attr_accessible on some properties + attr_protected on others makes class 'open-by-default'

In this type of case, it makes sense either to declare a whitelist or to declare a blacklist. But it doesn’t make much sense to declare both of them.

Solution #3: ActiveRecord (or ActiveModel) should raise if a class declares both a whitelist and a blacklist of mass-assignable attributes.

class Comment < ActiveRecord::Base
  attr_accessible :title
  attr_protected :author_id # raises immediately
end




Jay, this solution doesn’t play nice with inheritance.

Rafael Mendonça França

Yeah, Jay. Your solution won’t work with inheritance.

By deprecating the attr_protected, you can allow most of the attributes anyway (but seriously seriously seriously discouraged) by doing something like:

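# column_names (derived from columns) returns strings; columns itself returns Column objects
attr_accessible(*(column_names - %w[created_at updated_at]))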

Having attr_accessible and attr_protected together in the same model is just asking for trouble. You tell the model to whitelist, then you tell it again to blacklist.

  • Prem


What’s the conflict with inheritance?



Note that this may die in exciting ways if you put it in a model that hasn't been created in the DB yet. (since columns looks at the table metadata)

--Matt Jones
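
The following is an added example, not code from Rails or from anyone in this thread: a plain-Ruby model of Solution #3 that raises at declaration time when a class ends up with both kinds of list. It assumes lists are inherited from parent classes, so it also shows the check firing when a blacklist and a whitelist are split between a parent and a subclass, which is one possible reading of the inheritance objection above. All module, class and method names other than attr_accessible and attr_protected are hypothetical.

```ruby
# Added illustration in plain Ruby, no Rails. MassAssignmentLists,
# ConflictingListsError and the model classes are hypothetical names.
class ConflictingListsError < StandardError; end

module MassAssignmentLists
  def own_lists
    @own_lists ||= { accessible: [], protected: [] }
  end

  # A class sees its own declarations plus every ancestor's.
  def effective(kind)
    inherited = superclass.respond_to?(:effective) ? superclass.effective(kind) : []
    inherited + own_lists[kind]
  end

  def attr_accessible(*names)
    declare(:accessible, :protected, names)
  end

  def attr_protected(*names)
    declare(:protected, :accessible, names)
  end

  # Whitelist keeps only listed keys; blacklist drops only listed keys.
  def sanitize(params)
    allow = effective(:accessible)
    return params.select { |k, _| allow.include?(k.to_sym) } unless allow.empty?
    params.reject { |k, _| effective(:protected).include?(k.to_sym) }
  end

  private

  # Solution #3: refuse the second kind of list at declaration time.
  def declare(kind, other, names)
    raise ConflictingListsError, "#{kind} list conflicts with #{other} list" unless effective(other).empty?
    own_lists[kind].concat(names.map(&:to_sym))
  end
end

class Record; extend MassAssignmentLists; end
class Comment < Record; attr_accessible :title; end           # whitelist
class AuditedRecord < Record; attr_protected :author_id; end  # blacklist

# Constructed helper: reports whether a class body raised the conflict.
def outcome
  yield
  :ok
rescue ConflictingListsError
  :raised
end
```

With the blacklisting class, a key nobody thought to list (for example a constructed "is_admin" parameter) passes through sanitize, while the whitelisting class drops it.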