Lucifron
2006-Mar-21 09:05 UTC
[Rails] Validation to make sure associations don't change?

I have a main form representing the model, let's call that 'Order', and a partial displaying its OrderLines. I use the bulk update methods to initialize model objects directly from form data, leaving validation of business logic to the model. As AR likes to write stuff before I do an explicit save, I wrap the whole update in a manual transaction.

This works for valid data, but how do I deal with attacks? If people can override either primary or foreign keys, things will get really messy. Are validations in the model sufficient to deal with this? What happens if I read a row that's just been updated, but not yet committed to the db; I'll probably get the new data, so comparing to existing data will have to happen in the controller?

Any suggestions appreciated.
Tom Mornini
2006-Mar-21 16:33 UTC
[Rails] Validation to make sure associations don't change?

On Mar 21, 2006, at 1:05 AM, Lucifron wrote:

> I use the bulk update methods to initialize model objects directly from form
> data, leaving validation of business logic to the model.

Look at attr_protected and attr_accessible

> As AR likes to write stuff before I do an explicit save, I wrap the whole
> update in a manual transaction.

When does AR write "stuff" before you do an explicit save?

It doesn't do that to me...

--
Tom Mornini
Lucifron
2006-Mar-29 08:34 UTC
[Rails] Validation to make sure associations don't change?

Tom Mornini wrote:

> On Mar 21, 2006, at 1:05 AM, Lucifron wrote:
>
>> I use the bulk update methods to initialize model objects directly from form
>> data, leaving validation of business logic to the model.
>
> Look at attr_protected and attr_accessible

A combination of these and storing ids in the session worked out fine, thanks.

>> As AR likes to write stuff before I do an explicit save, I wrap the whole
>> update in a manual transaction.
>
> When does AR write "stuff" before you do an explicit save?
>
> It doesn't do that to me...

The "Unsaved objects and associations" section under ActiveRecord::Associations::ClassMethods certainly gives me that impression (even if I haven't bothered to actually test it. Safer to just manually wrap the whole update in a transaction than betting on myself and the people I work with to know what we're doing).
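
The approach the thread settles on (an attribute allow-list plus ids kept in the session), sketched as an added example that is not part of any post above and is not ActiveRecord code. It is a plain-Ruby stand-in: `Order`/`OrderLine` come from the thread, while `ACCESSIBLE`, `safe_update`, `unsafe_update`, `find_line`, `apply_form` and the sample data are hypothetical names constructed for illustration.

```ruby
# Plain-Ruby stand-in for bulk assignment; not ActiveRecord itself.
class OrderLine
  ACCESSIBLE = %w[quantity note].freeze # allow-list, the role attr_accessible plays
  attr_reader :id, :order_id, :quantity, :note

  def initialize(id:, order_id:, quantity:, note: "")
    @id, @order_id, @quantity, @note = id, order_id, quantity, note
  end

  # Unprotected bulk update: every submitted key is written, keys included.
  def unsafe_update(params)
    params.each { |k, v| instance_variable_set("@#{k}", v) }
    self
  end

  # Allow-listed bulk update: keys outside ACCESSIBLE are dropped and returned
  # so the caller can log the tampering attempt.
  def safe_update(params)
    rejected = params.keys.map(&:to_s) - ACCESSIBLE
    params.each { |k, v| instance_variable_set("@#{k}", v) if ACCESSIBLE.include?(k.to_s) }
    rejected
  end
end

# Constructed sample data: two lines belonging to two different orders.
LINES = [
  OrderLine.new(id: 1, order_id: 10, quantity: 2),
  OrderLine.new(id: 2, order_id: 20, quantity: 5)
]

# Resolve a line only inside the order whose id is held server-side in the
# session, never through an order id or foreign key taken from the form.
def find_line(session, line_id)
  LINES.find { |l| l.id == line_id.to_i && l.order_id == session[:order_id] }
end

# Apply the submitted per-line attributes; returns, per line id, either the
# list of rejected keys or :not_in_order when the line is outside the order.
def apply_form(session, form_lines)
  form_lines.map do |line_id, attrs|
    line = find_line(session, line_id)
    next [line_id, :not_in_order] unless line
    [line_id, line.safe_update(attrs)]
  end.to_h
end
```

In a Rails application of that era the allow-list would be declared with `attr_accessible` on the model and the scoped lookup done through the parent order's association rather than a global find.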