When I use attr_accessible to specify which fields from my model I will expose, is it true for script/console as well? I mean, something that I didn't specify as attr_accessible won't be accessible through the console either?

A: 

I found why:

Specifies a white list of model attributes that can be set via mass-assignment, such as new(attributes), update_attributes(attributes), or attributes=(attributes). This is the opposite of the attr_protected macro: Mass-assignment will only set attributes in this list, to assign to the rest of attributes you can use direct writer methods. This is meant to protect sensitive attributes from being overwritten by malicious users tampering with URLs or forms. If you'd rather start from an all-open default and restrict attributes as needed, have a look at attr_protected.

So it means that it just avoids mass-assignment, but I can still set a value.

VP
+2  A: 

The console behaves exactly as your Rails application. If you protected some attributes for a specific model, you won't be able to mass assign these attributes either from console or from the Rails app itself.

Simone Carletti
+2  A: 

This is only true for mass assignment. For instance, if you were to set attr_protected :protected in your model:

>> Person.new(:protected => "test")
=> #<Person protected: nil>

Conversely, you could set all attributes you want as accessible using attr_accessible.

However, the following will still work:

>> person = Person.new
=> #<Person protected: nil>
>> person.protected = "test"
=> #<Person protected: "test">

This is the same behaviour as in controllers, views, etc. attr_protected only protects against mass assignment of variables, primarily from forms, etc.

Josh
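
The behaviour the answers describe, as an added example that is not part of the original thread and is not Rails' own code: a simplified pure-Ruby model of an attr_accessible whitelist, showing that a tampered attributes hash is filtered on mass assignment while the direct writer still works. MiniModel, rejected and the sample hash are hypothetical names and constructed data.

```ruby
# Simplified pure-Ruby model of the whitelist behaviour discussed above.
# NOT ActiveRecord's implementation; MiniModel and its internals are hypothetical.
class MiniModel
  # Keys that mass assignment dropped, kept so the caller can log them.
  attr_reader :rejected

  def self.attr_accessible(*names)
    accessible_attributes.concat(names.map(&:to_sym))
  end

  def self.accessible_attributes
    @accessible_attributes ||= []
  end

  # Mass-assignment entry point, the same path from a controller or the console.
  def initialize(attributes = {})
    @rejected = []
    self.attributes = attributes
  end

  def attributes=(attributes)
    attributes.each do |key, value|
      if self.class.accessible_attributes.include?(key.to_sym)
        public_send("#{key}=", value)
      else
        @rejected << key.to_sym # not whitelisted: never reaches the writer
      end
    end
  end
end

class Person < MiniModel
  attr_accessor :name, :admin # plain Ruby writers, always callable directly
  attr_accessible :name       # only :name may be set through mass assignment
end

# Constructed sample input: a form submission carrying an extra, tampered field.
TAMPERED_PARAMS = { "name" => "alice", "admin" => true }.freeze

def demo
  mass = Person.new(TAMPERED_PARAMS)
  direct = Person.new
  direct.admin = true # direct writer is outside the whitelist's scope
  { mass_name: mass.name, mass_admin: mass.admin,
    rejected: mass.rejected, direct_admin: direct.admin }
end
```

The whitelist only guards the hash-based path, so code that calls a writer directly on behalf of user input still needs its own authorization check.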