by mhartl
5251 days ago
Teaching good security practices was one goal of the Ruby on Rails Tutorial (a resource mentioned in the OP). It uses attr_accessible for every model and uses find-through-association (emphasizing the security implications of both), and it most assuredly does not use the /:controller/:action/:id pattern or backticks. It punts image upload over to Gravatar, and recommends Paperclip for those who need custom uploads. Having a PreauthController definitely sounds like a good idea, but it might be a bit obscure for beginning developers. I'll consider it for inclusion as an exercise in one of the chapters covering authorization, or maybe I'll include it in more advanced Rails Tutorial material down the road. Thanks for the tip.
|
I've found a lot of Rails apps over the last couple years that were diligent about having an attr_accessible in every model, but not diligent about what went in the attr_accessible. Following the Rails idiom, they were doing all their attribute assignment through update-style params[:model] model[foo] model[bar] stuff, and attr_accessible "breaks" that.
The Rails tutorial is good (and ambitious) --- just know, this stuff trips up solid, experienced Rails developers all the time.
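The two idioms both comments lean on, attr_accessible and find-through-association, in a small plain-Ruby model. This is an added example, not code from the thread or from the Rails Tutorial; there is no ActiveRecord here, the `Model` base class, the `User`/`SloppyUser`/`Post` types and the `POSTS` rows are all constructed for illustration. It shows the point of the second comment directly: an allowlist only protects the fields you keep off it.

```ruby
# Added example, not code from the thread or from the Rails Tutorial.
# Plain Ruby (no ActiveRecord) modelling two idioms the comments discuss:
# an attr_accessible-style allowlist for mass assignment, and
# find-through-association scoping. All names below are illustrative.

class Model
  # Class-level allowlist, like attr_accessible: only listed keys may be
  # set from a params hash. Nothing is assignable until it is listed.
  def self.attr_accessible(*names)
    @accessible = names.map(&:to_s)
  end

  def self.accessible
    @accessible || []
  end

  attr_reader :rejected

  def initialize(params = {})
    @attributes = {}
    @rejected   = []
    assign(params)
  end

  # Mass assignment from a flat, form-style hash such as params[:user].
  # Keys outside the allowlist are dropped and recorded, never written.
  def assign(params)
    params.each do |key, value|
      key = key.to_s
      if self.class.accessible.include?(key)
        @attributes[key] = value
      else
        @rejected << key
      end
    end
    self
  end

  def [](name)
    @attributes[name.to_s]
  end
end

# Correct use: the privilege flag is deliberately left off the list, so a
# submitted "admin" key is discarded.
class User < Model
  attr_accessible :name, :email
end

# The failure mode from the thread: the model *has* an attr_accessible, but
# admin was added to it (say, to make an internal form work). The allowlist
# is now no protection for that field; auditing what is on the list is the
# actual control.
class SloppyUser < Model
  attr_accessible :name, :email, :admin
end

# A post belongs to a user; constructed sample rows stand in for a table.
Post = Struct.new(:id, :user_id, :title)
POSTS = [
  Post.new(1, 10, "alice's draft"),
  Post.new(2, 11, "bob's draft"),
].freeze

# Global lookup, like Post.find(params[:id]): any id resolves for any caller,
# so authorization has to be checked separately (and is easy to forget).
def find_post(id)
  POSTS.find { |p| p.id == id }
end

# Find-through-association, like current_user.posts.find(params[:id]):
# the lookup is scoped to the caller's own rows, so an id owned by someone
# else resolves to nothing (Rails raises RecordNotFound there, i.e. a 404).
def find_post_for(user_id, id)
  POSTS.find { |p| p.user_id == user_id && p.id == id }
end

if __FILE__ == $PROGRAM_NAME
  submitted = { "name" => "Alice", "email" => "a@example.test", "admin" => true }
  u = User.new(submitted)
  puts "User: admin=#{u['admin'].inspect} rejected=#{u.rejected.inspect}"
  s = SloppyUser.new(submitted)
  puts "SloppyUser: admin=#{s['admin'].inspect}"
  puts "user 10 asking for post 2: #{find_post_for(10, 2).inspect}"
end
```

Run it as a script to see the three cases side by side: the strict model drops `admin` and records it in `rejected` (a useful thing to log), the sloppy model accepts it, and the scoped finder returns nothing for a post the caller does not own.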