How to secure records??

This is best practice in Rails anyway, but you should protect certain
attributes of your Model from being mass assigned - for example in the
way you've defined below by editing a form source and resubmitting.

The way to do that is to use the attr_protected command in your model
to declare attributes that can only be set manually in your code. They
cannot be set using bulk assignments from outside such as
Model.create(params[:model]).

e.g.

class Company < ActiveRecord::Base
  attr_protected :user_id
end

Alternatively you can use attr_accessible to explicitly declare which
fields can be mass assigned from form query parameters. It's up to you
as to which of the opt-in or opt-out models you go for.

There's more information on this in section 21.4 ("Creating Records
Directly from Form Parameters") in chapter 21 ("Securing Your Rails
Application") of the Agile Web Development with Rails book. It's really
worth reading as it covers this and many other factors in securing code
- if you do, go for the 2nd Edition beta book available from Pragmatic
Programmers, as it covers the more recent changes to the Rails
codebase.

Ian
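The following is an added example, not Ian's code and not ActiveRecord itself: a small stand-in class that mimics how Rails of this era applies attr_protected (opt-out) and attr_accessible (opt-in) during bulk assignment, so the effect of a tampered form can be seen without a database. The Record base class, the columns helper, the Company and Invoice models and the TAMPERED_PARAMS hash are all assumptions made for the demonstration. (Later Rails versions, 4 and up, replaced these two macros with strong parameters, but the principle of never trusting form keys for ownership fields is the same.)

```ruby
# Minimal imitation of ActiveRecord mass-assignment protection.
# Assumed helper for this example only; real Rails does this inside
# ActiveRecord::Base#attributes=.
class Record
  class << self
    attr_reader :protected_attrs, :accessible_attrs

    # Opt-out policy: every column except these may be mass-assigned.
    def attr_protected(*names)
      @protected_attrs = names.map(&:to_s)
    end

    # Opt-in policy: only these columns may be mass-assigned.
    def attr_accessible(*names)
      @accessible_attrs = names.map(&:to_s)
    end

    # Stand-in for the table's column list (assumed helper).
    def column_names
      @column_names ||= []
    end

    def columns(*names)
      names.each do |n|
        column_names << n.to_s
        attr_accessor n
      end
    end
  end

  # Bulk assignment from untrusted input such as params[:company].
  # Keys that fail the policy are dropped; Rails logs them rather than
  # raising, so the tampered field is simply ignored.
  def initialize(attrs = {})
    attrs.each do |key, value|
      key = key.to_s
      next unless self.class.column_names.include?(key)
      next unless mass_assignable?(key)
      send("#{key}=", value)
    end
  end

  def mass_assignable?(key)
    if (allowed = self.class.accessible_attrs)
      allowed.include?(key)               # opt-in wins when declared
    elsif (denied = self.class.protected_attrs)
      !denied.include?(key)               # otherwise apply the opt-out list
    else
      true                                # no policy: everything assignable
    end
  end
end

# Opt-out model, as in Ian's snippet: user_id can only be set in code.
class Company < Record
  columns :name, :user_id
  attr_protected :user_id
end

# Opt-in model: only amount is form-settable; paid and user_id are not.
class Invoice < Record
  columns :amount, :paid, :user_id
  attr_accessible :amount
end

# Constructed input: a form whose hidden user_id field was edited to 42
# before resubmission.
TAMPERED_PARAMS = { "name" => "Acme", "user_id" => 42 }

# The controller pattern the reply recommends: bulk-assign the form,
# then set the ownership field manually from the session.
def create_company(params, current_user_id)
  company = Company.new(params)        # user_id from the form is dropped
  company.user_id = current_user_id    # explicit assignment still works
  company
end

if __FILE__ == $0
  c = create_company(TAMPERED_PARAMS, 7)
  puts "company: name=#{c.name.inspect} user_id=#{c.user_id.inspect}"
  i = Invoice.new("amount" => 10, "paid" => true, "user_id" => 3)
  puts "invoice: amount=#{i.amount.inspect} paid=#{i.paid.inspect} user_id=#{i.user_id.inspect}"
end
```

Running it shows the company ending up with user_id 7 (the session value) despite the form claiming 42, and the invoice keeping only amount; the paid flag and user_id the attacker tried to inject stay nil.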

Bbkr I juz wrote: