What is the difference between attr_accessible(*attributes) & attr_protected(*attributes)? Examples would be nice.
I see many developers use these in their models. I googled for the differences, but I don't get exactly what they are. What is the importance and its necessity in different scenarios?
Answer
attr_accessible (documentation) says "the specified attributes are accessible and all others are protected" (think of it as whitelisting.)
whereas attr_protected (documentation) says "the specified attributes are protected and all others are accessible" (think of it as blacklisting.)
A protected attribute is one that can only be modified explicitly (e.g. via attribute=) and can't be updated via mass assignment (e.g. using model.update_attributes or by passing attributes to new). The behaviour upon an attempt to update a protected attribute via mass assignment depends on the mass_assignment_sanitizer setting (see the update below).
The classic example would be if a User model had an is_admin attribute: you could protect that attribute to prevent form submissions that would allow any user to be set as an administrator.
e.g.
class User < ActiveRecord::Base
  # explicitly protect is_admin, any new attributes added to the model
  # in future will be unprotected so we need to remember to come back
  # and add any other sensitive attributes here in the future
  attr_protected :is_admin
end
or:
class User < ActiveRecord::Base
  # explicitly unprotect name and bio, any new attributes added to the model
  # in the future will need to be listed here if we want them to be accessible
  attr_accessible :name, :bio
end
Now, assuming the is_admin attribute is protected:
> u = User.find_by_name('mikej')
> u.is_admin?
false
> u.update_attributes(:name => 'new name', :is_admin => true)
> u.is_admin?
false
> u.name
"new name"
> u.is_admin = true # setting it explicitly
> u.save
> u.is_admin?
true
Update: Later versions of Rails introduced the concept of a mass assignment sanitizer to control the behaviour upon attempts to update protected attributes via mass assignment. In Rails 3.2 and later this can be controlled by setting mass_assignment_sanitizer in config. The default is to just log the attempts and allow code execution to continue, but the standard environment config for development sets this to :strict, which raises an exception on an attempt to update a protected attribute.
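To make the whitelist/blacklist semantics and the two sanitizer modes concrete without needing a Rails app, here is an added, self-contained example (not part of the original answer and not ActiveRecord's own code): a small plain-Ruby module that mimics attr_accessible, attr_protected and mass_assignment_sanitizer, applied to a constructed tampered form submission. The class names BlacklistUser, WhitelistUser and StrictUser, the extra `role` attribute and the sample params are all made up for the illustration; the point it adds to the answer is what happens to an attribute that is added to the model later and forgotten.

```ruby
# Added example: plain-Ruby re-implementation of the mass-assignment protection
# semantics described in the answer. This is NOT ActiveRecord; method names
# mirror the Rails 3 API only so the behaviour can be compared side by side.
module MassAssignmentSecurity
  # Raised instead of logging when the sanitizer is :strict.
  class ProtectedAttributeError < StandardError; end

  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    attr_writer :mass_assignment_sanitizer

    # :logger mimics the Rails 3.2 default (drop the attribute and warn);
    # :strict mimics mass_assignment_sanitizer = :strict (raise).
    def mass_assignment_sanitizer
      @mass_assignment_sanitizer || :logger
    end

    # Whitelist: only the listed attributes may be mass-assigned.
    def attr_accessible(*attrs)
      @accessible = attrs.map(&:to_s)
    end

    # Blacklist: everything except the listed attributes may be mass-assigned.
    def attr_protected(*attrs)
      @protected = attrs.map(&:to_s)
    end

    def mass_assignable?(name)
      name = name.to_s
      return @accessible.include?(name) if @accessible
      return !@protected.include?(name) if @protected
      true # nothing declared: every attribute is assignable
    end

    # Drops (or, in :strict mode, rejects) protected keys from a submission.
    def sanitize_for_mass_assignment(attrs)
      allowed, rejected = attrs.partition { |k, _| mass_assignable?(k) }
      unless rejected.empty?
        msg = "Can't mass-assign protected attributes: #{rejected.map(&:first).join(', ')}"
        raise ProtectedAttributeError, msg if mass_assignment_sanitizer == :strict
        warn "WARNING: #{msg}"
      end
      allowed.to_h
    end
  end

  def initialize(attrs = {})
    assign_attributes(attrs)
  end

  # Mass assignment (new / update_attributes) goes through the sanitizer.
  # Explicit setters (user.is_admin = true) bypass it, as in Rails.
  def assign_attributes(attrs)
    self.class.sanitize_for_mass_assignment(attrs).each do |k, v|
      public_send("#{k}=", v)
    end
  end
  alias update_attributes assign_attributes
end

# Blacklist model: is_admin is protected, but :role was added later and forgotten.
class BlacklistUser
  include MassAssignmentSecurity
  attr_accessor :name, :bio, :is_admin, :role
  attr_protected :is_admin
end

# Whitelist model: the forgotten :role is protected by default.
class WhitelistUser
  include MassAssignmentSecurity
  attr_accessor :name, :bio, :is_admin, :role
  attr_accessible :name, :bio
end

# Same whitelist, but the sanitizer raises instead of logging.
class StrictUser
  include MassAssignmentSecurity
  attr_accessor :name, :bio, :is_admin, :role
  attr_accessible :name, :bio
  self.mass_assignment_sanitizer = :strict
end

# Constructed attacker input: a form post carrying extra is_admin/role fields.
TAMPERED_PARAMS = { name: 'mikej', bio: 'hi', is_admin: true, role: 'admin' }.freeze

# What the tampered submission actually managed to set on each model.
def escalation_outcome
  b = BlacklistUser.new(TAMPERED_PARAMS)
  w = WhitelistUser.new(TAMPERED_PARAMS)
  { blacklist: { name: b.name, is_admin: b.is_admin, role: b.role },
    whitelist: { name: w.name, is_admin: w.is_admin, role: w.role } }
end

# In :strict mode the same submission raises rather than being silently trimmed.
def strict_mode_raises?
  StrictUser.new(TAMPERED_PARAMS)
  false
rescue MassAssignmentSecurity::ProtectedAttributeError
  true
end

# Explicit assignment is unaffected by protection (the answer's u.is_admin = true).
def explicit_assignment_still_works?
  u = WhitelistUser.new(name: 'mikej')
  u.is_admin = true
  u.is_admin == true
end
```

Running escalation_outcome shows the difference the answer's code comments warn about: both models keep is_admin out of reach, but the blacklist model lets the forgotten role attribute through, while the whitelist model drops it without anyone having to remember to list it. Switching the sanitizer to :strict turns the silent drop into an exception, which is why the development config uses it: the tampered request fails loudly instead of being quietly trimmed.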