Crazy idea for a rails plugin, I might have been trippin'
Ruby
Switch branches/tags
Nothing to show
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
lib
tasks
test
README
Rakefile
init.rb
install.rb
uninstall.rb

README

ProtectParams
=============

This is a simple rails plugin I hacked together, mainly to see if it was possible but sparked off by one very important thought.

I **love** the convenience of mass-assigning variables in rails.

  @user = User.create params[:user]

It just feels right, but obviously (as in the above example) we're exposing mass assignment of variables to the would-be hacker, which could be used for nefarious purposes.

The usual approach is with the attr_protected method of ActiveRecord.

  class Post < ActiveRecord::Base
    attr_protected :id, :created_at 
  end

For some reason it just never has sat the right way with me, so I chose to experiment with this plugin! If you hook up the model attributes that you want to protect with the **attr\_param\_protected** method.

  class Post < ActiveRecord::Base
    attr\_param\_protected :id, :type
    ...
  end
  
Then all we need to do is add the following line to our controller (it will work if you add it to ApplicationController). If you want to protect a number of models you can do that too.
  
  PostsController < ApplicationController
  
    protect\_params\_for :post
    # or protect\_params\_for :post, :user
    ...
  end

When a request comes in the attributes specified in your model will be stripped from the request parameters (they will show in your logs though!). If you want to join this mad science experiment, let me know how it goes! YMMV :)

  script/plugin install http://svn.davidjrice.co.uk/svn/projects/plugins/protect_params