Sunday, July 14, 2013

Rails - Difference between attr_accessor and attr_accessible

http://stackoverflow.com/questions/3136420/difference-between-attr-accessor-and-attr-accessible
attr_accessor is a Ruby method that makes a getter and a setter. attr_accessible is a Rails method that allows you to pass in values to a mass assignment: new(attrs) or update_attributes(attrs).
Here's a mass assignment:
Order.new({ :type => 'Corn', :quantity => 6 })
You can imagine that the order might also have a discount code, say :price_off. If you don't tag :price_off as attr_accessible you stop malicious code from being able to do something like this:
Order.new({ :type => 'Corn', :quantity => 6, :price_off => 30 })
Even if your form doesn't have a field for :price_off, if it's in your model it's available by default. This means a crafted POST could still set it. Using attr_accessible whitelists those things that can be mass assigned.
http://stackoverflow.com/questions/4838399/how-i-can-set-attr-accessible-in-order-to-not-allow-access-to-any-of-the-field
By default the attributes are all attr_accessible (which means they can be set by mass-assignment).
  • attr_accessible - only this list of attributes can be set by mass-assignment (white-listing).
  • attr_protected - these attributes cannot be set by mass-assignment (black-listing).
  • attr_readonly - these attributes cannot be set except for when the record is created.
Beginning with Rails 3.1, the following configuration option is available to disable mass-assignment by default for all models until you explicitly call attr_accessible or attr_protected:
config.active_record.whitelist_attributes = true
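The whitelist mechanism the two answers above describe, as an added example in plain Ruby rather than ActiveRecord's own code: the MassAssignable module, the Order class and the FORGED_PARAMS hash are constructed for illustration, and attr_accessible here is a hypothetical stand-in for the Rails macro.

```ruby
require 'set'

# Plain-Ruby model of the mechanism discussed above (constructed example, not
# ActiveRecord code): attr_accessor gives every column a getter and a setter,
# while this stand-in attr_accessible records a whitelist that new(attrs) and
# update_attributes(attrs) consult before assigning anything.
module MassAssignable
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Whitelist the attribute names that mass assignment may touch.
    def attr_accessible(*names)
      accessible.merge(names.map(&:to_sym))
    end

    def accessible
      @accessible ||= Set.new
    end

    # Keys in a submitted hash that the whitelist will drop; useful for
    # logging a request that tries to set a field the form never exposed.
    def rejected_keys(attrs)
      attrs.keys.map(&:to_sym) - accessible.to_a
    end
  end

  def initialize(attrs = {})
    update_attributes(attrs)
  end

  # Assign only whitelisted keys; everything else is ignored, which is what
  # Rails 3.x did for attributes not tagged attr_accessible.
  def update_attributes(attrs)
    attrs.each do |key, value|
      next unless self.class.accessible.include?(key.to_sym)
      public_send("#{key}=", value)
    end
    self
  end
end

class Order
  include MassAssignable
  attr_accessor :type, :quantity, :price_off   # all three exist on the model
  attr_accessible :type, :quantity             # only these may be mass-assigned
end

# A crafted POST body (constructed input) that smuggles in the discount field.
FORGED_PARAMS = { :type => 'Corn', :quantity => 6, :price_off => 30 }

def forged_order
  Order.new(FORGED_PARAMS)
end
```

Order.rejected_keys(FORGED_PARAMS) returns [:price_off], which is the value a controller would want to log when a request carries fields outside the whitelist.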
