Matthew Rudy Jacobs wrote:
> I was just thinking,
> what if someone accidentally leaves something dangerous in a blah
> method...
> 
> could have some really bad consequences.
> 
> Perhaps we're better off defining all write-able attributes,
> rather than doing an "attr_protected" on all the ones we don't
> want.
> 
> http://rudyonrails.blogspot.com/2008/07/whoops-rails-security-flaw.html
> 
> another reason I'm swaying toward Datamapper over ActiveRecord.
whoops...
Rails already allows this:
"""
attr_accessible(*attributes)
Specifies a white list of model attributes that can be set via 
mass-assignment, such as new(attributes), update_attributes(attributes), 
or attributes=(attributes)
This is the opposite of the attr_protected macro: Mass-assignment will 
only set attributes in this list, to assign to the rest of attributes 
you can use direct writer methods. This is meant to protect sensitive 
attributes from being overwritten by malicious users tampering with URLs 
or forms. If you'd rather start from an all-open default and restrict 
attributes as needed, have a look at attr_protected.
  class Customer < ActiveRecord::Base
    attr_accessible :name, :nickname
  end
  customer = Customer.new(:name => "David", :nickname => "Dave", :credit_rating => "Excellent")
  customer.credit_rating # => nil
  customer.attributes = { :name => "Jolly fellow", :credit_rating => "Superb" }
  customer.credit_rating # => nil
  customer.credit_rating = "Average"
  customer.credit_rating # => "Average"
"""
-- 
Posted via http://www.ruby-forum.com/.
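An added example (not from the original thread and not Rails' own code) that shows the white-list versus black-list difference behind the attr_accessible docs quoted above, using a small stand-alone module in place of ActiveRecord. The MassAssignment module, the BlacklistedAccount and WhitelistedAccount classes, and the TAMPERED_PARAMS hash are all constructed here; the "admin" key stands in for any sensitive column that was added to a model after its attr_protected list was written.

```ruby
# Minimal stand-in for ActiveRecord mass-assignment protection (constructed
# example, not Rails code). It supports both policies so the two can be
# compared on the same tampered input:
#   attr_accessible -> white list: only listed keys are mass-assignable
#   attr_protected  -> black list: everything except listed keys is assignable
module MassAssignment
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    def attr_accessible(*names)
      @accessible = names.map(&:to_s)
    end

    def attr_protected(*names)
      @protected = names.map(&:to_s)
    end

    def accessible_attributes
      @accessible
    end

    def protected_attributes
      @protected || []
    end

    # White list wins if one was declared; otherwise fall back to the black list.
    def mass_assignable?(key)
      if accessible_attributes
        accessible_attributes.include?(key)
      else
        !protected_attributes.include?(key)
      end
    end
  end

  def initialize(attrs = {})
    @attributes = {}
    self.attributes = attrs
  end

  # Mass assignment: every key is filtered before anything is written.
  def attributes=(attrs)
    attrs.each do |key, value|
      key = key.to_s
      next unless self.class.mass_assignable?(key)
      @attributes[key] = value
    end
  end

  def [](key)
    @attributes[key.to_s]
  end

  # Direct writer: deliberate code in the application, never request input.
  def []=(key, value)
    @attributes[key.to_s] = value
  end
end

# Black-list model: credit_rating was protected, but the later-added
# admin column was forgotten, so it is open to mass assignment.
class BlacklistedAccount
  include MassAssignment
  attr_protected :credit_rating
end

# White-list model: a new column is never mass-assignable until it is listed.
class WhitelistedAccount
  include MassAssignment
  attr_accessible :name, :nickname
end

# Constructed request parameters, shaped like a form a user has tampered with.
TAMPERED_PARAMS = {
  "name" => "David", "nickname" => "Dave",
  "credit_rating" => "Excellent", "admin" => true
}.freeze

def blacklist_result
  BlacklistedAccount.new(TAMPERED_PARAMS)
end

def whitelist_result
  WhitelistedAccount.new(TAMPERED_PARAMS)
end

if __FILE__ == $0
  b = blacklist_result
  puts "blacklist: credit_rating=#{b[:credit_rating].inspect} admin=#{b[:admin].inspect}"
  w = whitelist_result
  puts "whitelist: credit_rating=#{w[:credit_rating].inspect} admin=#{w[:admin].inspect}"
  w[:credit_rating] = "Average"
  puts "whitelist after direct writer: credit_rating=#{w[:credit_rating].inspect}"
end
```

The black-listed model silently accepts the forgotten admin key, which is exactly the failure mode the original post worries about; the white-listed model drops both unlisted keys and only takes credit_rating through the explicit writer, matching the behaviour in the quoted attr_accessible documentation.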
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.