Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

attr_accessible with no args not effective #343

Closed
balexand opened this issue Nov 6, 2011 · 2 comments
Closed

attr_accessible with no args not effective #343

balexand opened this issue Nov 6, 2011 · 2 comments

Comments

@balexand
Copy link
Contributor

balexand commented Nov 6, 2011

In ActiveRecord, when attr_accessible is called with no args then attributes are filtered using an empty whitelist. MongoMapper is not consistent with this behavior:

class Foo
  include MongoMapper::Document
  attr_accessible

  key :name, String
end

describe Foo do
  # FAIL!
  it "should not mass assign name in constructor" do
    Foo.new(:name => "value").name.should_not == "value"
  end
end

A workaround is to pass an attribute name that doesn't exist:

attr_accessible :no_attributes_accessible
@balexand
Copy link
Contributor Author

balexand commented Nov 6, 2011

For the security of those of us who are developing with MongoMapper but are familiar with ActiveRecord, I think this issue either needs to be fixed (preferible) or a warning should be posted in the docs for attr_accessible. Thanks.

@balexand
Copy link
Contributor Author

balexand commented Nov 7, 2011

Thanks. I really appreciate your hard work.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bkeepers @balexand