You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In ActiveRecord, when attr_accessible is called with no args then attributes are filtered using an empty whitelist. MongoMapper is not consistent with this behavior:
class Foo
include MongoMapper::Document
attr_accessible
key :name, String
end
describe Foo do
# FAIL!
it "should not mass assign name in constructor" do
Foo.new(:name => "value").name.should_not == "value"
end
end
A workaround is to pass an attribute name that doesn't exist:
attr_accessible :no_attributes_accessible
The text was updated successfully, but these errors were encountered:
For the security of those of us who are developing with MongoMapper but are familiar with ActiveRecord, I think this issue either needs to be fixed (preferible) or a warning should be posted in the docs for attr_accessible. Thanks.
In ActiveRecord, when
attr_accessible
is called with no args then attributes are filtered using an empty whitelist. MongoMapper is not consistent with this behavior:A workaround is to pass an attribute name that doesn't exist:
The text was updated successfully, but these errors were encountered: