Rails is quite careful about several kinds of injections, and this can be confusing.

`attr_accessible` is a Rails thing, similar to the Ruby Module method `attr_accessor`, yet different. `attr_accessible` does allow access to the specified arguments, much in the same way as `attr_accessor` (the object gets "getters" and "setters"). `attr_accessible` also does more work to protect against injections.

When a parameter dictionary is passed to create an object, each parameter is checked against the whitelist defined by `attr_accessible`. If the parameter belongs to the list, it gets assigned and persisted. If not, the mass-assignment security error is raised to prevent any unwanted assignment, a potential security hole. `attr_accessor` does not do all that, as it does not make sense in plain Ruby.

Now `card_number` and `card_verification` should not be persisted according to your specifications. They belong to the logic related to cash transactions only, so choosing instance attributes seems a good choice at this point. As plain attributes of `CashTransaction` instances, they need to be treated as such, with plain Ruby access methods. The short answer to all that is @gylaz's.

Wordy feedback above. For concrete examples, ActiveModel's code and related comments are very informative.
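The whitelist mechanism the answer above describes, as an added example that is not part of the original answer and not ActiveModel's code: a small stand-in module (hypothetically named `WhitelistedAssignment`) that mimics what `attr_accessible` does for a parameter hash, so it runs without Rails. The persisted columns `amount` and `currency`, the `MassAssignmentError` class and the sample parameter hashes are all assumptions constructed for the example; only `card_number`, `card_verification` and `CashTransaction` come from the question.

```ruby
# Added example: a minimal stand-in for the whitelist-based mass assignment
# that attr_accessible provides in Rails. It is NOT ActiveModel's code; it
# only mimics the behaviour described in the answer so it runs without Rails.

# Raised when a mass-assigned key is not on the whitelist (mirrors the
# strict "mass-assignment security error" behaviour the answer mentions).
class MassAssignmentError < StandardError; end

module WhitelistedAssignment
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Declare which attributes may be set from an external parameter hash.
    # Each declared name also gets a getter/setter backed by the
    # "persisted" attribute hash (standing in for a database column).
    def attr_accessible(*names)
      names.each do |name|
        accessible_attributes << name.to_sym
        define_method(name) { persisted_attributes[name.to_sym] }
        define_method("#{name}=") { |v| persisted_attributes[name.to_sym] = v }
      end
    end

    def accessible_attributes
      @accessible_attributes ||= []
    end
  end

  # Attributes that would be written to the database.
  def persisted_attributes
    @persisted_attributes ||= {}
  end

  # Mass assignment from a params-like hash: every key is checked against
  # the whitelist before anything is assigned, so a tampered request cannot
  # set half the attributes before being rejected.
  def assign_attributes(params)
    params.each_key do |key|
      unless self.class.accessible_attributes.include?(key.to_sym)
        raise MassAssignmentError, "Can't mass-assign protected attribute: #{key}"
      end
    end
    params.each { |key, value| public_send("#{key}=", value) }
    self
  end
end

class CashTransaction
  include WhitelistedAssignment

  # Hypothetical persisted columns, open to mass assignment.
  attr_accessible :amount, :currency

  # Plain Ruby accessors for data used only while processing the payment;
  # they are never part of persisted_attributes.
  attr_accessor :card_number, :card_verification
end

def build_transaction(params)
  CashTransaction.new.assign_attributes(params)
end

# Constructed sample input, shaped like what a controller would receive.
SAFE_PARAMS = { "amount" => 1200, "currency" => "EUR" }.freeze
TAMPERED_PARAMS = SAFE_PARAMS.merge("card_number" => "4111111111111111").freeze

if __FILE__ == $PROGRAM_NAME
  tx = build_transaction(SAFE_PARAMS)
  tx.card_number = "4111111111111111"   # set through the plain accessor
  p tx.persisted_attributes             # card_number is absent here
  begin
    build_transaction(TAMPERED_PARAMS)
  rescue MassAssignmentError => e
    puts e.message
  end
end
```

Running it shows the two behaviours side by side: the whitelisted keys land in `persisted_attributes`, the card data set through `attr_accessor` never does, and a request that tries to mass-assign `card_number` is rejected before any attribute is written.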