new applications enforce whitelist mode for mass assignment #4062


@lest

Previous issues: #3453 and #3952. According to the discussion it's OK to enable it in 4.0.

@lest

@josevalim Could you give comments about it? Can it be in 4.0?

@josevalim
Ruby on Rails member

I have asked other Rails Core Teams for feedback. Let's wait. :) /cc @jeremy @dhh @fxn

@lest

Updated the description to include both issues with their discussion.

@jeremy
Ruby on Rails member

Mixed feelings about this. +1 to secure-by-default, but geez, how did we end up here, having to list out accessible attributes for every model?

Seems like a lot of paperwork.

(If we do turn this on by default, the model generator should include attr_accessible too.)
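To make concrete what "whitelist mode" means for a model that declares nothing, here is an added Ruby sketch (not Rails' own code and not part of this PR) that imitates `attr_accessible` and the `whitelist_attributes` flag with a constructed params hash; ActiveRecord is not loaded and the class names are made up.

```ruby
# Added example, not Rails' own code: a stripped-down imitation of ActiveRecord's
# mass-assignment protection, showing what the PR's default changes for a model
# that declares nothing. Class names and the params hash are constructed.
class Model
  @whitelist_attributes = false # stands in for config.active_record.whitelist_attributes
  class << self
    attr_accessor :whitelist_attributes
    # Per-model whitelist: the "paperwork" @jeremy refers to.
    def attr_accessible(*names)
      @accessible = (@accessible || []) + names.map(&:to_s)
    end
    # A model with a declared whitelist protects everything not on it; a model
    # that declared nothing is protected only when whitelist mode is on.
    def attribute_protected?(key)
      return !@accessible.include?(key) if @accessible
      Model.whitelist_attributes
    end
  end
  attr_reader :attributes, :dropped
  def initialize(params = {})
    @attributes, @dropped = {}, []
    assign_attributes(params)
  end
  # Like AR's default sanitizer, protected keys are dropped (Rails logs them);
  # the :strict sanitizer would raise instead.
  def assign_attributes(params)
    params.each do |key, value|
      key = key.to_s
      if self.class.attribute_protected?(key)
        @dropped << key
      else
        @attributes[key] = value
      end
    end
    self
  end
end

class Post < Model; end          # declares nothing: the case the PR changes
class User < Model
  attr_accessible :name, :email  # opted in to a whitelist explicitly
end
# Constructed request params: a form submission carrying an extra privileged key.
PARAMS = { "name" => "alice", "email" => "alice@example.test", "admin" => true }.freeze
def mass_assign(klass, whitelist_attributes:)
  Model.whitelist_attributes = whitelist_attributes
  record = klass.new(PARAMS)
  [record.attributes, record.dropped]
end
```

With the flag off, `Post` accepts every key including `admin`; with it on, `Post` accepts nothing until `attr_accessible` is declared, which is the per-model listing under discussion.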

@alexeymuranov

How about #3157?

@alexeymuranov

I think that during development I would not like to have to whitelist all needed attributes. In fact, I plan to use mass assignment security only in subclasses, not in the base classes that inherit directly from ActiveRecord::Base.

@fxn
Ruby on Rails member

Same feeling as @jeremy: secure by default sounds good, but geez. Not sure I like this as a default. We have SQLite as the default to be able to fire up an application quickly and try stuff. People can opt in... not convinced.

@dhh
Ruby on Rails member
dhh commented Mar 1, 2012

Yeah, I don't like this idea either. -1.

@josevalim josevalim closed this Mar 1, 2012
@xordoquy xordoquy referenced this pull request in tomchristie/django-rest-framework on Jan 5, 2015: "Notes on migrating from DRF 2.4 to 3.0" #2375 (Closed)
