1

This probably sounds like a silly question to a seasoned Rails developer. Do I need to protect against mass-assignment if a model does not have an associated controller? I'm guessing that I don't need to, but it would be great if anyone could confirm this.

Also, what about the scenario where there is a controller but no route to the create/update/destroy actions?

Thanks, Noel

Michael Durrant
noelob

1 Answer

2

I would say yes as a different controller (or a library method, cron job, delayed job, etc.) could now (or in the future) do an update on this model and thus raise the mass assignment issue of concern.

The route question depends a lot on the Rails version.

Rails 2 usually has a default route that might get it to the controller.

Rails 3 is more restrictive and does need a specified route unless the Rails 2-style default is added.

Michael Durrant
  • 1
    "a different controller could now (or in the future) do an update" or a library method, cron job, delayed job, ... Models and controllers (and other classes) should stand on their own as much as possible and that's pretty much your point so +1. – mu is too short Jan 01 '12 at 17:59
  • Thanks for your answers guys, that makes perfect sense once explained. – noelob Jan 02 '12 at 16:15
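The point made in the answer and its first comment, as an added example that is not part of the original thread: a model with no controller and no route is still reachable through a background job that bulk-assigns externally supplied data. This is plain Ruby standing in for ActiveRecord, with a model-level allowlist in the spirit of Rails 3's `attr_accessible`; the names `Account`, `ProtectedAccount`, `assign` and `run_import_job` are hypothetical and the sample row is constructed.

```ruby
# Plain-Ruby stand-in for a model with mass assignment (not ActiveRecord).
class Account
  ATTRIBUTES = [:name, :email, :admin].freeze
  attr_accessor(*ATTRIBUTES)

  # Subclasses override this to restrict what a bulk update may set.
  def self.assignable
    ATTRIBUTES
  end

  # Mass assignment: copy every permitted key from the hash onto the model.
  # Returns the keys that were rejected so the caller can log them.
  def assign(attrs)
    rejected = []
    attrs.each do |key, value|
      key = key.to_sym
      if self.class.assignable.include?(key)
        public_send("#{key}=", value)
      else
        rejected << key
      end
    end
    rejected
  end
end

# Same model with a model-level allowlist: :admin can never be bulk-assigned.
class ProtectedAccount < Account
  def self.assignable
    [:name, :email]
  end
end

# Hypothetical background job: no controller, no route, but it still takes
# externally supplied data and hands it to the model in bulk.
def run_import_job(model_class, row)
  account = model_class.new
  rejected = account.assign(row)
  [account, rejected]
end

# Constructed sample row, as it might arrive from a partner feed or CSV file.
ROW = { "name" => "Noel", "email" => "noel@example.com", "admin" => true }.freeze

if __FILE__ == $PROGRAM_NAME
  [Account, ProtectedAccount].each do |klass|
    account, rejected = run_import_job(klass, ROW)
    puts "#{klass}: admin=#{account.admin.inspect} rejected=#{rejected.inspect}"
  end
end
```

Because the allowlist lives on the model, every caller (controller, job, library method) gets the same protection without having to filter the hash itself.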