Project Summary
October 1, 2007 - This project is now served from the Corkboard repository. Check out http://secure-associations.warehouse.corkboardinc.com

SecureAssociations

More often than not, I find foreign keys need to be protected from bulk updates. This plugin adds a :protected option to ActiveRecord associations.

Example

Let's say you've got a model like:

    class User < ActiveRecord::Base
      has_many :widgets
    end

    class Widget < ActiveRecord::Base
      belongs_to :user
    end

All well and good until you get to a controller that looks like:

    class WidgetsController < ApplicationController
      def create
        @widget = current_user.widgets.build(params[:widget])
        if @widget.save
          redirect_to widgets_url
        else
          render :action=>'edit'
        end
      end
    end

Any user could inject widgets into another user by POST'ing:

    :widget=>{:name=>'ownage', :user_id=>'1'}

Solution? Protect the user attributes of Widget:

    class Widget < ActiveRecord::Base
      belongs_to :user
      attr_protected :user, :user_id
    end

Of course, both user and user_id need to be protected, since both can be assigned through the build or update_attributes method.

Enter SecureAssociations

Rather than clutter up models with lots of attr_protected calls, SecureAssociations provides a shorthand hook so you'll never forget:

    class Widget < ActiveRecord::Base
      belongs_to :user, :protected=>true
    end

The :protected option currently works on belongs_to and has_many.
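
The overwrite and the shorthand described above, reproduced without Rails as an added example (this is not the plugin's code). MiniModel, OpenWidget, GuardedWidget, build_for and POSTED are hypothetical stand-ins, and setting the owner before bulk assignment is an assumption chosen to reproduce the behaviour the page describes.

```ruby
# Plain-Ruby stand-in for ActiveRecord mass assignment (hypothetical names).
class MiniModel
  def self.protected_attrs
    @protected_attrs ||= []
  end

  def self.attr_protected(*names)
    protected_attrs.concat(names.map(&:to_s))
  end

  # belongs_to :user defines user and user_id; :protected => true guards
  # both the association name and its foreign key in one declaration.
  def self.belongs_to(name, options = {})
    attr_accessor name, "#{name}_id"
    attr_protected(name, "#{name}_id") if options[:protected]
  end

  def initialize(attrs = {})
    self.attributes = attrs
  end

  # Bulk assignment: silently drop protected keys, assign the rest.
  def attributes=(attrs)
    attrs.each do |key, value|
      next if self.class.protected_attrs.include?(key.to_s)
      public_send("#{key}=", value)
    end
  end
end

class OpenWidget < MiniModel
  attr_accessor :name
  belongs_to :user
end

class GuardedWidget < MiniModel
  attr_accessor :name
  belongs_to :user, :protected => true
end

# Stand-in for current_user.widgets.build(params). Assumption: the owner is
# set first, so an unprotected user_id in params can overwrite it.
def build_for(owner_id, klass, params)
  widget = klass.new
  widget.user_id = owner_id    # direct assignment bypasses protection
  widget.attributes = params   # bulk assignment honours protection
  widget
end

POSTED = { :name => 'ownage', :user_id => '1' } # constructed request params
```

With POSTED, build_for(42, OpenWidget, POSTED) ends up owned by '1', while the GuardedWidget version keeps owner 42 and still accepts the name.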

Installation

Inside your Rails project do:

    script/plugin install http://secure-associations.googlecode.com/svn/plugins/secure_associations

Since this plugin is still under active development, you may want to link the source directly to the repository. Whenever you do svn update on your project, secure_associations will also update:

    script/plugin install -x http://secure-associations.googlecode.com/svn/plugins/secure_associations