diff options
| author | Frederick Cheung <frederick.cheung@gmail.com> | 2009-01-25 12:50:38 +0000 |
|---|---|---|
| committer | Frederick Cheung <frederick.cheung@gmail.com> | 2009-01-25 12:50:38 +0000 |
| commit | cbb6cfd20449d518a703715e1308dc2e2cf4a62a (patch) | |
| tree | f9498d9ce244c3cd51fbc3af9c392427260eb258 /railties/doc/guides | |
| parent | c6dbd5f45b53c54caf5a066dc66bc43c50108daf (diff) | |
| download | rails-cbb6cfd20449d518a703715e1308dc2e2cf4a62a.tar.gz rails-cbb6cfd20449d518a703715e1308dc2e2cf4a62a.tar.bz2 rails-cbb6cfd20449d518a703715e1308dc2e2cf4a62a.zip | |
point people in the direction of attr_accessible etc...
Diffstat (limited to 'railties/doc/guides')
| -rw-r--r-- | railties/doc/guides/source/form_helpers.txt | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/railties/doc/guides/source/form_helpers.txt b/railties/doc/guides/source/form_helpers.txt index de8ef9436b..1025dc8baf 100644 --- a/railties/doc/guides/source/form_helpers.txt +++ b/railties/doc/guides/source/form_helpers.txt @@ -445,6 +445,8 @@ If you specify `city` instead of `city_id` Active Record will raise an error alo ActiveRecord::AssociationTypeMismatch: City(#17815740) expected, got String(#1138750) -------- when you pass the `params` hash to `Person.new` or `update_attributes`. Another way of looking at this is that form helpers only edit attributes. + +You should also be aware of the potential security ramifications of allowing users to edit foreign keys directly. You may wish to consider the use of `attr_protected` and `attr_accessible`. For further details on this, see the link:security.html#_mass_assignment[Ruby On Rails Security Guide]. ============================ Option tags from a collection of arbitrary objects |