Joshua M. wrote:
Using the URL localhost:3000/members/edit/1 I can edit all attributes,
including created_at, lock_version etc.! But it should only show the
attributes I listed in attr_accessible!
What is wrong here? Thanks for help.
That’s not what attr_accessible controls. All attr_accessible does is
put a guard on the other attributes so that they can’t be used in mass
assignments - for example this works:
member = Member.new(:username => 'Foo', :email => '[email protected]')
Whereas this won’t:
member = Member.new(:username => 'Foo', :lock_version => 57)
The lock_version assignment will just get ignored.
The scaffolded code is rather simplistic - don’t expect it to do all the
work for you. There’s no method I can find that gives you a list of
accessible attributes, so if you want to use attr_accessible to control
the visible columns, you’ll need to define your own method yourself.
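
Added example, not part of the original reply and not Rails code: a plain-Ruby stand-in for the model (no ActiveRecord loaded) in which one allowlist both drops unlisted keys during mass assignment and supplies the list of fields an edit form should render. `MiniModel`, `attr_allowlist`, `form_fields` and the submitted hash are hypothetical names and constructed data.

```ruby
# Plain-Ruby sketch of allowlist-based mass assignment (assumption: this
# mimics the behaviour described above; it is not ActiveRecord itself).
class MiniModel
  # Declare which attributes may be set through mass assignment.
  def self.attr_allowlist(*names)
    @allowlist = names.map(&:to_sym).freeze
  end

  # The same allowlist, exposed so a view can render only these fields.
  def self.form_fields
    @allowlist || []
  end

  attr_reader :attributes, :ignored

  def initialize(params = {})
    @attributes = {}
    @ignored = []
    assign(params)
  end

  # Keys outside the allowlist are silently dropped, but recorded in
  # #ignored so the caller can log unexpected parameters.
  def assign(params)
    params.each do |key, value|
      key = key.to_sym
      if self.class.form_fields.include?(key)
        @attributes[key] = value
      else
        @ignored << key
      end
    end
    self
  end
end

class Member < MiniModel
  attr_allowlist :username, :email
end

# Constructed sample: parameters as an edit form might submit them,
# including a field the model owner never meant to be user-editable.
SUBMITTED = { 'username' => 'Foo', 'email' => 'foo@example.test', 'lock_version' => 57 }

def demo
  member = Member.new(SUBMITTED)
  { saved: member.attributes, ignored: member.ignored, fields: Member.form_fields }
end

p demo
```

Rendering the form from `Member.form_fields` keeps the visible columns and the assignable columns in one place, and the `ignored` list is what a controller would log when a request carries parameters the form never offered.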