attr_accessible question

Hi! I'm new to Rails and to this forum, so let me know if I'm posting
incorrectly.

I'm trying to understand accessible attributes (attr_accessible). I'm
working with Ruby 1.9.3, and Rails 3.2.3.

Here's my scenario:
I have four tables: colors, shapes, customers, and widgets.
Colors table has id and color.
Shapes table has id and shape.
Customers table has id and customer.
Widgets table has id, color_id, shape_id, and customer_id.

The relationships are as you might expect:
colors, shapes, and customers all have many widgets, and
widgets belongs to colors, shapes, and customers.

To create a new widget in the widgets controller, I scope it through a
customer, roughly like this (syntax may have errors, but you get the
idea):
current_customer.widgets.create(color_id: params[:color], shape_id:
params[:shape])
(as you can probably guess, current_customer is the current logged-in
user)

Okay, so given that basic scenario, on to my questions.

My main question is whether I must keep the color_id and shape_id
attributes accessible via mass assignment in the widgets controller. Or,
is there a way to keep them inaccessible via mass assignment and still
make this work.

In other words, in Rails 3.2.3, do I need this line in my
app/models/widgets.rb file:
attr_accessible :color_id, :shape_id

So far I've tried leaving this out, but my rspec threw a mass assignment
security error because of this line in my spec:
before { @widget = customer.widgets.build(color_id: color.id, shape_id:
shape.id) }

If I leave these attributes accessible, am I leaving a security hole
(where a user can alter a color_id or shape_id of an existing record
without authorization)? Or is it sufficient that I've scoped the
creation of a widget through a current_user?

Thanks,
Brian

Okay, so given that basic scenario, on to my questions.

My main question is whether I must keep the color_id and shape_id
attributes accessible via mass assignment in the widgets controller. Or,
is there a way to keep them inaccessible via mass assignment and still
make this work.

If you want to be able to pass hashes with color/shape_id to build/
create/update_attributes then yes, you need those attr_accessible
statements.

Regardless of what attr_accessible stuff you have, you can always do

some_widget.color_id = params[:color]

as of the current versions, build and create should take blocks so you
could do

curent_customer.widgets.create do |widget|
  widget.colour_id = params[:colour]
  ..
end

In other words, in Rails 3.2.3, do I need this line in my
app/models/widgets.rb file:
attr_accessible :color_id, :shape_id

So far I've tried leaving this out, but my rspec threw a mass assignment
security error because of this line in my spec:
before { @widget = customer.widgets.build(color_id: color.id, shape_id:
shape.id) }

That is one of the annoyances of the attr_accessible stuff (the rails
core team are currently trialling a more controller based approach -
there was a post on the rails blog not that long ago) - in specs
you'll very often want to set arbitrary attributes. If you don't mark
the attributes as accessible, one way is

before{ @widget = customer.widgets.build({color_id: color.id,
shape_id:
shape.id}, without_protection: true) }

although I find the extra verboseness a bit annoying too.

If I leave these attributes accessible, am I leaving a security hole
(where a user can alter a color_id or shape_id of an existing record
without authorization)? Or is it sufficient that I've scoped the
creation of a widget through a current_user?

It largely depends on where/how you call build/create/
update_attributes. if you only ever called them on a scoped collection
or on a widget that you have already verified belongs to the customer
and if it is OK for a user to set color_id/shape_id to an arbitrary
value then there's no downside to making them attr_accessible. Or to
look at it another way, look at everywhere you call build/create/
update_attributes and ask yourself if you're ok with those calls
setting color_id/shape_id to an arbitrary value chosen by the user.

Fred