mass_assignment_authorizer and nested attributes

I'm using dynamic attr_accessible as per this article:

http://asciicasts.com/episodes/237-dynamic-attr-accessible

It works fine. But I haven't found an elegant way to make it work with nested attributes. Here's some simplified code:

class Company < ActiveRecord::Base
  has_many :employees

  accepts_nested_attributes_for :employees
end

class Employee < ActiveRecord::Base
  belongs_to :company

  attr_protected :salary

  attr_accessor :accessible

  def mass_assignment_authorizer  
    if accessible == :all
      ActiveModel::MassAssignmentSecurity::BlackList.new
    else
      super + (accessible || [])
    end
  end 
end

Let's say I have an admin interface with a RESTful form for a Company. On this form, I have fields for employees_attributes, including blank fields to create new Employees. I can't find a way to call Employee#accessible= in this context. Browsing through the ActiveRecord source code, it seems that this might be impossible: in the remotest part of a very deep call stack, nested associations just result in Employee.new being called with the attributes.

I'd thought about creating a special attribute that could be passed in through mass assignment. If the attribute's value were the right code, the Employee instance would set @accessible to :all. But I don't think there's a way to guar开发者_如何转开发antee that this attribute gets set before the protected attributes.

Is there any way to make dynamic protected attributes work with nested attributes?

---

I'm new to rails, and have had boatloads of trouble trying to get nested attributes to work myself, but I found that I had to add the nested attributes to my accessible list.

class Company < ActiveRecord::Base
  has_many :employees

  accepts_nested_attributes_for :employees

  attr_accessible :employees_attributes
end

My understanding is that accepts_nested_attributes_for creates that special employees_attributes, but when you default all attributes to non-accessible (which I believe the asciicast does) you won't be able to use it.

I hope that helps.

---

This seems to me like something that could be set directly from your controller code on the class for this request. E.g.

Employee.accessible = :all
Company.create(params[:company])
Employee.accessible = nil

Which could be extracted to a block like

def with_accessible(*types)
  types.flatten!
  types.each{|type| type.accessible = :all}
  yield
  types.each{|type| type.accessible = nil}
end

So your final controller code is

with_accessible(Employee, OtherClass, YetAnotherClass) do
  Company.create(params[:company])
end

Pretty expressive of what's going on for the case of all attributes

For the case of only certain attributes, I might modify it to the following

def with_accessible(*types, &block)
  types.flatten!
  return with_accessible_hash(types.first, &block) if types.first.is_a?(Hash)
  types.each{|type| type.accessible = :all}
  ret = yield
  types.each{|type| type.accessible = nil}
  ret
end

def with_accessible_hash(hash, &block)
  hash.each_pair do |klass, accessible|
    Object.const_get(klass).accessible = accessible
  end
  ret = yield
  hash.keys.each{|type| type.accessible = nil}
  ret
end

Which gives you

with_accessible(:Employee => [:a, :b, :c], :OtherClass => [:a, :b]) do
  Company.create(params[:company])
end