Ilya Katz
2013-Jan-07 16:43 UTC
Mass-assignment notification with whitelist_attributes set to true
I just wanted to get everyone's opinion on this before attempting a pull request.

When mass-assignment is disallowed by default with

config.active_record.whitelist_attributes = true

Two things happen

1. A message is logged "WARNING: Can't mass-assign protected attributes: blah" (which is the case even if whitelist_attributes is not set to true)
2. Mass assignment is not allowed without explicit declaration but there is no error, the same application fails to save/update a model that produces some other error which isn't easily apparent as to why it happened

I found it useful for my development to make 2 changes

1. Update log message to be more explicit such as "WARNING: Can't mass-assign *in SomeModel* protected attributes: blah"
2. Throw an exception - this would only make sense if whitelist_attributes is set to true

Any opinion if this would be a good suggestion for the rails feature request, specifically #2?

Thanks

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-talk/-/HrpdVBd65KkJ.
For more options, visit https://groups.google.com/groups/opt_out.
Frederick Cheung
2013-Jan-07 22:11 UTC
Re: Mass-assignment notification with whitelist_attributes set to true
On Jan 7, 5:43 pm, Ilya Katz <ilyak...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> I found it useful for my development to make 2 changes
>
> 1. Update log message to be more explicit such as "WARNING: Can't
> mass-assign *in SomeModel* protected attributes: blah"
> 2. Throw an exception - this would only make sense if whitelist_attributes
> is set to true
>
> Any opinion if this would be a good suggestion for the rails feature
> request, specifically #2?
>

#2 already exists: config.active_record.mass_assignment_sanitizer = :strict will turn on exception raising. A better error message wouldn't hurt though.

Fred

> Thanks
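An added illustration, not part of the thread and not Rails code: a plain-Ruby model of the two behaviours discussed above, a whitelist that logs and drops a non-whitelisted attribute (so the later save fails with an unrelated-looking error) versus one that raises at assignment time. `Account`, `ProtectedAttributeError`, `demo` and the attribute names are hypothetical.

```ruby
require 'logger'
require 'stringio'

class ProtectedAttributeError < StandardError; end # hypothetical error class

class Account
  ACCESSIBLE = %w[name].freeze          # explicit whitelist
  REQUIRED   = %w[name owner_id].freeze # stand-in for presence validations

  class << self
    attr_accessor :sanitizer, :logger   # sanitizer is :logger or :strict
  end
  self.sanitizer = :logger

  attr_reader :attributes, :errors

  def initialize(params = {})
    @errors = []
    params = params.each_with_object({}) { |(k, v), h| h[k.to_s] = v }
    denied = params.keys - ACCESSIBLE
    report(denied) unless denied.empty?
    @attributes = params.reject { |k, _| denied.include?(k) }
  end

  # Fails on the missing attribute, with no hint that it was filtered out.
  def save
    @errors = REQUIRED.reject { |a| @attributes[a] }.map { |a| "#{a} can't be blank" }
    @errors.empty?
  end

  private

  def report(denied)
    msg = "Can't mass-assign protected attributes in #{self.class.name}: #{denied.join(', ')}"
    raise ProtectedAttributeError, msg if self.class.sanitizer == :strict
    self.class.logger.warn("WARNING: #{msg}")
  end
end

# Runs the same constructed request parameters through one sanitizer mode.
def demo(mode)
  log = StringIO.new
  Account.sanitizer = mode
  Account.logger = Logger.new(log)
  account = Account.new('name' => 'acme', 'owner_id' => 7)
  { saved: account.save, errors: account.errors, log: log.string }
rescue ProtectedAttributeError => e
  { raised: e.message }
end
```

In `:logger` mode the only trace of the dropped attribute is the log line; in `:strict` mode the failure surfaces where the filtered attribute was submitted.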
Ilya Katz
2013-Jan-08 14:49 UTC
Re: Mass-assignment notification with whitelist_attributes set to true
Thanks Fred

Looks like strict sanitizer option is only available in 3.2 (I'm on 3.1 for now).

On Monday, January 7, 2013 11:43:13 AM UTC-5, Ilya Katz wrote:
>
> I just wanted to get everyone's opinion on this before attempting a pull
> request.
>
> When mass-assignment is disallowed by default with
>
> config.active_record.whitelist_attributes = true
>
> Two things happen
>
> 1. A message is logged "WARNING: Can't mass-assign protected attributes:
> blah" (which is the case even if whitelist_attributes is not set to true)
> 2. Mass assignment is not allowed without explicit declaration but there
> is no error, the same application fails to save/update a model that
> produces some other error which isn't easily apparent as to why it happened
>
> I found it useful for my development to make 2 changes
>
> 1. Update log message to be more explicit such as "WARNING: Can't
> mass-assign *in SomeModel* protected attributes: blah"
> 2. Throw an exception - this would only make sense if
> whitelist_attributes is set to true
>
> Any opinion if this would be a good suggestion for the rails feature
> request, specifically #2?
>
> Thanks
>