I have a main form representing the model, let's call that 'Order', and a partial displaying its OrderLines.
I use the bulk update methods to initialize model objects directly from form data, leaving validation of business logic to the model. As AR likes to write stuff before I do an explicit save, I wrap the whole update in a manual transaction.
This works for valid data, but how do I deal with attacks? If people can override either primary or foreign keys, things will get really messy. Are validations in the model sufficient to deal with this? What happens if I read a row that's just been updated, but not yet committed to the db? I'll probably get the new data, so comparing to existing data will have to happen in the controller?
Any suggestions appreciated.
–
View this message in context:
http://www.nabble.com/Validation-to-make-sure-associations-don't-change--t1316282.html#a3509127
Sent from the RubyOnRails Users forum at Nabble.com.
On Mar 21, 2006, at 1:05 AM, Lucifron wrote:
I use the bulk update methods to initialize model objects directly from form data, leaving validation of business logic to the model.
Look at attr_protected and attr_accessible
As AR likes to write stuff before I do an explicit save, I wrap the whole update in a manual transaction.
When does AR write “stuff” before you do an explicit save?
It doesn’t do that to me…
–
– Tom M.
Tom M. wrote:
On Mar 21, 2006, at 1:05 AM, Lucifron wrote:
I use the bulk update methods to initialize model objects directly from form data, leaving validation of business logic to the model.
Look at attr_protected and attr_accessible
A combination of these and storing ids in the session worked out fine, thanks.
As AR likes to write stuff before I do an explicit save, I wrap the whole update in a manual transaction.
When does AR write “stuff” before you do an explicit save?
It doesn’t do that to me…
The "Unsaved objects and associations" section under ActiveRecord::Associations::ClassMethods certainly gives me that impression (even if I haven't bothered to actually test it. Safer to just manually wrap the whole update in a transaction than betting on myself and the people I work with to know what we're doing).
–
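The approach settled on above (an attr_accessible whitelist plus an order id taken from the session), as an added stand-alone example that is not ActiveRecord's own code: MassAssignable, OpenOrderLine, OrderLine, TAMPERED_PARAMS and build_line_from_session are constructed here to mimic the whitelist behaviour, and the form data is made up.

```ruby
# Added example, not ActiveRecord's own code: a minimal stand-in for the
# attr_accessible whitelist the thread recommends, plus the session-id step.
module MassAssignable
  def self.included(base)
    base.extend(ClassMethods)
  end
  module ClassMethods
    # Declare the only keys bulk update may set (like attr_accessible).
    def attr_accessible(*names)
      @accessible = names.map(&:to_s)
    end
    # nil means no whitelist was declared, so every key is writable.
    def accessible_attributes; @accessible; end
  end
  def attributes; @attributes ||= {}; end
  # Bulk update from form data. Keys outside the whitelist are dropped and
  # returned so the controller can log what the client tried to set.
  def assign_attributes(params)
    allowed = self.class.accessible_attributes
    rejected = {}
    params.each do |key, value|
      key = key.to_s
      if allowed.nil? || allowed.include?(key)
        attributes[key] = value
      else
        rejected[key] = value
      end
    end
    rejected
  end
end
# Unsafe: no whitelist, so a posted id or order_id overwrites the real one.
class OpenOrderLine
  include MassAssignable
end
# Hardened: only business fields are bulk-assignable; keys stay untouched.
class OrderLine
  include MassAssignable
  attr_accessible :product, :quantity
end
# Constructed form data: the client appended id and order_id to the POST body.
TAMPERED_PARAMS = { "product" => "widget", "quantity" => 3, "id" => 42, "order_id" => 99 }.freeze
# Controller side: the parent order id comes from the session, never from the form.
def build_line_from_session(session, params)
  line = OrderLine.new
  rejected = line.assign_attributes(params)
  line.attributes["order_id"] = session[:order_id]
  [line, rejected]
end
```

With the whitelist in place the tampered id and order_id never reach the model, and the returned rejected hash is what you would log to spot clients probing the form.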