cainlevy wrote:
> Which points to an interesting question -- should the model or the
> controller be responsible for filtering the attributes? That is,
> should the burden be on the model to only assign allowed parameters,
> or the controller to only pass allowed parameters? It certainly seems
> simple to do it from the controller using something like your
> Hash#pick method, but I think it's safer to do it from the model. For
> example, if the model is responsible for filtering assignable
> attributes, it may create an intelligent default blacklist for cases
> where the developer has paid no attention.
> 
> I've just about finished a patch to implement AR::Base#assign
> (attributes, allowed_attributes). In the process I've realized that
> allowed_attributes can simply be an override to attr_accessible/
> attr_protected, which makes for an easily backwards compatible API
> update. So that'll be my first ticket.

I don't think this massive change to the API is justified.  You're
introducing complexity for all users to support a few cases which, while
hardly rare, aren't 100% of users' requirements.

It should be trivial for you to implement this as a plugin to see if
people prefer this approach to specifying assignable attributes.  If
that picks up momentum we can look at pulling it into Rails.

In the meantime users can already do:

@user.attributes = params[:user].slice(:email, :password, :password_confirmation)

or

@user.attributes = params[:user].except(:admin)


> I'd really prefer to remove attr_accessible/attr_protected altogether
> as I believe they are in all ways inferior to the new approach and
> would only serve to clutter the API in the name of backwards
> compatibility. But that's a secondary concern, and will be in a second
> ticket that may be evaluated independently.

attr_accessible and friends are a great simple solution for a really
common case.  We shouldn't lose sight of that just because there are
some cases where they're not perfect.



-- 
Cheers,

Koz
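
An added example (not part of the original message or of the Rails code base) comparing the two controller-side filters shown above when a request carries keys that neither list anticipated. The User class, its attributes, the pick/drop helpers and the request hash are constructed for illustration; pick and drop stand in for Hash#slice and Hash#except so the snippet runs without ActiveSupport.

```ruby
# Added illustration; User, its attributes and REQUEST are constructed.
class User
  attr_accessor :email, :password, :password_confirmation, :admin, :account_id

  # Stand-in for mass assignment with no attr_accessible / attr_protected
  # declared: every key that has a setter is assigned.
  def attributes=(attrs)
    attrs.each { |key, value| public_send("#{key}=", value) }
  end
end

ALLOWED = %w[email password password_confirmation].freeze
DENIED  = %w[admin].freeze

# Allow-list filter, the equivalent of params[:user].slice(...) above.
def pick(params, keys)
  params.select { |key, _| keys.include?(key.to_s) }
end

# Deny-list filter, the equivalent of params[:user].except(...) above.
def drop(params, keys)
  params.reject { |key, _| keys.include?(key.to_s) }
end

# Constructed form submission carrying two fields the form never rendered.
REQUEST = {
  "email" => "a@example.com",
  "password" => "s3cret",
  "password_confirmation" => "s3cret",
  "admin" => "1",
  "account_id" => "42"
}.freeze

def build_user(filtered)
  user = User.new
  user.attributes = filtered
  user
end

via_allow_list = build_user(pick(REQUEST, ALLOWED))
via_deny_list  = build_user(drop(REQUEST, DENIED))

# The deny list stops "admin" but passes "account_id", which it never named.
puts "allow-list: admin=#{via_allow_list.admin.inspect} account_id=#{via_allow_list.account_id.inspect}"
puts "deny-list:  admin=#{via_deny_list.admin.inspect} account_id=#{via_deny_list.account_id.inspect}"
```

The allow list fails closed when a new attribute is added to the model; the deny list has to be revisited every time one is.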
