Forum: Ruby on Rails Validation to make sure associations don't change?

Lucifron (Guest)
on 2006-03-21 11:06
(Received via mailing list)
I have a main form representing the model, let's call that 'Order', and a partial displaying its OrderLines.

I use the bulk update methods to initialize model objects directly from form data, leaving validation of business logic to the model. As AR likes to write stuff before I do an explicit save, I wrap the whole update in a manual transaction.

This works for valid data, but how do I deal with attacks? If people can override either primary or foreign keys, things will get really messy. Are validations in the model sufficient to deal with this? What happens if I read a row that's just been updated, but not yet committed to the db; I'll probably get the new data, so comparing to existing data will have to happen in the controller?

Any suggestions appreciated.

Tom M. (Guest)
on 2006-03-21 18:33
(Received via mailing list)
On Mar 21, 2006, at 1:05 AM, Lucifron wrote:

> I use the bulk update methods to initialize model objects directly from form data, leaving validation of business logic to the model.

Look at attr_protected and attr_accessible

> As AR likes to write stuff before I do an explicit save, I wrap the whole update in a manual transaction.

When does AR write "stuff" before you do an explicit save?

It doesn't do that to me...

--
-- Tom M.
Lucifron (Guest)
on 2006-03-29 12:34
(Received via mailing list)
Tom M. wrote:
>
> On Mar 21, 2006, at 1:05 AM, Lucifron wrote:
>
>> I use the bulk update methods to initialize model objects directly from form data, leaving validation of business logic to the model.
>
> Look at attr_protected and attr_accessible

A combination of these and storing ids in the session worked out fine, thanks.

>> As AR likes to write stuff before I do an explicit save, I wrap the whole update in a manual transaction.
>
> When does AR write "stuff" before you do an explicit save?
>
> It doesn't do that to me...

The "Unsaved objects and associations" section under ActiveRecord::Associations::ClassMethods certainly gives me that impression (even if I haven't bothered to actually test it). Safer to just manually wrap the whole update in a transaction than betting on myself and the people I work with to know what we're doing.
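
The approach this thread settles on, sketched as an added example that is not part of the original posts: an allowlist in the style of attr_accessible keeps `id` and `order_id` out of bulk assignment, and order lines are resolved only among those the server loaded for the order id it trusts. It is plain Ruby without Rails; `MiniModel`, `update_order_lines` and the sample data are hypothetical.

```ruby
# Plain-Ruby sketch (no Rails). MiniModel, OrderLine and update_order_lines
# are hypothetical names; any data passed in is constructed by the caller.
class MiniModel
  def self.attr_accessible(*names)
    @accessible = names.map(&:to_s)
  end

  def self.accessible
    @accessible || []
  end

  # Bulk-assign only allowlisted keys; return the names that were dropped.
  def assign(params)
    rejected = []
    params.each do |key, value|
      if self.class.accessible.include?(key.to_s)
        public_send("#{key}=", value)
      else
        rejected << key.to_s
      end
    end
    rejected
  end
end

class OrderLine < MiniModel
  attr_accessor :id, :order_id, :quantity, :note
  attr_accessible :quantity, :note # id and order_id are never form-settable
  def initialize(id, order_id, quantity)
    @id, @order_id, @quantity = id, order_id, quantity
  end
end

# order_lines: lines the server loaded for the order id it trusts (for
# example one kept in the session). form_lines: raw form data keyed by line
# id. A line id outside that order is refused instead of being looked up.
def update_order_lines(order_lines, form_lines)
  by_id = order_lines.to_h { |line| [line.id.to_s, line] }
  report = { updated: [], foreign: [], rejected_keys: [] }
  form_lines.each do |line_id, attrs|
    line = by_id[line_id.to_s]
    if line.nil?
      report[:foreign] << line_id.to_s
      next
    end
    report[:rejected_keys].concat(line.assign(attrs))
    report[:updated] << line.id
  end
  report
end
```

In Rails 4 and later the same allowlist is expressed with strong parameters (`params.require(...).permit(...)`) rather than attr_accessible.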