Reputation: 98
I just had a general question about Ruby on Rails and the attr_accessible attributes that go in the models (Rails 3). Can someone explain which model attributes are supposed to be defined there? I remember something about risk for mass assignment, though I'm not too knowledgeable in this aspect... Thanks :)
Upvotes: 5
Views: 5974
Reputation: 9752
The Rails ActiveRecord documentation has some good detail on the topic.
Basically attr_accessible:
Specifies a white list of model attributes that can be set via mass-assignment.
And attr_protected:
Mass-assignment to these attributes will simply be ignored, to assign to them you can use direct writer methods. This is meant to protect sensitive attributes from being overwritten by malicious users tampering with URLs or forms.
Think of attr_accessible as a list of the attributes you want a user to be able to set through a form; anything not on this list won't be able to be set through mass assignment, which ensures that you keep the sensitive values in your database protected from a malicious user. This is a small step toward keeping your application secure, and you should take a look at the Rails Security Guide if you want to follow Rails best practices.
Upvotes: 1
Reputation: 1
attr_accessible is the Rails feature with the help of which we can permit mass-assignment for model attributes. It is just the opposite of attr_protected in functionality.
To make a particular attribute available for mass-assignment we use attr_accessible as follows:
class Person < ActiveRecord::Base
  # only :name may be set through mass assignment; every other column is ignored
  attr_accessible :name
end
For a more detailed explanation of attr_accessible and Strong Parameters you can visit the link given below:
http://findnerd.com/list/view/attr-accessible-in-Rails-4/3654/
Upvotes: 0
Reputation: 27222
Imagine an order class with some fields:
Order.new({ :type => 'Corn', :quantity => 6 })
Now imagine that the order also has a discount code, say :price_off. You wouldn't want to tag :price_off as attr_accessible. This stops malicious code from being able to craft a post that ends up doing something like so:
Order.new({ :type => 'Corn', :quantity => 6, :price_off => 30 })
Even if your form doesn't have a field for :price_off, if it's just in your model by default it's available. A crafted POST could still set it.
Using attr_accessible whitelists those things that can be mass assigned and protects fields that you want explicit control of in your code.
Difference between attr_accessor and attr_accessible has some additional links.
Upvotes: 5
Reputation: 6312
attr_accessible allows you to define a whitelist of attributes on the model that can be mass assigned. So if you have 10 attrs but only whitelist 3 of them, only those three can be mass assigned.
class Foo < ActiveRecord::Base
  # let's say you have attrs one, two, three
  attr_accessible :one, :two
end
# You can do this:
Foo.new({:one => 1, :two => 2})
# if you were to do this:
Foo.new({:one => 1, :two => 2, :three => 3})
# Foo's three attr would not be set
Upvotes: 4
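As an added illustration that is not part of any answer above, here is a dependency-free Ruby sketch of the whitelist behaviour the Order and Foo answers describe; the MassAssignable module and the Order class are constructed for this example and are not Rails' own ActiveRecord implementation.

```ruby
# Constructed, Rails-free re-implementation of the attr_accessible whitelist:
# mass assignment walks the incoming params hash and silently drops any key
# that is not whitelisted, which is what Rails 3 does by default.
module MassAssignable
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Whitelist: only these attributes may be set via mass assignment.
    def attr_accessible(*names)
      @accessible = names.map(&:to_sym)
      attr_accessor(*names)
    end

    def accessible_attributes
      @accessible || []
    end
  end

  # Mass assignment entry point, as used by Model.new(params[:model]).
  def assign_attributes(params)
    params.each do |key, value|
      next unless self.class.accessible_attributes.include?(key.to_sym)
      public_send("#{key}=", value)
    end
    self
  end

  def initialize(params = {})
    assign_attributes(params)
  end
end

# The order model from the answer above: :price_off is deliberately kept off
# the whitelist, but still has a direct writer for use in your own code.
class Order
  include MassAssignable
  attr_accessible :type, :quantity
  attr_accessor :price_off
end

# A request whose form had no price_off field but whose POST body carries one
# (constructed sample input): the extra key is dropped, not applied.
def build_order_from_crafted_post
  Order.new('type' => 'Corn', 'quantity' => 6, 'price_off' => 30)
end
```

Compare with the direct writer: after mass assignment `order.price_off = 30` still works, because the whitelist only governs the hash-based path.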