by bryanlarsen
5003 days ago
He just linked to an article that explains how to do it safely. Update to reply because of downvotes: 1) butterfly knives are very useful tools 2) mass assignment can be used safely out of the box in Rails post v3.2.3. To use it, you have to explicitly add parameters to the whitelist or disable the whitelist. The article is there to explain why disabling the whitelist is a bad idea.
Edit to reply to edits: Mass assignment is still dangerous "out of the box" since you have to switch on the whitelist behavior by calling attr_accessible on your model classes. In the security guide, the older, more dangerous, attr_protected is introduced first.
I think every Rails dev should be familiar with the security guide, but more than that I wish that security was the default. While anybody is free to make an app as insecure as they wish, it should be the exception rather than the default.
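An added illustration, not code from the thread or from Rails itself: a toy model with no ActiveRecord dependency that reproduces the attr_protected (blacklist) versus attr_accessible (whitelist) semantics discussed above, so the difference between the two can be run stand-alone. The ToyModel helper, the three user classes and the request params are constructed for the example.

```ruby
# Added example (not from the thread or from Rails): a toy stand-in for
# Rails 3.2 mass-assignment protection. attr_protected is a blacklist,
# attr_accessible is a whitelist; with neither declared, every key in the
# request params is assigned.
class ToyModel
  class << self
    attr_reader :blacklist, :whitelist

    # Blacklist style: every attribute NOT listed stays mass-assignable.
    def attr_protected(*names)
      @blacklist = names.map(&:to_s)
    end

    # Whitelist style: ONLY the listed attributes are mass-assignable.
    def attr_accessible(*names)
      @whitelist = names.map(&:to_s)
    end

    def assignable?(key)
      return whitelist.include?(key) if whitelist
      return !blacklist.include?(key) if blacklist
      true # no protection declared: everything in params is assigned
    end
  end

  attr_reader :attributes

  # Mass assignment: copy each params key the class allows, drop the rest.
  def initialize(params = {})
    @attributes = params.each_with_object({}) do |(key, value), acc|
      acc[key.to_s] = value if self.class.assignable?(key.to_s)
    end
  end
end

class UnprotectedUser < ToyModel; end   # neither whitelist nor blacklist

class BlacklistUser < ToyModel          # the older attr_protected style
  attr_protected :admin
end

class WhitelistUser < ToyModel          # the attr_accessible style
  attr_accessible :name, :email
end

# Constructed request params: a client sends keys the form never offered.
# "role" stands in for a privileged column added after the blacklist was
# written, which is exactly the case a blacklist silently misses.
REQUEST_PARAMS = { "name" => "alice", "admin" => true, "role" => "owner" }.freeze
```

Running the three classes against REQUEST_PARAMS shows the blacklist model still accepts "role", while the whitelist model keeps only "name".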