is it safe to allow mass assignment of associations?
1 view
Skip to first unread message
Alan Bullock
unread,
Jul 21, 2010, 1:34:01 AM7/21/10
Reply to author
Sign in to reply to author
Forward
Sign in to forward
Delete
You do not have permission to delete messages in this group
Copy link
Report message
Show original message
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to Ruby on Rails: Talk
Item belongs_to :user
attr_accessible :user
is this safe? Item.user_id is still protected, and Item.user can't be
set by mass assignment from a web request because the parameters are
all strings - trying to assign a string to Item.user raises
AssociationTypeMismatch. Even setting params['item']['user'] to an
empty string would raise an error.
The benefit of this approach is that I can still use mass assignment
of associations in my own code.