How to secure records??

This is best practice in Rails anyway, but you should protect certain attributes of your Model from being mass assigned - for example in the way you've defined below by editing a form source and resubmitting.

The way to do that is to use the attr_protected command in your model to declare attributes that can only be set manually in your code. They cannot be set using bulk assignments from outside such as Model.create(params[:model]).

e.g.

class Company < ActiveRecord::Base   attr_protected :user_id end

Alternatively you can use attr_accessible to explicitly declare which fields can be mass assigned from form query parameters. It's up to you as to which of the opt-in or opt-out models you go for.

There's more information on this in section 21.4 ("Creating Records Directly from Form Parameters") in chapter 21 ("Securing Your Rails Application") of the Agile Web Development with Rails book. It's really worth reading as it covers this and many other factors in securing code - if so, go for the 2nd Edition beta book available at Pragmatic Programmers as it is covering the more recent changes to the Rails codebase.

Ian

Bbkr I juz wrote: