Add support for Strong Params #27
Comments
Not actually an issue. Active Record has nothing to do with Strong Params. |
This is still a problem, here is an example:

```ruby
class User < ::ActiveRecord::Base
end

class UsersController < ::ApplicationController
  def update
    @user = User.find(params[:id])
    @user.update_attributes(params[:user]) # raises ActiveModel::ForbiddenAttributesError because params have not been sanitized with strong params
  end
end
```

```ruby
class User < ::ActiveRemote::Base
end

class UsersController < ::ApplicationController
  def update
    @user = User.find(params[:id])
    @user.update_attributes(params[:user]) # does not raise an error, allows mass assignment vulnerability
  end
end
```
|
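The difference between the two controllers above comes down to one guard that Active Record gets from ActiveModel and ActiveRemote did not have. The following is an added illustration, not active_remote code: a self-contained stand-in for `ActionController::Parameters` (`Params`) and for the `ForbiddenAttributesProtection` check, mixed into a hypothetical `User` model, with constructed request parameters carrying an unexpected `:admin` key.

```ruby
# Stand-in for the mechanism Active Record uses to refuse unpermitted params;
# added illustration, not active_remote code. ActiveModel's guard raises when
# the attributes object answers `permitted?` with false; a plain Hash passes.
class ForbiddenAttributesError < StandardError; end

# Stand-in for ActionController::Parameters: unpermitted until `permit` is called.
class Params
  def initialize(hash, permitted: false)
    @hash = hash
    @permitted = permitted
  end
  def permitted?
    @permitted
  end
  # Returns a new, permitted Params holding only the whitelisted keys.
  def permit(*keys)
    Params.new(@hash.select { |k, _| keys.include?(k) }, permitted: true)
  end
  def each(&block)
    @hash.each(&block)
  end
end

# The guard ActiveModel mixes into Active Record models; ARem lacked it.
module ForbiddenAttributesProtection
  def sanitize_for_mass_assignment(attributes)
    if attributes.respond_to?(:permitted?) && !attributes.permitted?
      raise ForbiddenAttributesError, "unpermitted parameters"
    end
    attributes
  end
end

# Hypothetical remote-backed model with the guard included.
class User
  include ForbiddenAttributesProtection
  attr_reader :attributes
  def initialize
    @attributes = {}
  end
  # Mass assignment now goes through the guard before any attribute is set.
  def update_attributes(attrs)
    sanitize_for_mass_assignment(attrs).each { |k, v| @attributes[k] = v }
    self
  end
end

# Constructed request parameters: a client-supplied :admin key next to :name.
RAW_PARAMS = Params.new({ name: "alice", admin: true })
```

Passing `RAW_PARAMS` straight to `update_attributes` raises, while `RAW_PARAMS.permit(:name)` assigns only `:name` and silently drops `:admin`.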
I think we need to include |
Tricky. I'll get something up soon. |
Closing this because the work on v3.0 (#36) covers it. |
Active Record now enforces attribute whitelisting through Strong Params, but ARem doesn't support it. It should.