Hi guys,

why does ActionController::Parameters not come with a #deny method along with #permit? I frequently run into situations in which I want to prevent malicious assignment of one or two attributes while all the others should be "permitted".

So this:

    current_user.invoices.create! params.require(:invoice).deny(:user_id)

would be quicker than:

    current_user.invoices.create! params.require(:invoice).permit(:name, :address, :email, ...)

But unless I'm missing something there is no way to 'blacklist' parameters. Is there a particular reason for that?

Maurizio

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-core+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
Presumably it's because blacklisting has been proven to be less secure than whitelisting. That's also why in Rails 3, attr_accessible is considered safer than attr_protected.

In other words, if you were to add a new attr a month after writing the controller, it's more secure to default that new attr to not being permitted than to default it to being permitted. Whitelisting achieves this.

Brian

On Saturday, June 1, 2013 2:43:04 PM UTC-7, mcasimir wrote:
> Hi guys,
> why does ActionController::Parameters not come with a #deny method along with #permit?
>
> I frequently run into situations in which I want to prevent malicious assignment of one or two attributes while all the others should be "permitted".
>
> So this:
>
>     current_user.invoices.create! params.require(:invoice).deny(:user_id)
>
> would be quicker than:
>
>     current_user.invoices.create! params.require(:invoice).permit(:name, :address, :email, ...)
>
> But unless I'm missing something there is no way to 'blacklist' parameters. Is there a particular reason for that?
>
> Maurizio
If you really must, you could e.g. define a method on Invoice along the lines of (untested):

    def self.permitted_params
      attribute_names - ["user_id"]
    end

and then do

    permit(*Invoice.permitted_params)

But like Brian said, whitelisting is more secure.

On Saturday, June 1, 2013 11:43:04 PM UTC+2, mcasimir wrote:
> Hi guys,
> why does ActionController::Parameters not come with a #deny method along with #permit?
>
> I frequently run into situations in which I want to prevent malicious assignment of one or two attributes while all the others should be "permitted".
>
> So this:
>
>     current_user.invoices.create! params.require(:invoice).deny(:user_id)
>
> would be quicker than:
>
>     current_user.invoices.create! params.require(:invoice).permit(:name, :address, :email, ...)
>
> But unless I'm missing something there is no way to 'blacklist' parameters. Is there a particular reason for that?
>
> Maurizio
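As an added illustration of both points made above (Brian's argument that an attribute added later is only unpermitted by default under a whitelist, and the `attribute_names - ["user_id"]` helper suggested in the last reply), here is a stand-alone Ruby example that is not part of the thread. The Params class and its #deny method are constructed stand-ins for ActionController::Parameters (Rails has no #deny), and the request body and column lists are made up for the demonstration.

```ruby
# Added example, not from the thread. Params is a constructed stand-in for
# ActionController::Parameters; #deny is hypothetical (Rails has no such method).
class Params
  def initialize(data)
    @data = data.transform_keys(&:to_s)
  end

  # Whitelist, as Rails' #permit does: only the named keys survive.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    Params.new(@data.select { |k, _| allowed.include?(k) })
  end

  # Blacklist, as the requested #deny would: keys not named survive, even ones added later.
  def deny(*keys)
    denied = keys.map(&:to_s)
    Params.new(@data.reject { |k, _| denied.include?(k) })
  end

  def to_h
    @data
  end
end

# Constructed request body: the client also submits "admin", a column that a
# later migration added to invoices, a month after the controller was written.
REQUEST = { "name" => "ACME", "address" => "1 Main St",
            "email" => "ap@example.com", "user_id" => "42", "admin" => "true" }

# Invoice.attribute_names as it was when the controller was written, and now.
COLUMNS_THEN = %w[id name address email user_id]
COLUMNS_NOW  = COLUMNS_THEN + ["admin"]

# Explicit whitelist: a new column is not permitted until someone adds it here.
def permit_approach(request)
  Params.new(request).permit(:name, :address, :email).to_h
end

# Blacklist: the new column is permitted by default, which is the mass
# assignment risk Brian describes.
def deny_approach(request)
  Params.new(request).deny(:user_id).to_h
end

# The attribute_names - ["user_id"] helper from the thread: a whitelist in form,
# but derived from the schema, so it grows with every new column.
def derived_permit_approach(request, attribute_names)
  Params.new(request).permit(*(attribute_names - ["user_id"])).to_h
end
```

Running the three approaches against REQUEST shows that only the explicit whitelist keeps "admin" out once the column exists; the deny list and the schema-derived list both let it through.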