Here's how I am hackily doing it right now, just overwriting updateAttributes to filter out items:

```javascript
var User = function () {
  this.defineProperties({
    name: {type: 'string', required: true}, // Should not be able to change
    homepage: {type: 'string'}
  });
};
User.whitelistParams = ['homepage'];
User = model.register('User', User);

// Keep a reference to the original method, then wrap it
User.prototype._updateAttributes = User.prototype.updateAttributes;
User.prototype.updateAttributes = function updateAttributes (attrs) {
  var safeAttrs = {};
  // Copy only the attributes named in the whitelist
  for (var a in attrs) {
    if (User.whitelistParams.indexOf(a) > -1) {
      safeAttrs[a] = attrs[a];
    }
  }
  return this._updateAttributes(safeAttrs);
};
```
If adding support in model itself, maybe User.whitelistParams could be changed to something else, like maybe an option for the property definitions.
```javascript
this.defineProperties({
  name: {type: 'string', required: true},
  homepage: {type: 'string', whitelist: true}
  // If a whitelist item is included in any of the property definitions,
  // then enable whitelisting and only allow `whitelist: true` items
  // to be updated
});
```
This would make it safer to update attributes from arbitrary sources like request parameters without explicit removal of harmful attributes.
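
The per-property opt-in proposed in this issue, sketched as an added example that is not part of the original post and is not code from the model library. The helper names `allowedKeys` and `filterAttrs` are hypothetical, and the request body is constructed sample input.

```javascript
'use strict';

// Hypothetical helpers; the definition shape mirrors the proposal above.
// Returns null when no property opts in, meaning filtering stays disabled.
function allowedKeys(defs) {
  const keys = Object.keys(defs).filter((k) => defs[k] && defs[k].whitelist === true);
  return keys.length > 0 ? new Set(keys) : null;
}

// Splits untrusted attrs into those safe to assign and the names rejected,
// so the caller can log attempts to set attributes that are not allowed.
function filterAttrs(defs, attrs) {
  const allowed = allowedKeys(defs);
  const safe = Object.create(null); // no prototype, so "__proto__" is plain data
  const rejected = [];
  for (const key of Object.keys(attrs || {})) { // own enumerable keys only
    if (allowed === null || allowed.has(key)) {
      safe[key] = attrs[key];
    } else {
      rejected.push(key);
    }
  }
  return { safe, rejected };
}

// Constructed sample: property definitions and a parsed request body that
// tries to change a protected field and to smuggle in extra keys.
const userDefs = {
  name: { type: 'string', required: true },
  homepage: { type: 'string', whitelist: true },
};
const body = JSON.parse(
  '{"homepage":"https://example.org","name":"root","isAdmin":true,"__proto__":{"x":1}}'
);

function demo() {
  return filterAttrs(userDefs, body);
}

console.log(demo());
```

Because filtering only switches on once some property carries `whitelist: true`, a model with no flagged properties still accepts every key, which is the opt-in behaviour the proposal describes.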