ruby-on-rails-4, strong-parameters, attr-accessible

Difference between attr_accessible and strong parameters


I have just been doing a bit of reading on attr_accessor, attr_accessible and strong parameters at a few different locations:

Difference between attr_accessor and attr_accessible
How is attr_accessible used in Rails 4?
http://edgeapi.rubyonrails.org/classes/ActionController/StrongParameters.html

And I am looking at mass assignment:

http://code.tutsplus.com/tutorials/mass-assignment-rails-and-you--net-31695

I can't get my head around the difference between attr_accessible and strong parameters. I am not 100% confident in my understanding of the subjects mentioned above so I could be missing something simple but I know they do a similar job.

However, what is the difference between attr_accessible and strong parameters? Are they just a different name for the same thing? Why did we move from one to the other?

Any info is appreciated.


Solution

  • attr_accessible has been deprecated in Rails 4 in favor of Strong Parameters.

    Both are different approaches to the mass assignment problem but Strong Parameters is more flexible.

    For example, you have a User model with the attributes email:string and is_admin:boolean. You wish to allow the users to modify their email through a form but not the is_admin field.

    In Rails 3 you should do:

    attr_accessible :email
    

    With this approach it's not possible for a user to modify is_admin because that attribute is protected.

    One of the good things of Strong Parameters is that you could do the following in your controller:

    def user_params
      if current_user.admin?
        params.require(:user).permit(:email, :is_admin)
      else
        params.require(:user).permit(:email)
      end
    end
    

    This way an admin user will be able to modify is_admin while a normal user won't.

    This is just one example and not the best way to grant administrative permissions to a user but it's quite illustrative.

    The main advantage of Strong Parameters is that they are defined in the controller and can be dynamically assigned at run time. attr_accessible was a more static and monolithic way to whitelist attributes.

    On the other hand, attr_accessor is a completely different thing and can still be used in Rails 4, for example, if you need an attribute in your model that doesn't need to be persisted or written to the database but that you require in a form. Think about:

    attr_accessor :has_accepted_legal_terms

    It's a Ruby method that can be used to declare an attribute of your model that is not related to the database, an attribute of a class or PORO (Plain Old Ruby Object).
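
An added example, not part of the answer above and not Rails' own code: a plain-Ruby model of the two whitelisting styles, run against a constructed request that carries a forged `is_admin` field. `StaticUser`, `permitted_user_params`, `apply_update`, `MissingParam` and the sample data are hypothetical names chosen for this sketch.

```ruby
# Simplified stand-in for the two approaches; it does not use or reproduce Rails.

# Rails 3 style: the whitelist lives on the model and is the same for every caller.
class StaticUser
  ACCESSIBLE = %w[email].freeze # plays the role of `attr_accessible :email`
  attr_reader :attrs

  def initialize
    @attrs = { "email" => "old@example.test", "is_admin" => false }
  end

  # Mass assignment: only whitelisted keys are copied, the rest are dropped.
  def update(raw)
    @attrs.merge!(raw.select { |key, _| ACCESSIBLE.include?(key) })
  end
end

# Rails 4 style: the controller decides per request which keys reach the model.
class MissingParam < StandardError; end

def permitted_user_params(params, admin:)
  # Plays the role of params.require(:user): fail loudly if the key is absent.
  user = params.fetch("user") { raise MissingParam, "user" }
  # Plays the role of permit(...): the list depends on who is asking.
  allowed = admin ? %w[email is_admin] : %w[email]
  user.select { |key, _| allowed.include?(key) }
end

def apply_update(record, params, admin:)
  record.merge(permitted_user_params(params, admin: admin))
end

# Constructed request body: a normal form field plus a forged is_admin field.
FORGED = { "user" => { "email" => "new@example.test", "is_admin" => true } }.freeze
RECORD = { "email" => "old@example.test", "is_admin" => false }.freeze

static = StaticUser.new
static.update(FORGED["user"])
puts "model whitelist:       #{static.attrs}"
puts "controller, non-admin: #{apply_update(RECORD, FORGED, admin: false)}"
puts "controller, admin:     #{apply_update(RECORD, FORGED, admin: true)}"
```

The model-level whitelist gives the same result for every caller, while the controller-level filter lets `is_admin` through only for the admin request.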