Hacking attr_accessible to support a different set of accessible attributes for create and update

Question

I'm trying to figure out how to make this hack for attr_accessible to support a really common use case in my code, but really after looking at attr_acessible and ActiveRecord::Base source code for a while, still don't know where to start. I can probably figure it out after digging deeper, but first I'd like to ask if anyone else would find this hack useful, if there's some other way to do this right now,

---

Here's the use case:

For many models, the attributes that should be accessible through mass assignment are different when creating the object and when updating the object. One simple example is a User model that has two attributes: username, and password. When the object is just being created, I want both username and password to be accessible through mass assignment. After the object is created, only password should be accessible through mass assignment, because it shouldn't be possible to change the username.

Of course I could just set the username for the object manually in my controller's create method, but I find that some version of this case happens with every model. If it was possible to specify a different set of attr_accessible attributes for creates and updates, I could continue to use my standard restful new and create methods (for example as provided by inherited_resources). Besides I think this info belongs in the model.

So here's how I think it could work:

class User < ActiveRecord::Base
  attr_accessible :password
  attr_accessible_create :email
  attr_accessible_update :bio
...

What would happen is that when the object is created, password and email would be accessible through mass assignment. When the object is updated, email and bio would be accessible through mass assignment.

This could also work through black listing via attr_protected. Same example with black listing:

class User < ActiveRecord::Base
  attr_accessible :email, :password, :bio
  attr_protected_create :bio
  attr_protected_update :email
...

Or alternatively the syntax could be more like this:

attr_accessible :password, :create => [:email], :update => [:bio]

With these hacks, you can continue to use User.update_attributes(params[:user]) and User.new(params[:user]) in your controllers and know that the mass assignment stuff is taken care of. If your controllers are created by something like inherited_resources (which seriously rocks and keeps getting better) or resource_controller, you don't have to worry about creating custom controller actions for this simple, common use case.

---

The questions to you, my expert Rails users:

1. Is there a way to do this now that I'm overlooking, as a Ruby/Rails newbie?
2. Would you find this functionality useful, if it were supported?
3. Which syntax do you like better:
   1. attr_accessible_update and attr_accessible_create
   2. attr_accessible :update => [], :create => []
   3. support both, dude!
4. Should I make this into a gem?
5. If you know where the parameters are sanitized during new/create/update/build with attr_accessible/attr_protected values, it would be great if you could point it out.

Thanks!

Answer 1

ActiveRecord has an attr_readonly method that should do what you need.

Answer 2

I'm pretty sure this kind of functionality doesn't currently exist.

If you go ahead and try to implement this as a gem, I'd probably be a bigger fan of the #2 syntax you proposed. As a general rule now, you can only use either attr_protected or attr_accessible in a model once, and you can't mix them. Adding more attr_* statements might get confusing.

Should you implement this as a gem? Why not? No harm in putting something else out there that at least you find helpful.

Sorry I can't help you on your last point. :)