Previous issues: #3453 and #3952. According to the discussion, it's OK to enable it in 4.0.
new applications enforce whitelist mode for mass assignment
@josevalim Could you give comments about it? Can it be in 4.0?
I have asked other Rails Core Teams for feedback. Let's wait. :) /cc @jeremy @dhh @fxn
Updated description to include both issues with discussion
Mixed feelings about this. +1 to secure-by-default, but geez, how did we end up here, having to list out accessible attributes for every model?
Seems like a lot of paperwork.
(If we do turn this on by default, the model generator should include attr_accessible too.)
How about #3157?
I think that during development I would like not to have to whitelist all needed attributes. In fact, I plan to use mass assignment security only in subclasses, not in the base classes that inherit directly from ActiveRecord::Base.
Same feeling as @jeremy: secure by default sounds good, but geez. Not sure I like this as a default. We have SQLite as default to be able to fire up an application quickly and try stuff. People can opt in... not convinced.
Yeah, I don't like this idea either. -1.