I was looking at an authentication system which had this code:

  # prevents a user from submitting a crafted form that bypasses activation
  # anything else you want your user to change should be added here.
  attr_accessible :login, :email, :password, :password_confirmation, :first_name, :last_name

I don't understand why attr_accessible is applied to these properties.

Is the comment correct that this prevents a user from forging a form to manipulate user data? If so, why?

+1  A: 

attr_accessible indicates which properties can be accessed via mass-assignment. If you had an action on your controller that did mass-assignment and you didn't use this method, the user could alter data that you didn't intend to let them alter.

In this case, a user could bypass activation by adding a parameter to the form POST for the boolean activated field, thus creating a user without verifying that they have a legitimate email address. (Assuming it's called activated.) This would be a big problem if your system has the potential for things like comment spam.

API documentation for attr_accessible

Bob Aman
A: 

What attr_accessible is really doing is making the other attributes protected. It's the opposite of the attr_protected macro. Rails will generate thing= methods automatically, so attr_protected is harder to use than the whitelist version, attr_accessible.

The idea is to protect sensitive fields from users manipulating URLs and forms.

DigitalRoss
Yeah, it'd be much clearer with the `attr_protected` method, but whitelists are always a better idea than blacklists.
Bob Aman
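As an added example (not code from the question or either answer, and not Rails itself), here is a plain-Ruby stand-in for ActiveRecord mass assignment that shows what both answers describe: with no whitelist a forged `activated` parameter in the POST sets the field, and with `attr_accessible :login, :email` it is dropped. The class names, the `activated` column and the request parameters are constructed for the illustration.

```ruby
# Tiny stand-in for ActiveRecord's mass assignment (no Rails needed):
# attr_accessible records a whitelist and attributes= drops every key
# that is not on it, so a forged parameter never reaches the writer.
class MiniModel
  def self.attr_accessible(*names)
    @accessible = names.map(&:to_s)
  end

  def self.accessible
    @accessible # nil means "no whitelist declared"
  end

  # Mass assignment as a controller does it with User.new(params[:user]).
  # Without a whitelist every writer method is reachable from the request.
  def attributes=(params)
    whitelist = self.class.accessible
    params.each do |key, value|
      name = key.to_s
      next unless respond_to?("#{name}=")
      next if whitelist && !whitelist.include?(name)
      public_send("#{name}=", value)
    end
  end

  def initialize(params = {})
    @activated = false # meant to flip only after e-mail verification
    self.attributes = params
  end
end

# Unsafe: no whitelist, so a crafted "activated" parameter lands in the model.
class UnsafeUser < MiniModel
  attr_accessor :login, :email, :activated
end

# Safe: same columns, but only login and email are mass-assignable.
class SafeUser < MiniModel
  attr_accessor :login, :email, :activated
  attr_accessible :login, :email
end

# Constructed signup parameters with the forged field appended by the client.
FORGED_PARAMS = {
  "login" => "alice", "email" => "alice@example.com", "activated" => true
}.freeze

# Returns the activation state right after a mass-assigned signup.
def activated_after_signup(klass)
  klass.new(FORGED_PARAMS).activated
end
```

Real Rails logs or raises on a non-whitelisted attribute rather than dropping it silently; the outcome for the forged field is the same.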