Validation to make sure associations don't change?


#1

I have a main form representing the model, let’s call that ‘Order’, and
a
partial displaying its’ OrderLines.

I use the bulk update methods to initialize model objects directly from
form
data, leaving validation of business logic to the model. As AR likes to
write stuff before i do an explicit save, I wrap the whole update in a
manual transaction.

This works for valid data, but how do i deal with attacks? If people can
override either primary or foreign keys, things will get really messy.
Are validations in the model sufficient to deal with this? What happens
if i
read a row that’s just been updated, but not yet commited to the db;
I’ll
probably get the new data, so comparing to existing data will have to
happen
in the controller?

Any suggestions appreciated.


View this message in context:
http://www.nabble.com/Validation-to-make-sure-associations-don't-change--t1316282.html#a3509127
Sent from the RubyOnRails Users forum at Nabble.com.


#2

On Mar 21, 2006, at 1:05 AM, Lucifron wrote:

I use the bulk update methods to initialize model objects directly
from form
data, leaving validation of business logic to the model.

Look at attr_protected and attr_accessible

As AR likes to write stuff before i do an explicit save, I wrap the
whole
update in a manual transaction.

When does AR write “stuff” before you do an explicit save?

It doesn’t do that to me…


– Tom M.


#3

Tom M. wrote:

On Mar 21, 2006, at 1:05 AM, Lucifron wrote:

I use the bulk update methods to initialize model objects directly
from form
data, leaving validation of business logic to the model.

Look at attr_protected and attr_accessible

A combination of these and storing id’s in the session worked out fine,
thanks.

As AR likes to write stuff before i do an explicit save, I wrap the
whole
update in a manual transaction.

When does AR write “stuff” before you do an explicit save?

It doesn’t do that to me…
The “Unsaved objects and associations” section under
ActiveRecord::Associations::ClassMethods certainly gives me that
impression
(even if i haven’t bothered to actually test it. Safer to just manually
wrap the whole update in a transaction than betting on myself and the
people
i work with to know what we’re doing).

View this message in context:
http://www.nabble.com/Validation-to-make-sure-associations-don’t-change--t1316282.html#a3645920
Sent from the RubyOnRails Users forum at Nabble.com.