From cbb6cfd20449d518a703715e1308dc2e2cf4a62a Mon Sep 17 00:00:00 2001 From: Frederick Cheung Date: Sun, 25 Jan 2009 12:50:38 +0000 Subject: point people in the direction of attr_accessible etc... --- railties/doc/guides/source/form_helpers.txt | 2 ++ 1 file changed, 2 insertions(+) (limited to 'railties/doc/guides') diff --git a/railties/doc/guides/source/form_helpers.txt b/railties/doc/guides/source/form_helpers.txt index de8ef9436b..1025dc8baf 100644 --- a/railties/doc/guides/source/form_helpers.txt +++ b/railties/doc/guides/source/form_helpers.txt @@ -445,6 +445,8 @@ If you specify `city` instead of `city_id` Active Record will raise an error alo ActiveRecord::AssociationTypeMismatch: City(#17815740) expected, got String(#1138750) -------- when you pass the `params` hash to `Person.new` or `update_attributes`. Another way of looking at this is that form helpers only edit attributes. + +You should also be aware of the potential security ramifications of allowing users to edit foreign keys directly. You may wish to consider the use of `attr_protected` and `attr_accessible`. For further details on this, see the link:security.html#_mass_assignment[Ruby On Rails Security Guide]. ============================ Option tags from a collection of arbitrary objects -- cgit v1.2.3
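Review bot: The added paragraph in form_helpers.txt warns of "potential security ramifications" without saying what they are, so a reader who does not follow the link learns nothing actionable. Since the preceding sentence already talks about passing the `params` hash to `Person.new` or `update_attributes`, I would add one sentence tying the two together: the submitted `city_id` is whatever the client sends, not only one of the options the select box rendered, and the same holds for any other attribute present in `params`. "You may wish to consider the use of `attr_protected` and `attr_accessible`" also names both macros without saying how they differ or which one the guide prefers for a foreign key; a short clause on that would help. Minor style point: "Ruby On Rails Security Guide" in the link text should read "Ruby on Rails Security Guide".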