That doesn't appear to address this issue. Based on the description, it only addresses visibility issues.

If my user object has a status property, I don't want someone submitting status => "APPROVED" when they are not approved. That is an attribute that should not be "mass assigned". The alternative is to check for the property outside the model every time I get an insecure hash.

On Nov 25, 1:00 am, "Matt Mayers" <[EMAIL PROTECTED]> wrote:
> There's always merb-param-protection
> (http://github.com/wycats/merb/tree/master/merb-param-protection), but
> I don't think it's a perfect solution. I can imagine situations where
> you would want the params to come through, but not have them passed to
> your ORM.
>
> Other than that, I'm not really aware of another solution.
>
> -Matt
>
> On Mon, Nov 24, 2008 at 11:56 AM, Alex <[EMAIL PROTECTED]> wrote:
>
> > There was discussion a while back about adding a way to protect
> > properties from mass assignment, particularly useful when you do
> > something like User.new(params[:user]) in Merb. A spoofed form could
> > set anything in the object. Is there another way to protect against
> > this or has any change been made? It seems this is pretty critical to
> > write any kind of secure web app concisely.
>
> > Old thread (which doesn't accept replies anymore).
>
> >http://groups.google.com/group/datamapper/browse_thread/thread/176187...
>
> --
> Matt Mayers
> [EMAIL PROTECTED]
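
The model-side check asked for in this thread, sketched as an added example that is not part of the original messages and is not DataMapper or Merb API: a plain-Ruby `User` whose bulk setter copies only allowlisted keys. The `MASS_ASSIGNABLE` list, the `rejected` accessor and `approve!` are hypothetical names chosen for illustration.

```ruby
# Added example: a hypothetical plain-Ruby User model, not DataMapper or Merb API.
class User
  # Attributes a request may set in bulk (assumed allowlist for illustration).
  # Kept as strings so untrusted keys are never converted to symbols.
  MASS_ASSIGNABLE = %w[name email].freeze

  attr_accessor :name, :email
  attr_reader :status, :rejected   # no public status= writer

  def initialize(params = {})
    @status   = "PENDING"          # default; changed only by trusted code
    @rejected = []
    self.attributes = params
  end

  # Mass-assignment entry point: copy allowlisted keys, record the rest so
  # the controller can log or refuse the request.
  def attributes=(params)
    params.each do |key, value|
      key = key.to_s
      if MASS_ASSIGNABLE.include?(key)
        public_send("#{key}=", value)
      else
        @rejected << key
      end
    end
  end

  # Explicit path for code that has already checked authorization.
  def approve!
    @status = "APPROVED"
  end
end

# Constructed sample of a spoofed form submission (string and symbol keys).
spoofed = { "name" => "Alex", :email => "alex@example.test", "status" => "APPROVED" }
user = User.new(spoofed)
puts "status=#{user.status} rejected=#{user.rejected.inspect}"
```

Because the filter lives in the model, every caller that passes a request hash gets the same protection, and a non-empty `rejected` list is a useful signal to log.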
