Forum: Ruby on Rails Scaffold shows all attributes although I use attr_accessible!

Joshua Muheim (josh)
on 2006-01-12 15:27
Hi all

I have a Model like this:

class Member < ActiveRecord::Base
  attr_accessible :username, :email, :first_name, :last_name
end

I have created a scaffold using script/generate scaffold member members

Using the URL localhost:3000/members/edit/1 I can edit all attributes,
including created_at, lock_version etc.! But it should only show the
attributes I listed in attr_accessible!

What is wrong here? Thanks for help.
Josh
Alex Young (Guest)
on 2006-01-12 15:56
(Received via mailing list)
Joshua Muheim wrote:
> Using the URL localhost:3000/members/edit/1 I can edit all attributes,
> including created_at, lock_version etc.! But it should only show the
> attributes I listed in attr_accessible!
>
> What is wrong here? Thanks for help.
> Josh
>

That's not what attr_accessible controls.  All attr_accessible does is
put a guard on the other attributes so that they can't be used in mass
assignments - for example this works:

   member = Member.new(:username => 'Foo', :email => 'Bar@qex.org')

Whereas this won't:

   member = Member.new(:username => 'Foo', :lock_version => 57)

The lock_version assignment will just get ignored.

The scaffolded code is rather simplistic - don't expect it to do all the
work for you.  There's no method I can find that gives you a list of
accessible attributes, so if you want to use attr_accessible to control
the visible columns, you'll need to define your own method yourself.
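
Added example, not part of the original post and not Rails' own code: a stand-alone Ruby sketch of the distinction drawn above. The whitelist guards mass assignment on the server, and a separate helper lists the whitelisted columns for a form to render. The names `AccessibleGuard`, `accessible`, `accessible_columns`, `mass_assign` and `rejected` are hypothetical, and the request parameters are constructed.

```ruby
# Stand-alone sketch (no Rails needed): a minimal whitelist that mimics the
# behaviour described above. All names here are hypothetical, not Rails API.
module AccessibleGuard
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Declare the whitelist, in the spirit of attr_accessible.
    def accessible(*names)
      @accessible = names.map(&:to_sym)
    end

    # The "own method" a form template can call to decide which fields to render.
    def accessible_columns
      @accessible || []
    end
  end

  attr_reader :attributes, :rejected

  def initialize(params = {})
    @attributes = {}
    @rejected = []
    mass_assign(params)
  end

  # Mass assignment: whitelisted keys are stored, everything else is dropped
  # and recorded so the caller can log it.
  def mass_assign(params)
    params.each do |key, value|
      if self.class.accessible_columns.include?(key.to_sym)
        @attributes[key.to_sym] = value
      else
        @rejected << key.to_sym
      end
    end
    self
  end
end

class Member
  include AccessibleGuard
  accessible :username, :email, :first_name, :last_name
end

# Constructed request parameters: the form hid lock_version, the client sent it anyway.
def demo_member
  Member.new("username" => "Foo", "lock_version" => 57, "created_at" => "2006-01-01")
end
```

Hiding a field in the form only changes what the browser shows; the server-side whitelist is what decides whether a submitted `lock_version` is accepted.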
Joshua Muheim (josh)
on 2006-01-12 16:02
Thank you. Maybe this solves my problem?

http://perens.com/FreeSoftware/ModelSecurity/
Jeremy Evans (Guest)
on 2006-01-12 18:16
(Received via mailing list)
On 1/12/06, Joshua Muheim <forum@josh.ch> wrote:
> Using the URL localhost:3000/members/edit/1 I can edit all attributes,
> including created_at, lock_version etc.! But it should only show the
> attributes I listed in attr_accessible!

If you use the Scaffolding Extensions plugin, it allows you to choose
which columns are displayed in the scaffold.  Of course, if you are
generating the scaffold, you'd be better off just modifying the output
of the generator.
Joshua Muheim (josh)
on 2006-01-12 20:44
Jeremy Evans wrote:
> On 1/12/06, Joshua Muheim <forum@josh.ch> wrote:
>> Using the URL localhost:3000/members/edit/1 I can edit all attributes,
>> including created_at, lock_version etc.! But it should only show the
>> attributes I listed in attr_accessible!
>
> If you use the Scaffolding Extensions plugin, it allows you to choose
> which columns are displayed in the scaffold.  Of course, if you are
> generating the scaffold, you'd be better off just modifying the output
> of the generator.

Thanks for the hint. Because it is not standard, I stick to the normal
scaffolding and hope that such advanced features will be added soon.
joey__ (Guest)
on 2006-01-12 20:52
Joshua Muheim wrote:
> Jeremy Evans wrote:
>> On 1/12/06, Joshua Muheim <forum@josh.ch> wrote:
>>> Using the URL localhost:3000/members/edit/1 I can edit all attributes,
>>> including created_at, lock_version etc.! But it should only show the
>>> attributes I listed in attr_accessible!
>>
>> If you use the Scaffolding Extensions plugin, it allows you to choose
>> which columns are displayed in the scaffold.  Of course, if you are
>> generating the scaffold, you'd be better off just modifying the output
>> of the generator.
>
> Thanks for the hint. Because it is not standard, I stick to the normal
> scaffolding and hope that such advanced features will be added soon.

I hope features won't make it into scaffolding. Scaffold shouldn't
really make the basis of an app. If you can't edit the _form.rhtml file
to comment/delete the columns, then you need to do more reading into RoR.
Alex Young (Guest)
on 2006-01-12 22:00
(Received via mailing list)
Joshua Muheim wrote:
>
> Thanks for the hint. Because it is not standard, I stick to the normal
> scaffolding and hope that such advanced features will be added soon.
I don't think there's much chance of that.  The scaffolding extensions
have been around for a while now, and not got any closer to the core.
DHH has his own reasons which, while I am sure they are cogent and well
thought out, temporarily escape me :-)
Alex Young (Guest)
on 2006-01-12 22:07
(Received via mailing list)
joey__ wrote:
> I hope features won't make it into scaffolding. Scaffold shouldn't
> really make the basis of an app. If you can't edit the _form.rhtml file
> to comment/delete the columns, then you need to do more reading into RoR.
There's arguments both ways.  It's not just a matter of being competent
to edit your own form - scaffolding could potentially be extended to
give Rails a continuation framework, if anyone felt so inclined.  Code
generation is, in general, the *right* thing to do.
Jeremy Evans (Guest)
on 2006-01-12 22:34
(Received via mailing list)
On 1/12/06, Joshua Muheim <forum@josh.ch> wrote:
> Thanks for the hint. Because it is not standard, I stick to the normal
> scaffolding and hope that such advanced features will be added soon.

As other people have mentioned, that's unlikely to happen.  If you
want basic scaffolding, use the default scaffold command in Rails.  If
you want fully custom code, generating a default scaffold and
modifying may be a good idea.  If you have many tables and just want
semicustom admin forms for them, it'll be a lot faster to use the
Scaffolding Extensions plugin and add a few lines of scaffold
configuration code to each model than it would be to generate default
scaffolds and modify them all by hand (especially if your schema may
change).
Douglas Livingstone (Guest)
on 2006-01-14 15:16
(Received via mailing list)
2006/1/12, Alex Young <alex@blackkettle.org>:
> There's arguments both ways.  It's not just a matter of being competent
> to edit your own form - scaffolding could potentially be extended to
> give Rails a continuation framework, if anyone felt so inclined.  Code
> generation is, in general, the *right* thing to do.
>

In the sense that code generation is better than manual copy-pasting.
It is *not* better than removing code duplication in the first place.

Douglas