can a malicious user somehow change the :body, :sender_id, :recipient_id of the original message?
This would depend on other things rather than attr_accessible. attr_accessible will only filter which fields are allowed to be updated using mass assignment. Since you say you don't have any update action, then no, there is no way a user can edit a message, since you always create a new Message through your create action.

But there is something you need to care about. What is sender_id? If you do have users in your app and they send messages to each other, then sender_id should not be an accessible field, since this will allow users to send messages on behalf of other users. You probably want to keep that field off the attr_accessible list and do something like this:
m = Message.new(params[:message]) # mass assignment: only body and recipient_id get through attr_accessible
m.sender_id = current_user.id     # set directly from the session, not mass assignment, so it cannot be forged
m.save
.....
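To make the point concrete, here is an added example that is not part of the answer above: a plain-Ruby stand-in for attr_accessible (a simulation of the whitelist semantics, not Rails' own implementation) with the Message fields from the question, showing that a request carrying a forged sender_id is accepted when sender_id is on the list and dropped when it is off the list and set from the current user instead. The names WeakMessage, SafeMessage, create_message and CRAFTED_PARAMS are assumptions made for the example.

```ruby
# Minimal model base class that mimics attr_accessible's whitelist behaviour.
# This is a simulation for illustration, not ActiveRecord.
class Message
  attr_accessor :body, :sender_id, :recipient_id

  # Per-class whitelist of attributes that mass assignment may set.
  def self.accessible_attrs
    @accessible_attrs ||= []
  end

  def self.attr_accessible(*names)
    accessible_attrs.concat(names.map(&:to_s))
  end

  # Mass assignment: any key not on the whitelist is silently ignored.
  def initialize(attrs = {})
    attrs.each do |name, value|
      next unless self.class.accessible_attrs.include?(name.to_s)
      public_send("#{name}=", value)
    end
  end
end

# Weak configuration: sender_id is mass-assignable, so a client can choose it.
class WeakMessage < Message
  attr_accessible :body, :recipient_id, :sender_id
end

# Safe configuration: sender_id is off the list and must be set by the server.
class SafeMessage < Message
  attr_accessible :body, :recipient_id
end

# Constructed request: the logged-in user (id 7) tries to post as user 1.
CRAFTED_PARAMS = { message: { body: "hi", recipient_id: 2, sender_id: 1 } }

# Simulated create action: sender_id comes from the session, never from params.
def create_message(message_class, params, current_user_id)
  m = message_class.new(params[:message])
  m.sender_id = current_user_id # direct assignment, not mass assignment
  m
end

# True when mass assignment alone let the forged sender_id through.
def forged_sender_via_mass_assignment?(message_class)
  message_class.new(CRAFTED_PARAMS[:message]).sender_id == 1
end
```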