
How does attr_accessible work in Rails?

I just had a general question about Ruby on Rails and the attr_accessible attributes that go in the models (Rails 3). Can someone explain which model attributes are supposed to be defined there? I remember something about risk for mass assignment, though I'm not too knowledgeable in this aspect... Thanks :)

Imagine an order class with some fields:

Order.new({ :type => 'Corn', :quantity => 6 })

Now imagine that the order also has a discount code, say :price_off. You wouldn't want to tag :price_off as attr_accessible. This stops malicious code from being able to craft a post that ends up doing something like so:

Order.new({ :type => 'Corn', :quantity => 6, :price_off => 30 })

Even if your form doesn't have a field for :price_off, if it's just in your model, by default it's available. A crafted POST could still set it.

Using attr_accessible white lists those things that can be mass assigned and protects fields that you want explicit control of in your code.

Difference between attr_accessor and attr_accessible has some additional links.

attr_accessible allows you to define a whitelist of attributes on the model that can be mass assigned. So if you have 10 attrs but only whitelist 3 of them, only those three can be mass assigned.

class Foo < ActiveRecord::Base
  # let's say you have attrs one, two, three
  attr_accessible :one, :two
end

# You can do this:
Foo.new({:one => 1, :two => 2})

# if you were to do this:
Foo.new({:one => 1, :two => 2, :three => 3})
# Foo's three attr would not be set
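The two answers above describe the same mechanism: a whitelist of attributes that a params hash may write, with everything else (the :price_off discount, the :three attr) silently dropped. The following is an added example, not code from either answer and not Rails' own implementation: it is a small plain-Ruby stand-in for the attr_accessible behaviour so the effect can be run without ActiveRecord. The MassAssignable module, the Order class, and the two params hashes are all constructed for this illustration.

```ruby
# Added example: a minimal stand-in for Rails 3's attr_accessible whitelist,
# written in plain Ruby so it runs without ActiveRecord. MassAssignable and
# Order are constructed for this illustration; they are not Rails' code.
module MassAssignable
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Declare which attributes a caller may set through the attributes hash.
    def attr_accessible(*names)
      @accessible = names.map(&:to_sym)
    end

    def accessible_attributes
      @accessible || []
    end
  end

  # Mass-assign from a params-like hash: only whitelisted keys are written,
  # everything else is dropped. Returns the list of dropped keys so the
  # caller can log them (Rails 3 logs a warning for the same situation).
  def assign_attributes(attrs)
    dropped = []
    attrs.each do |key, value|
      if self.class.accessible_attributes.include?(key.to_sym)
        instance_variable_set("@#{key}", value)
      else
        dropped << key.to_sym
      end
    end
    dropped
  end
end

class Order
  include MassAssignable
  attr_reader :type, :quantity, :price_off, :dropped

  # :price_off is deliberately left off the whitelist.
  attr_accessible :type, :quantity

  def initialize(attrs = {})
    @price_off = 0
    @dropped = assign_attributes(attrs)
  end

  # The only sanctioned way to change the discount: an explicit writer,
  # called from application code that has already checked authorization.
  def apply_discount!(amount)
    @price_off = amount
  end
end

# Constructed request bodies: the form's legitimate fields, and a tampered
# copy that adds the :price_off field the form never exposed.
LEGIT_PARAMS    = { type: 'Corn', quantity: 6 }
TAMPERED_PARAMS = { type: 'Corn', quantity: 6, price_off: 30 }

def build_order(params)
  Order.new(params)
end

if __FILE__ == $PROGRAM_NAME
  [LEGIT_PARAMS, TAMPERED_PARAMS].each do |params|
    order = build_order(params)
    puts "params=#{params.inspect} -> price_off=#{order.price_off} " \
         "dropped=#{order.dropped.inspect}"
  end
end
```

Running the file shows the tampered request ending up with price_off still 0 and :price_off in the dropped list; the discount can only be changed through apply_discount!, which is exactly the "direct writer methods" path the attr_protected documentation refers to. Logging the dropped keys is worth keeping in a real application, since a request that carries fields the form never had is a useful signal of tampering.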

The Rails ActiveRecord documentation has some good detail on the topic.

Basically attr_accessible:

Specifies a white list of model attributes that can be set via mass-assignment.

And attr_protected:

Mass-assignment to these attributes will simply be ignored, to assign to them you can use direct writer methods. This is meant to protect sensitive attributes from being overwritten by malicious users tampering with URLs or forms.

Think of attr_accessible as a list of the attributes you want a user to be able to set through a form. Anything not on this list won't be able to be set through mass assignment, which ensures that you keep the sensitive values in your database protected from a malicious user. This is a small step to keeping your application secure, and you should take a look at the Rails Security Guide if you want to follow Rails best practices.

attr_accessible is the rails feature with the help of which we can permit mass-assignment for model attributes. It is just opposite to attr_protected in functionality.

To make a particular attribute available for mass-assignment we use attr_accessible as follows:

class Person < ActiveRecord::Base
  attr_accessible :name
end



For more detailed explanation about attr_accessible and Strong parameters you can visit the link given below:

http://findnerd.com/list/view/attr-accessible-in-Rails-4/3654/
