Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Enhance explanation with more examples for attr_accessible macro. Clo…

…ses #8095 [fearoffish, Marcel Molina]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8107 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
  • Loading branch information...
commit f770b829f4b363888b1af4bc7059bc45637a7ba2 1 parent 9450262
Marcel Molina authored
Showing with 21 additions and 12 deletions.
  1. +2 −0  activerecord/CHANGELOG
  2. +19 −12 activerecord/lib/active_record/base.rb
2  activerecord/CHANGELOG
View
@@ -1,5 +1,7 @@
*SVN*
+* Enhance explanation with more examples for attr_accessible macro. Closes #8095 [fearoffish, Marcel Molina]
+
* Update association/method mapping table to refected latest collection methods for has_many :through. Closes #8772 [lifofifo]
* Explain semantics of having several different AR instances in a transaction block. Closes #9036 [jacobat, Marcel Molina]
31 activerecord/lib/active_record/base.rb
View
@@ -645,24 +645,31 @@ def protected_attributes # :nodoc:
read_inheritable_attribute("attr_protected")
end
- # If this macro is used, only those attributes named in it will be accessible for mass-assignment, such as
- # <tt>new(attributes)</tt> and <tt>attributes=(attributes)</tt>. This is the more conservative choice for mass-assignment
- # protection.
+ # Similar to the attr_protected macro, this protects attributes of your model from mass-assignment,
+ # such as <tt>new(attributes)</tt> and <tt>attributes=(attributes)</tt>
+ # however, it does it in the opposite way. This locks all attributes and only allows access to the
+ # attributes specified. Assignment to attributes not in this list will be ignored and need to be set
+ # using the direct writer methods instead. This is meant to protect sensitive attributes from being
+ # overwritten by URL/form hackers. If you'd rather start from an all-open default and restrict
+ # attributes as needed, have a look at attr_protected.
+ #
+ # ==== Options
#
- # Example:
+ # <tt>*attributes</tt> A comma separated list of symbols that represent columns _not_ to be protected
+ #
+ # ==== Examples
#
# class Customer < ActiveRecord::Base
- # attr_accessible :phone, :email
+ # attr_accessible :name, :nickname
# end
#
- # Passing an empty argument list protects all attributes:
- #
- # class Product < ActiveRecord::Base
- # attr_accessible # none
- # end
+ # customer = Customer.new(:name => "David", :nickname => "Dave", :credit_rating => "Excellent")
+ # customer.credit_rating # => nil
+ # customer.attributes = { :name => "Jolly fellow", :credit_rating => "Superb" }
+ # customer.credit_rating # => nil
#
- # If you'd rather start from an all-open default and restrict attributes as needed, have a look at
- # attr_protected.
+ # customer.credit_rating = "Average"
+ # customer.credit_rating # => "Average"
def attr_accessible(*attributes)
write_inheritable_array("attr_accessible", attributes - (accessible_attributes || []))
end
Please sign in to comment.
Something went wrong with that request. Please try again.