I have some code to made that :
This gist show a system to change all key on your model.
--
Cyril Mougel
http://blog.shingara.fr/
> I haven't thought the solution all the way through but that pops up as a red
> flag for me. If someone edits the html of the form and adds all kinds of
> custom fields, you have to at some point not allow them to do that or they
> could start cramming your database full of crap.
> Any thoughts on this?
That's a controller responsibility, not a model responsibility.
In case you are interested in my criticisms of attr_accessible (they
are related to this discussion I think) check out something I wrote
last year:
http://djwonk.com/blog/2008/05/23/improving-attr_accessible/
I don't understand what you mean. Can you be more specific?
What did you think of my specific arguments? To boil it down:
(1) There are times when you want full control over the model. Your
ORM should allow this and not get in your way.
(2) There are times when you don't trust user input and could use some
help at the controller level. I see this as a controller
responsibility myself -- but if you see this as something that belongs
in the model, it should be unobtrusive enough that it doesn't make (1)
difficult.
Hmmm. I'm not a big fan of this idea. Generally speaking, I don't like
the kind of design where the behavior of a method (.new or .create in
this case) depends on another setting (e.g. unsafe_mode). It is better
to use method name that have clear names that indicate what they do
without having to check on other 'settings'.
I think it is important to emphasize that there are use cases for
MongoMapper that don't involve the Web and parameter sanitization at
all. It is a persistence framework, not a Web framework. I say: let's
not add functionality where it doesn't belong.
If someone, despite all of this, wants to put in parameter
sanitization, it should not clash or break expectations with the
plain-vanilla versions of 'new' and 'create'.