Trust only the params you actually created inputs for (an experimental/half-assed/untested solution to the unsolved mass assignment problem).
What It Does
Whenever you generate a form with the form_for helper, it registers all the inputs added to the form, encrypts this information and appends it to the form itself.
So it's just like allow_forgery_protection with its
but for the given set of inputs.
Then when the form is submitted the set of trusted inputs/params is extracted and available like this:
Any input/param that wasn't in the original form will be removed.
rails plugin install git://github.com/dolzenko/trusted_params.git
Really DRY, one-stop solution. Set it up and forget about adding attr_accessible in your models. After all, if you added that input to the form, it should be accessible.
Any param that's not added at the time of the request won't get through by default.
All AJAX/API calls would need to submit ugly
along with meaningful params.
To work around this, trusted can be passed the list of params trusted by default:
In such cases trusted params would be merged with :body params when present.
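The mechanism described under "What It Does" and the default-trusted list above, as an added sketch that is not the plugin's own code: the module, method names and demo secret are hypothetical, and AES-256-GCM from Ruby's OpenSSL is an assumption, since the page does not say which cipher the plugin uses.

```ruby
require "openssl"
require "base64"
require "json"

# Hypothetical names throughout; this is not the trusted_params plugin's API.
module TrustedFieldsSketch
  # Assumption: a server-side secret that never reaches the client.
  KEY = OpenSSL::Digest::SHA256.digest("constructed demo secret")

  # Encrypt and authenticate the list of input names rendered into a form.
  def self.seal(field_names)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = KEY
    iv = cipher.random_iv # 12 bytes for GCM
    ct = cipher.update(JSON.generate(field_names.map(&:to_s).sort)) + cipher.final
    Base64.urlsafe_encode64(iv + cipher.auth_tag + ct)
  end

  # Recover the field list; returns nil when the token is missing or tampered with.
  def self.unseal(token)
    raw = Base64.urlsafe_decode64(token.to_s)
    return nil if raw.bytesize < 28 # 12-byte IV + 16-byte tag
    cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    cipher.key = KEY
    cipher.iv = raw[0, 12]
    cipher.auth_tag = raw[12, 16]
    JSON.parse((cipher.update(raw[28..-1]) + cipher.final).force_encoding("UTF-8"))
  rescue ArgumentError, OpenSSL::Cipher::CipherError, JSON::ParserError
    nil
  end

  # Keep only params named in the sealed list, plus any trusted by default.
  def self.trusted(params, token, *defaults)
    allowed = (unseal(token) || []) + defaults.map(&:to_s)
    params.select { |name, _| allowed.include?(name.to_s) }
  end
end

if __FILE__ == $PROGRAM_NAME
  token = TrustedFieldsSketch.seal(%w[title body]) # would be emitted as a hidden input
  posted = { "title" => "Hi", "body" => "text", "admin" => "1" } # constructed request
  p TrustedFieldsSketch.trusted(posted, token) # "admin" is dropped
end
```

A request with no token, or one that fails authentication, keeps only the default-trusted names, which is the AJAX/API case described above.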