You obviously don't want to hard code your data entry restrictions on controller level. That violates the DRY principle. When I change the form to allow someone to edit an extra field, I also have to 'open up' this field in the controller. The form fields I specify in the form are the only fields the user is allowed to change on that particular entry point. Why don't we take this given as leading and mould our controllers and models to this set of allowed fields?

I am thinking about an idea very similar to the authenticity token from protect_from_forgery. Create a hash based on all the fields in a form and some server-side secret. Whenever the post params come in I know which fields are posted, so I can recreate this hash and compare. That way only the fields that I initially supplied in the form are allowed. No more and no less.
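The field-list signature sketched in the post, as an added illustration (not code from the post or from Rails). It assumes a server-side secret, a hidden field named `fields_signature`, and flat params keyed by the rendered field names such as `user[name]`; it also mixes a form identifier into the HMAC so a token issued for one form cannot be replayed against another.

```ruby
require 'openssl'

# Assumptions (not from the post): a server-side secret that never reaches the
# browser, and a hidden field named "fields_signature" that carries the token.
SERVER_SECRET = 'constructed-demo-secret-keep-this-server-side'.freeze
SIGNATURE_FIELD = 'fields_signature'.freeze

# Compute the token the form embeds: an HMAC over the form's identity plus the
# sorted, newline-separated names of every field it rendered. Binding the form
# id in prevents a token issued for one form being replayed against another.
def sign_permitted_fields(form_id, field_names, secret = SERVER_SECRET)
  canonical = [form_id, *field_names.map(&:to_s).sort].join("\n")
  OpenSSL::HMAC.hexdigest('SHA256', secret, canonical)
end

# Compare two strings without leaking where they first differ.
def constant_time_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# On submit: recompute the HMAC from the keys that were actually posted
# (excluding the signature itself) and accept the params only if the set
# matches exactly, so extra fields and dropped fields are both rejected.
# Returns the posted field hash on success, nil on any mismatch.
def permitted_params(form_id, params, secret = SERVER_SECRET)
  token = params[SIGNATURE_FIELD]
  submitted = params.reject { |k, _| k == SIGNATURE_FIELD }
  expected = sign_permitted_fields(form_id, submitted.keys, secret)
  constant_time_equal?(token, expected) ? submitted : nil
end

# Constructed demo: the edit form for user 42 renders two fields.
if __FILE__ == $PROGRAM_NAME
  form_fields = ['user[name]', 'user[email]']
  token = sign_permitted_fields('users/42/edit', form_fields)
  good = { 'user[name]' => 'Ann', 'user[email]' => 'ann@example.test', SIGNATURE_FIELD => token }
  puts permitted_params('users/42/edit', good).inspect
  tampered = good.merge('user[admin]' => '1')
  puts permitted_params('users/42/edit', tampered).inspect
end
```

Because the token covers only field names, the values remain free to change; this guards which attributes a given form may set, not what they are set to.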
