I've only been working with Rails for a few months now so I may be missing something obvious, but if an attribute is protected from mass assignment by attr_accessible, or attr_protected, how do you set that attribute when you first create a record? (And do it in a way that is still secure.)
我现在只使用Rails几个月了,所以我可能会遗漏一些明显的东西,但是如果attr_accessible或attr_protected保护了一个属性不受质量分配的影响,那么在第一次创建记录时如何设置该属性? (以一种仍然安全的方式进行。)
For example:
Say I'm working on an application that keeps track of different procedures and processes that employees in a company have been trained on.
假设我正在开发一个应用程序,该应用程序可以跟踪公司员工接受过培训的不同程序和流程。
As part of this application, I have three models: User, Course, and TrainingClass. User represents employees, Course represents different things employees can be trained on, and TrainingClass represents a specific class in which employees will be trained on a course.
作为此应用程序的一部分,我有三个模型:User,Course和TrainingClass。用户代表员工,课程代表员工可以接受的不同培训,TrainingClass代表一个特定的班级,员工将接受培训。
The TrainingClass has a belongs_to relationship with both the Course model (because a class is basically just a specific instance of a course) and the User model (because the class has a single instructor, who is the user who creates the TrainingClass). Similarly, the Course and User models both have a has_many relationship with the TrainingClass model.
TrainingClass与Course模型(因为类基本上只是课程的特定实例)和User模型(因为类有一个教师,即创建TrainingClass的用户)具有belongs_to关系。同样,课程和用户模型都与TrainingClass模型具有has_many关系。
Based on that information, how would I go about creating a new record for TrainingClass?
根据这些信息,我将如何为TrainingClass创建新记录?
I could say:
我可以说:
course.training_classes.build(user_id: user.id)
or
user.training_classes.build(course_id: course.id)
But wouldn't that be mass assignment on the user_id or course_id attributes?
但这不是user_id或course_id属性的批量分配吗?
What would be the best way to do this while still keeping the application secure?
在保持应用程序安全的同时,最好的方法是什么?
1 个解决方案
#1
3
Read about Mass Assignment Security, specifically roles.
阅读Mass Assignment Security,特别是角色。
You could have
你可以有
class TraningClass < ActiveRecord::Base
attr_accessible .....
attr_accessible ....., :user_id, as: :create
end
Where ...... is your list of other attributes you want accessible for mass assignment. Then when you call build, you'll pass that role
其中......是您希望进行批量分配的其他属性列表。然后当你调用build时,你将通过该角色
course.training_classes.build({user_id: user.id}, as: :create)
Repeat similarly for your other models. The default role will be used (the first one) unless you specify the :create role when calling build, create!, etc...
对其他型号重复类似。除非在调用build,create!等时指定:create role,否则将使用默认角色(第一个)...
#1
3
Read about Mass Assignment Security, specifically roles.
阅读Mass Assignment Security,特别是角色。
You could have
你可以有
class TraningClass < ActiveRecord::Base
attr_accessible .....
attr_accessible ....., :user_id, as: :create
end
Where ...... is your list of other attributes you want accessible for mass assignment. Then when you call build, you'll pass that role
其中......是您希望进行批量分配的其他属性列表。然后当你调用build时,你将通过该角色
course.training_classes.build({user_id: user.id}, as: :create)
Repeat similarly for your other models. The default role will be used (the first one) unless you specify the :create role when calling build, create!, etc...
对其他型号重复类似。除非在调用build,create!等时指定:create role,否则将使用默认角色(第一个)...