Rails 2.0 turn on mass assignment

Can anyone tell me how to turn on mass assignment in rails 2.0. I am facing a problem accessing a value of an attr_protected value sat by a plugin I am using. I need this value to be assigned to a modle object but it is silently discarded. Please help.

if it's only one attribute, why not just assign with:

@object.update_attribute(:attribute, value)

Protected attributes are ignored in mass-assignment, that's the whole point of attr_protected!

If the plugin sets the attribute with regular assignment it will get saved anyway, I mean this sequence updates the protected attribute:

    model.protected_attribute = value     if model.update_attributes(params[:model])       # protected was updated to value, no matter       # what params[:model] has about it     end

If the plugin uses mass-assignemnt itself either the atribute cannot be protected or else you need to patch the plugin.

-- fxn

Correct! The OP should think about WHY the plugin is protecting the attribute from mass assignment.

The reason this gets done in general is for security, to keep a bad-guy user from changing things that shouldn't be (passwords? permissions? ....) by forging uri's with say, additionally query parameters in the URI.


The real problem I am facing here is the plugin I use (acts_as_better_nested_set) declares the column "parent_id" as attr_protected which I need in a controller to reffer to the parent object of the cutrrent node (I doubt this plugin was written prior to Rails 2.0). I send parent_id as a hidden field value from view to the controller where its get discarded. (I am creating a category tree here)

in categories_controller

def create     @category = Category.new(params[:category])     pid = params[:category][:parent_id]     if(!@pid.blank?)       parent = Category.find_by_parent_id(@pid)       parent.add_child(@category) #error here     end #other stuff end

parent.add_child(@category) is the code where the error is thrown. It says "a category can not be found without an Id".

do you have any ideas?

You need to trust the plugin as a working assumption and tune your expectations. If the attribute is protected there may be a good reason, in principle a plugin author does not write

     attr_protected acts_as_nested_set_options[:left_column].intern,                      acts_as_nested_set_options[:right_column].intern,                      acts_as_nested_set_options[:parent_column].intern

just arbitrarily. It could happen it is unnecessary, but the best hypotheses to work on is it isn't.

This structure needs some housekeeping for the right/left/parent columns and I bet the library user is not supposed to deal with parent_id directly, I guess you must go always through the API to establish relationships.

-- fxn

Thanks a lot. I followed the plugin API and it worked.