Update 'getting started' guides for new whitelist security implementation. Closes #6286.
1 parent 9cead4a commit ccf80c2ec458586d3a7a534dcca5622ad6ff7ee3 Erich Menge committed May 12, 2012
Showing with 16 additions and 1 deletion.
  1. +16 −1 railties/guides/source/getting_started.textile
@@ -685,14 +685,17 @@ The model file, +app/models/post.rb+ is about as simple as it can get:
<ruby>
class Post < ActiveRecord::Base
+ attr_accessible :content, :name, :title
end
</ruby>
There isn't much to this file - but note that the +Post+ class inherits from
+ActiveRecord::Base+. Active Record supplies a great deal of functionality to
your Rails models for free, including basic database CRUD (Create, Read, Update,
Destroy) operations, data validation, as well as sophisticated search support
-and the ability to relate multiple models to one another.
+and the ability to relate multiple models to one another. Another important part
+of this file is +attr_accessible+. It specifies a whitelist of attributes that are
+allowed to be updated in bulk (via +update_attributes+ for instance).
h4. Adding Some Validation
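Review bot: the new sentence at the end of this hunk narrows mass assignment to "updated in bulk (via +update_attributes+ for instance)", but the scaffolded controller the guide builds also does +Post.new(params[:post])+ and +create+, and those go through the same whitelist. Suggest "allowed to be set in bulk from a params hash (via +new+, +create+ or +update_attributes+)", so the reader understands why the line matters on creation as well and not only on edit. It would also help to say what happens to a key that is not on the list, since the reader will hit that the first time they add a column to the form.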
@@ -701,6 +704,8 @@ Open the +app/models/post.rb+ file and edit it:
<ruby>
class Post < ActiveRecord::Base
+ attr_accessible :content, :name, :title
+
validates :name, :presence => true
validates :title, :presence => true,
:length => { :minimum => 5 }
@@ -1218,6 +1223,8 @@ You'll need to edit the +post.rb+ file to add the other side of the association:
<ruby>
class Post < ActiveRecord::Base
+ attr_accessible :content, :name, :title
+
validates :name, :presence => true
validates :title, :presence => true,
:length => { :minimum => 5 }
@@ -1605,6 +1612,8 @@ model, +app/models/post.rb+, as follows:
<ruby>
class Post < ActiveRecord::Base
+ attr_accessible :content, :name, :title
+
validates :name, :presence => true
validates :title, :presence => true,
:length => { :minimum => 5 }
@@ -1686,6 +1695,8 @@ edit tags via posts:
<ruby>
class Post < ActiveRecord::Base
+ attr_accessible :content, :name, :title, :tags_attributes
+
validates :name, :presence => true
validates :title, :presence => true,
:length => { :minimum => 5 }
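Review bot: whitelisting +:tags_attributes+ only lets the nested hash reach +Post+; each entry inside it is still assigned to a +Tag+ through that model's own mass-assignment protection, so +Tag+ needs its own +attr_accessible+ for the tag fields (the +id+ and +_destroy+ keys are handled by nested attributes and do not need whitelisting). Since the guide shows the full +post.rb+ listing here, consider showing the matching +tag.rb+ line too, or stating that the model generator already added it, otherwise a reader who wrote +tag.rb+ by hand gets a failure on the tag side that this hunk does not explain.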
@@ -1703,6 +1714,10 @@ nested attributes (you'll handle that by displaying a "remove" checkbox on the
view that you'll build shortly). The +:reject_if+ option prevents saving new
tags that do not have any attributes filled in.
+Also note we had to add +:tags_attributes+ to the +attr_accessible+ list. If
+we didn't do this there would be a +MassAssignmentSecurity+ exception when we try to
+update tags through our posts model.
+
We will modify +views/posts/_form.html.erb+ to render a partial to make a tag:
<erb>
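Review bot: the added paragraph names the failure as "a +MassAssignmentSecurity+ exception"; the class actually raised is +ActiveModel::MassAssignmentSecurity::Error+, and it is worth spelling out so the reader can match it against the backtrace. Also add the caveat that the exception is only raised when +config.active_record.mass_assignment_sanitizer+ is +:strict+ (which the generated development and test configs set); with the default +:logger+ sanitizer the unlisted +tags_attributes+ key is silently dropped and only logged, so in production the symptom is tags that never save rather than an error. Suggest: "you would get an +ActiveModel::MassAssignmentSecurity::Error+ in development (where the strict sanitizer is on), and the tag attributes would be silently discarded elsewhere."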
