I don’t like the idea of attr_protected and attr_accessible in ActiveRecord.
- They make me put more code in the controller, and sometimes worse, I’m forced to express model ideas in the controller.
- They make me put things in the model that should be handled by the controller.
From the Rails API docs:
“This is meant to protect sensitive attributes from being overwritten by URL/form hackers.”
That’s what the freaking controller is for.
Give me param_protected and param_accessible. Instead of:
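```ruby
class Customer < ActiveRecord::Base
  # Blocks credit_rating from being set through mass assignment.
  attr_protected :credit_rating
end

class CustomersController < Application
  ...
  def extra_crap_i_dont_need
    ...
    # The protected attribute now has to be assigned by hand.
    @customer.credit_rating = :foo
  end
end
```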
I want:
```ruby
class CustomersController < Application
  param_protected :customer => [:credit_rating, :etc]
end
```
If no one else has done it (I haven’t looked yet), perhaps I will.
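
One way the controller-level filtering asked for above could work, as an added sketch in plain Ruby that is not part of the original post and is not the code of any plugin. `param_protected` and `param_accessible` are the names proposed in the post; `ParamProtection`, `add_param_rule` and `filtered_params` are hypothetical, and request parameters are assumed to arrive with string keys.

```ruby
# Added sketch in plain Ruby (no Rails or Merb needed); not any plugin's code.
# ParamProtection, add_param_rule and filtered_params are hypothetical names.
module ParamProtection
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    def param_rules
      @param_rules ||= []
    end
    # Deny-list: drop the named keys, keep everything else.
    def param_protected(rules)
      add_param_rule(:deny, rules)
    end
    # Allow-list: keep only the named keys.
    def param_accessible(rules)
      add_param_rule(:allow, rules)
    end
    def add_param_rule(mode, rules)
      rules.each { |scope, keys| param_rules << [mode, scope.to_s, Array(keys).map(&:to_s)] }
    end
  end

  # Returns a filtered copy of params (string keys assumed, as parsed from a
  # request); the caller passes the result to the model's mass assignment.
  def filtered_params(params)
    self.class.param_rules.reduce(params) do |acc, (mode, scope, keys)|
      next acc unless acc[scope].is_a?(Hash)
      kept = acc[scope].select { |k, _| keys.include?(k.to_s) == (mode == :allow) }
      acc.merge(scope => kept)
    end
  end
end

class CustomersController
  include ParamProtection
  param_protected :customer => [:credit_rating]
end

class SignupsController
  include ParamProtection
  param_accessible :customer => [:name, :email]
end

# Constructed sample: a form post carrying fields the form never offered.
SAMPLE_PARAMS = { "customer" => { "name" => "Ann", "credit_rating" => "AAA", "admin" => "1" },
                  "commit" => "Save" }.freeze
```

With the sample input, the deny-list controller strips `credit_rating` but still passes the unlisted `admin` field through, while the allow-list controller keeps only `name`.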







Definitely ripe for a plugin, so we can see if it is a good replacement. I think… I may agree with you here. This makes it easier to tweak attributes depending on user permissions, for example. For instance, use a different attributes before_filter for admins vs normal users…
Hey. You are absolutely right! I’ve been thinking about this issue, but I didn’t think about moving it to the controller. Now I’m pretty sure that is the correct solution. I’ll try to write a plugin for that.
Thanks guys, I’m working on the plugin now.
See http://merb.devjavu.com/ticket/303 … I’m adding this to Merb for 0.4.2. Excellent idea!
Well, it took a while, but this is now an official Merb plugin: merb_param_protection.
I completely agree with you (after the nightmare code refactoring job after trying attr_protected). I’ll be looking at merb_param_protection … thanks for that, btw.
Ok, I made the Rails plugin…
http://blog.stochasticbytes.com/2008/01/paramprotected.html