Rails attr_accessible gotcha

If you’re like me you inherit a lot of projects which have very different styles. Today I ran into a project that had never used attr_accessible and I found a total gotcha:

  • If there are no attr_accessible attributes on a model it’s open, any attribute can be written with .update_attributes() or a similar mass-assignment function.
  • If there is even one attr_accessible the model is closed except for those attributes defined to be attr_accessible.

So there is an implicit toggle involved in attr_accessible as well as the actual desired functionality of allowing an attribute to be mass-assigned. I’d never worked on a project that wasn’t using attr_accessible (count my lucky stars it seems) so i’d never seen this problem before.

Also, try not to confuse attr_accessor and attr_accessible. The latter is a rails security function, the former just defines an instance variable. Mass assignment, or assignment of any kind won’t really work on the former from within rails.