new applications enforce whitelist mode for mass assignment #4062

Closed
lest commented Dec 20, 2011

Previous issues: #3453 and #3952; according to the discussion it's ok to enable it in 4.0.

lest commented Dec 21, 2011

@josevalim Could you give comments about it? Can it be in 4.0?

josevalim commented Dec 21, 2011

I have asked other Rails Core Teams for feedback. Let's wait. :) /cc @jeremy @dhh @fxn

lest commented Dec 21, 2011

Updated description to include both issues with discussion

jeremy commented Jan 2, 2012

Mixed feelings about this. +1 to secure-by-default, but geez, how did we end up here, having to list out accessible attributes for every model?

Seems like a lot of paperwork.

(If we do turn this on by default, the model generator should include attr_accessible too.)
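To make concrete what the whitelist mode and the attr_accessible declarations discussed in this thread actually do, here is an added example that is not Rails code and not part of the pull request: a minimal Ruby re-implementation of attr_protected / attr_accessible with a class-level whitelist_attributes switch standing in for the application-wide config.active_record.whitelist_attributes setting, run against constructed request parameters.

```ruby
# Added example, not Rails code: a stripped-down model of the two mass
# assignment modes discussed in this pull request, mimicking the semantics of
# attr_protected / attr_accessible and the whitelist_attributes switch.
class Model
  class << self
    attr_writer :whitelist_attributes   # the switch this PR turns on by default

    def attr_accessible(*names)
      (@accessible ||= []).concat(names.map(&:to_s))
    end

    def attr_protected(*names)
      (@protected ||= []).concat(names.map(&:to_s))
    end

    # Drop every key that may not be mass-assigned and return the remainder.
    def sanitize(params)
      params.reject do |key, _|
        if @accessible                  # whitelist declared: key must be on it
          !@accessible.include?(key.to_s)
        elsif @whitelist_attributes     # whitelist mode, nothing declared: drop all
          true
        else                            # blacklist mode: drop only protected keys
          (@protected || []).include?(key.to_s)
        end
      end
    end
  end

  attr_reader :attributes

  def initialize(params = {})
    @attributes = {}
    self.class.sanitize(params).each { |k, v| @attributes[k.to_s] = v }
  end
end

# Pre-#4062 default: anything not attr_protected is assignable, so a request
# body carrying admin=true lands on the record.
class LegacyUser < Model; end

# Whitelist mode plus the attr_accessible list the generator would have to emit.
class User < Model
  self.whitelist_attributes = true
  attr_accessible :name, :email
end

# Constructed request parameters, including a key the client must not control.
PARAMS = { "name" => "alice", "email" => "a@example.com", "admin" => true }.freeze
```

With whitelist mode on and no attr_accessible list at all, every key is dropped, which is the per-model "paperwork" the comments above are weighing against the safer default.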

alexeymuranov commented Jan 2, 2012

How about #3157?

alexeymuranov commented Feb 14, 2012

I think during development I would like not to have to whitelist all needed attributes. In fact, I plan to use mass assignment security only in subclasses, not in the base classes that inherit directly from ActiveRecord::Base.

fxn commented Feb 14, 2012

Same feeling as @jeremy: secure by default sounds good, but geez. Not sure I like this as a default. We have SQLite as default to be able to fire up an application quickly and try stuff. People can opt in... not convinced.

dhh commented Mar 1, 2012

Yeah, I don't like this idea either. -1.
