Topic: attr_accessible question

So say I have four tables: colors, shapes, customers, and widgets.

Here are the schemas:

Table name: colors
id            :integer
color         :string

Table name: shapes
id            :integer
shape         :string

Table name: customers
id            :integer
customer      :string

Table name: widgets
id            :integer
color_id      :integer
shape_id      :integer
customer_id   :integer

The relationships are as you might expect:
colors, shapes, and customers all have many widgets, and
widgets belongs to colors, shapes, and customers.

When I want to create a new widget, I scope it through a customer, roughly like this:
customer.widgets.create(color_id: xxx, shape_id: xxx)

Most likely the color and shape IDs are pulled from params passed in from a form, which gets submitted by a logged-in customer.

Okay, so given that basic scenario...

My question is whether I must keep the color_id and shape_id attributes accessible via mass assignment.

In other words, in Rails 3.2.3, must I have this line in my app/models/widgets.rb file:

attr_accessible :color_id, :shape_id

So far I've tried leaving them out, but my rspec threw a mass assignment security error because of this line:

before { @widget =, shape_id: }

If I must leave these attributes accessible, am I leaving a security hole open? Or am I okay by adding a before_filter in the marks controller that basically requires the correct user for an edit action?

Last edited by Brian71 (2012-04-19 10:40:45)
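The following is an added example, not code from the post or from Rails itself: a small pure-Ruby stand-in for the whitelist behaviour of Rails 3.2's attr_accessible (ActiveModel::MassAssignmentSecurity), written so it runs without Rails installed. It shows the two pieces the question turns on: color_id and shape_id are whitelisted because the form legitimately supplies them, customer_id is left off the whitelist and is set only by the association scope (customer.widgets.create), so a customer_id smuggled into the POST body is dropped, and the ownership check for an edit action is the scoped lookup current_customer.widgets.find(params[:id]), which raises for someone else's record. The strict_sanitizer flag mirrors config.active_record.mass_assignment_sanitizer = :strict, which generated Rails 3.2 apps turn on in the test environment and which is what makes a non-whitelisted key raise in rspec instead of being silently ignored. Widget, Customer, WidgetCollection, MassAssignmentError, RecordNotFound and the constructed params are all assumptions of this example.

```ruby
require "set"

# Stand-in for Rails 3.2's attr_accessible / ActiveModel::MassAssignmentSecurity.
# Added example, not Rails and not the poster's app; Widget, Customer,
# WidgetCollection, MassAssignmentError and RecordNotFound are assumed names.
class MassAssignmentError < StandardError; end
class RecordNotFound < StandardError; end

module MassAssignment
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Whitelist: only these attributes may be set from an external hash.
    def attr_accessible(*names)
      accessible_attributes.merge(names.map(&:to_s))
    end

    def accessible_attributes
      @accessible_attributes ||= Set.new
    end

    # Mirrors config.active_record.mass_assignment_sanitizer = :strict,
    # which raises instead of silently dropping protected keys.
    attr_accessor :strict_sanitizer
  end

  # Drops every key that is not whitelisted; in strict mode raises instead.
  def sanitize_for_mass_assignment(attrs)
    attrs = Hash[attrs.map { |k, v| [k.to_s, v] }]
    rejected = attrs.keys - self.class.accessible_attributes.to_a
    if !rejected.empty? && self.class.strict_sanitizer
      raise MassAssignmentError, "Can't mass-assign protected attributes: #{rejected.join(', ')}"
    end
    attrs.reject { |k, _| rejected.include?(k) }
  end

  def assign_attributes(attrs)
    sanitize_for_mass_assignment(attrs).each { |k, v| public_send("#{k}=", v) }
    self
  end
end

class Widget
  include MassAssignment
  attr_accessor :id, :color_id, :shape_id, :customer_id
  attr_accessible :color_id, :shape_id # customer_id is deliberately NOT accessible

  @all = [] # in-memory stand-in for the widgets table
  class << self
    attr_reader :all
  end

  def initialize(attrs = {})
    assign_attributes(attrs)
  end

  def save
    self.id ||= Widget.all.size + 1
    Widget.all << self unless Widget.all.include?(self)
    self
  end
end

class Customer
  attr_reader :id, :widgets

  def initialize(id)
    @id = id
    @widgets = WidgetCollection.new(self)
  end
end

# Stand-in for the has_many association proxy behind customer.widgets.
class WidgetCollection
  def initialize(owner)
    @owner = owner
  end

  # customer.widgets.create(params): sanitize first, then set the foreign key
  # from the scope, so a customer_id smuggled into the form never wins.
  def create(attrs)
    widget = Widget.new(attrs)
    widget.customer_id = @owner.id
    widget.save
  end

  # current_customer.widgets.find(params[:id]): the ownership check for an
  # edit/update action, raising for a widget that belongs to someone else.
  def find(id)
    Widget.all.find { |w| w.id == id && w.customer_id == @owner.id } ||
      raise(RecordNotFound, "Couldn't find Widget with id=#{id} for customer #{@owner.id}")
  end
end

# Constructed scenario: Mallory (customer 2) submits a form that also carries
# Alice's customer_id. Returns the created widget and both customers.
def smuggled_customer_id_demo
  alice = Customer.new(1)
  mallory = Customer.new(2)
  params = { "color_id" => 3, "shape_id" => 4, "customer_id" => alice.id }
  widget = mallory.widgets.create(params)
  [widget, alice, mallory]
end

if $PROGRAM_NAME == __FILE__
  widget, alice, mallory = smuggled_customer_id_demo
  puts "created widget #{widget.id} for customer #{widget.customer_id}"
  begin
    alice.widgets.find(widget.id)
  rescue RecordNotFound => e
    puts "alice cannot edit it: #{e.message}"
  end
end
```

Keeping customer_id off the whitelist and always creating and finding through the customer's association is what closes the hole; a before_filter that loads the record through current_customer.widgets rather than Widget.find does the same job for edit and update, and anything the form is allowed to set (here color_id and shape_id) is the attacker's to choose anyway, so whitelisting those is not by itself a leak unless the controller trusts them for authorization.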