new applications enforce whitelist mode for mass assignment #4062


6 participants


Previous issues #3453 and #3952; according to the discussion it's OK to enable it in 4.0.


@josevalim Could you give comments about it? Can it be in 4.0?

Ruby on Rails member

I have asked other Rails Core Teams for feedback. Let's wait. :) /cc @jeremy @dhh @fxn


Updated description to include both issues with discussion

Ruby on Rails member

Mixed feelings about this. +1 to secure-by-default, but geez, how did we end up here, having to list out accessible attributes for every model?

Seems like a lot of paperwork.

(If we do turn this on by default, the model generator should include attr_accessible too.)
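An added illustration of the trade-off being weighed above: it is not Rails code and not from any participant, but a small stand-in model whose `attr_accessible` and `AppConfig.whitelist_attributes` mimic the per-model whitelist and the global `config.active_record.whitelist_attributes` switch this PR would turn on for new apps. `SimpleModel`, `UnprotectedUser`, `ProtectedUser` and the forged params hash are all constructed for the example.

```ruby
# Stand-in for config.active_record.whitelist_attributes (hypothetical name).
module AppConfig
  class << self
    attr_accessor :whitelist_attributes
  end
  self.whitelist_attributes = false # Rails 3.x default: off unless the app opts in
end

# Minimal model mimicking ActiveRecord's attr_accessible whitelist (not AR code).
class SimpleModel
  class << self
    attr_reader :accessible_attributes

    # Declare the attributes a request is allowed to set on this model.
    def attr_accessible(*names)
      @accessible_attributes = (@accessible_attributes || []) + names.map(&:to_s)
    end
  end

  attr_reader :attributes, :rejected

  # Mass assignment: copy a params hash into the record, keeping a list of the
  # keys the protection filtered out (Rails logs these).
  def initialize(params = {})
    @attributes = {}
    @rejected = []
    params.each do |key, value|
      key = key.to_s
      if mass_assignment_permitted?(key)
        @attributes[key] = value
      else
        @rejected << key
      end
    end
  end

  private

  def mass_assignment_permitted?(key)
    allowed = self.class.accessible_attributes
    if allowed
      allowed.include?(key)            # model declared a whitelist: only those keys pass
    else
      !AppConfig.whitelist_attributes  # no whitelist: only safe when global mode is on
    end
  end
end

# Constructed sample: a signup form that also smuggles in a privileged flag.
FORGED_PARAMS = { "name" => "alice", "email" => "alice@example.com", "admin" => true }.freeze

class UnprotectedUser < SimpleModel
end

class ProtectedUser < SimpleModel
  attr_accessible :name, :email   # the "paperwork" jeremy refers to
end

# Build a record under a given global whitelist setting, restoring it afterwards.
def assign_with_whitelist_mode(model_class, mode, params = FORGED_PARAMS)
  previous = AppConfig.whitelist_attributes
  AppConfig.whitelist_attributes = mode
  model_class.new(params)
ensure
  AppConfig.whitelist_attributes = previous
end

if __FILE__ == $0
  [[UnprotectedUser, false], [UnprotectedUser, true], [ProtectedUser, false]].each do |klass, mode|
    record = assign_with_whitelist_mode(klass, mode)
    puts "#{klass} (whitelist mode #{mode}): set=#{record.attributes.keys} rejected=#{record.rejected}"
  end
end
```

With whitelist mode off and no `attr_accessible`, the forged `admin` flag lands on the record; with whitelist mode on, a model that has not listed anything accepts nothing until someone does the paperwork, which is exactly the secure-by-default versus convenience tension in the comments above.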


How about #3157?


I think that during development I would not like to have to whitelist all needed attributes. In fact, I plan to use mass assignment security only in subclasses, not in the base classes that inherit directly from ActiveRecord::Base.

Ruby on Rails member

Same feeling as @jeremy: secure by default sounds good, but geez. Not sure I like this as a default. We have SQLite as default to be able to fire up an application quickly and try stuff. People can opt in... not convinced.

Ruby on Rails member
dhh commented Mar 1, 2012

Yeah, I don't like this idea either. -1.

@josevalim josevalim closed this Mar 1, 2012
@xordoquy xordoquy referenced this pull request in tomchristie/django-rest-framework Jan 5, 2015

Notes on migrating from DRF 2.4 to 3.0 #2375
