ansaurus

Question

what is difference between attr_accessible(*attributes) & attr_protected(*attributes)

Answer 1

+8 A:

attr_accessible (documentation) says "the specified attributes are accessible and all others are protected" (think of it as whitelisting.)

whereas

attr_protected (documentation) says "the specified attributes are protected and all others are accessible" (think of it as blacklisting.)

A protected attribute is one that can only be modified explicitly (e.g. via attribute=) and can't be updated via mass assignment (e.g. using model.update_attributes or by passing attributes to new). Attempts to update protected attributes via mass assignment are silently ignored without raising an exception.

The classic example would be if a User model had an is_admin attribute you could protect that attribute to prevent form submissions that would allow any user to be set as an administrator.

example:

class User < ActiveRecord::Base
  # explicitly protect is_admin, any new attributes added to the model
  # in future will be unprotected so we need to remember to come back
  # and add any other sensitive attributes here in the future
  attr_protected :is_admin
end

compared with:

class User < ActiveRecord::Base
  # explicitly unprotect name and bio, any new attributes added to the model
  # in the future will need to be listed here if we want them to be accessible
  attr_accessible :name, :bio
end

Now, assuming is_admin attribute is protected:

> u = User.find_by_name('mikej')
> u.is_admin?
false
> u.update_attributes(:name => 'new name', :is_admin => true)
> u.is_admin?
false
> u.name
"new name" 
> u.is_admin = true # setting it explicitly
> u.save
> u.is_admin?
true

mikej 2010-04-16 12:34:45

That's an excellent answer.

John Topley 2010-04-16 13:02:46

can we use them together?

Salil 2010-04-16 13:04:29

yes, but attributes might to be different

fl00r 2010-04-16 13:06:04

No, you can only use one or the other. If you include both in a class then you won't see an error when the class is first loaded but it will probably manifest itself as `NoMethodError: You have a nil object when you didn't expect it!` when you try to use the class.

mikej 2010-04-16 13:17:48

Thanks, @John. Comment appreciated.

mikej 2010-04-16 13:20:51

@mikej:- thanx excellent answer 'll like to know more on this pls provide if u know any link etc.cheer's

Salil 2010-04-16 15:37:20

@Salil take a look at this blog post: http://b.lesseverything.com/2008/3/11/use-attr_protected-or-we-will-hack-you for another example and post another comment or start a new question if you have any specific things you'd like to know.

mikej 2010-04-20 07:03:15

Answer 2

+1 A:

attr_accessible is a white list for mass-assignment ...

class Foo < ActiveRecord::Base #has attributes foo and bar
  attr_accessible :foo
end
f = Foo.new :foo => "test", :bar => "test"
f.foo #=> "test"
f.bar #=> nil

attr_proteceted is a black list for mass assignment ...

class Foo < ActiveRecord::Base #has attributes foo and bar
  attr_protected :bar
end
f = Foo.new :foo => "test", :bar => "test"
f.foo #=> "test"
f.bar #=> nil

gregor 2010-04-16 12:39:53

ansaurus

tags:

views:

answers:

what is difference between attr_accessible(attributes) & attr_protected(attributes)

related questions