explain why we also add attr_accessible in the model

1 files changed, 16 insertions, 1 deletions

diff --git a/guides/source/getting_started.textile b/guides/source/getting_started.textile
index 8f752524e9..c105007a1a 100644
--- a/guides/source/getting_started.textile
+++ b/guides/source/getting_started.textile
@@ -652,7 +652,7 @@ TIP: In development mode (which is what you're working in by default), Rails
 reloads your application with every browser request, so there's no need to stop
 and restart the web server when a change is made.
 
-h4. Adding Some Validation
+h4. Allowing the update of fields
 
 The model file, +app/models/post.rb+ is about as simple as it can get:
 
@@ -667,6 +667,21 @@ your Rails models for free, including basic database CRUD (Create, Read, Update,
 Destroy) operations, data validation, as well as sophisticated search support
 and the ability to relate multiple models to one another.
 
+Rails includes methods to help you secure some of your model fields.
+Open the +app/models/post.rb+ file and edit it:
+
+<ruby>
+class Post < ActiveRecord::Base
+  attr_accessible :text, :title
+end
+</ruby>
+
+This change will ensure that all changes made through HTML forms can edit the content of the text and title fields.
+It will not be possible to define any other field value through forms. You can still define them by calling the `field=` method of course.
+Accessible attributes and the mass assignment probem is covered in details in the "Security guide":security.html#mass-assignment
+
+h4. Adding Some Validation
+
 Rails includes methods to help you validate the data that you send to models.
 Open the +app/models/post.rb+ file and edit it: