Hi All,

I want to know what the difference is between attr_accessible(*attributes) & attr_protected(*attributes) with examples if any.

I see many developers use these in their models. I Googled for the differences but I don't get exactly what they are. Could someone explain to me the importance and its necessity in different scenarios?

Thanks in advance.

+8  A: 

attr_accessible (documentation) says "the specified attributes are accessible and all others are protected" (think of it as whitelisting.)

whereas

attr_protected (documentation) says "the specified attributes are protected and all others are accessible" (think of it as blacklisting.)

A protected attribute is one that can only be modified explicitly (e.g. via attribute=) and can't be updated via mass assignment (e.g. using model.update_attributes or by passing attributes to new). Attempts to update protected attributes via mass assignment are silently ignored without raising an exception.

The classic example would be if a User model had an is_admin attribute: you could protect that attribute to prevent form submissions that would allow any user to be set as an administrator.

example:

class User < ActiveRecord::Base
  # explicitly protect is_admin, any new attributes added to the model
  # in future will be unprotected so we need to remember to come back
  # and add any other sensitive attributes here in the future
  attr_protected :is_admin
end

compared with:

class User < ActiveRecord::Base
  # explicitly unprotect name and bio, any new attributes added to the model
  # in the future will need to be listed here if we want them to be accessible
  attr_accessible :name, :bio
end

Now, assuming is_admin attribute is protected:

> u = User.find_by_name('mikej')
> u.is_admin?
false
> u.update_attributes(:name => 'new name', :is_admin => true)
> u.is_admin?
false
> u.name
"new name" 
> u.is_admin = true # setting it explicitly
> u.save
> u.is_admin?
true
mikej
That's an excellent answer.
John Topley
can we use them together?
Salil
yes, but the attributes might have to be different
fl00r
No, you can only use one or the other. If you include both in a class then you won't see an error when the class is first loaded but it will probably manifest itself as `NoMethodError: You have a nil object when you didn't expect it!` when you try to use the class.
mikej
Thanks, @John. Comment appreciated.
mikej
@mikej: Thanks, excellent answer. I'd like to know more on this; please provide a link if you know of any. Cheers.
Salil
@Salil take a look at this blog post: http://b.lesseverything.com/2008/3/11/use-attr_protected-or-we-will-hack-you for another example and post another comment or start a new question if you have any specific things you'd like to know.
mikej
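What happens under each approach when a model gains an attribute later, as an added example that is not part of either answer and is not Rails code. `MiniModel`, `column`, `mass_assignable?`, `assigned`, the `account_balance` attribute and the submitted hash are constructed stand-ins that only imitate the filtering described in the answer above.

```ruby
# Hypothetical MiniModel: plain-Ruby stand-in for the filter, not ActiveRecord.
class MiniModel
  class << self
    attr_reader :columns, :accessible, :protected_attrs
    def column(*names)            # declare attributes, as a migration would
      (@columns ||= []).concat(names)
      attr_accessor(*names)
    end
    def attr_accessible(*names)   # whitelist: only these are mass-assignable
      @accessible = names
    end
    def attr_protected(*names)    # blacklist: everything but these
      @protected_attrs = names
    end
    def mass_assignable?(name)
      return false unless columns.include?(name)
      accessible ? accessible.include?(name) : !(protected_attrs || []).include?(name)
    end
  end

  def initialize(attrs = {})
    update_attributes(attrs)
  end

  def update_attributes(attrs)    # protected keys are dropped silently
    attrs.each { |key, value| public_send("#{key}=", value) if self.class.mass_assignable?(key.to_sym) }
    self
  end
end

class BlacklistUser < MiniModel
  column :name, :bio, :is_admin
  attr_protected :is_admin
  column :account_balance         # added later; blacklist was not updated
end

class WhitelistUser < MiniModel
  column :name, :bio, :is_admin
  attr_accessible :name, :bio
  column :account_balance         # added later; protected by default
end

# Constructed form parameters, including fields the form never offered.
SUBMITTED = { "name" => "mikej", "is_admin" => true, "account_balance" => 1_000_000 }.freeze

def assigned(model_class)
  user = model_class.new(SUBMITTED)
  { name: user.name, is_admin: user.is_admin, account_balance: user.account_balance }
end
```

`assigned(BlacklistUser)` returns `account_balance` set from the submitted hash, while `assigned(WhitelistUser)` leaves it `nil`; in both, `is_admin` stays unset until it is assigned explicitly.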
+1  A: 

attr_accessible is a white list for mass-assignment ...

class Foo < ActiveRecord::Base #has attributes foo and bar
  attr_accessible :foo
end
f = Foo.new :foo => "test", :bar => "test"
f.foo #=> "test"
f.bar #=> nil

attr_protected is a black list for mass assignment ...

class Foo < ActiveRecord::Base #has attributes foo and bar
  attr_protected :bar
end
f = Foo.new :foo => "test", :bar => "test"
f.foo #=> "test"
f.bar #=> nil
gregor