Ok, I've done some more reading and I think that I have this down now. 
Somebody tell me if I'm on the right/wrong path.

attr_accessible lists attributes that are open to mass-assignment. So, 
for security reasons, we shouldn't allow anything in attr_accessible 
that we wouldn't let the user define themselves.

Active Record automatically creates setter/getter methods for columns in 
databases - since my users table has a "name" column, for example, I can 
use @user.name in my models/views/controllers and it'll just work.

However, when I want to use a virtual attribute (something that isn't 
persisted in the database but that I still want to manipulate in Rails, 
like @user.signing_up), ActiveRecord can't do that for me, and I have to 
make setter/getter methods for that myself. I can make those with 
attr_accessor, but they won't be mass-assignable, and so they won't be 
vulnerable to mass-assignment attacks.

Finally, since the whitelist approach to security is better than the 
blacklist approach, attr_protected should just be ignored.

Do I have all that right?
-- 
Posted via http://www.ruby-forum.com/.
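The rules discussed in this post, as an added example that is not from the thread: a plain-Ruby stand-in for the attr_accessible whitelist that runs without ActiveRecord, with a User class that whitelists name and email and a Signup class that declares no whitelist at all. The module, class and method names are constructed for the demonstration.

```ruby
# Added example (not from the thread): a plain-Ruby stand-in for Rails'
# attr_accessible whitelist, runnable without ActiveRecord.
module MassAssignable
  def self.included(base)
    base.extend(ClassMethods)
  end
  module ClassMethods
    # Whitelist of attribute names open to mass assignment.
    def attr_accessible(*names)
      @accessible = names.map(&:to_s)
    end
    # nil means no whitelist was declared: every setter is reachable,
    # as in Rails 2/3 when a model omitted attr_accessible.
    def accessible_attributes
      @accessible
    end
  end
  # Mass assignment as done by Model.new(params[:user]): call the setter
  # for each hash key that passes the whitelist. Returns the dropped keys.
  def assign_attributes(attrs)
    whitelist = self.class.accessible_attributes
    dropped = []
    attrs.each do |key, value|
      key = key.to_s
      allowed = (whitelist.nil? || whitelist.include?(key)) && respond_to?("#{key}=")
      next dropped << key unless allowed
      public_send("#{key}=", value)
    end
    dropped
  end
end
# To mass assignment, a column setter (which ActiveRecord generates) and a
# hand-written virtual attribute look the same; only the whitelist decides.
class User
  include MassAssignable
  attr_accessor :name, :email, :admin   # database columns
  attr_accessor :signing_up             # virtual attribute, not persisted
  attr_accessible :name, :email         # whitelist
end
class Signup                            # same setters, whitelist forgotten
  include MassAssignable
  attr_accessor :name, :admin, :signing_up
end
# Constructed form parameters, including two fields a user must not set.
PARAMS = { "name" => "alice", "admin" => true, "signing_up" => true }.freeze
# Returns [record, dropped_keys] after mass-assigning params onto klass.
def mass_assign(klass, params = PARAMS)
  record = klass.new
  [record, record.assign_attributes(params)]
end
```

With the whitelist in place, the hand-written signing_up setter is dropped together with admin; without one, mass assignment reaches every setter, the virtual attribute included.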
