There's always merb-param-protection (http://github.com/wycats/merb/tree/master/merb-param-protection), but I don't think it's a perfect solution. I can imagine situations where you would want the params to come through, but not have them passed to your ORM.
Other than that, I'm not really aware of another solution.

-Matt

On Mon, Nov 24, 2008 at 11:56 AM, Alex <[EMAIL PROTECTED]> wrote:
>
> There was discussion a while back about adding a way to protect
> properties from mass assignment, particularly useful when you do
> something like User.new(params[:user]) in Merb. A spoofed form could
> set anything in the object. Is there another way to protect against
> this or has any change been made? It seems this is pretty critical to
> write any kind of secure web app concisely.
>
> Old thread (which doesn't accept replies anymore).
>
> http://groups.google.com/group/datamapper/browse_thread/thread/176187c63890e172/a69e0b479f477b11

--
Matt Mayers
[EMAIL PROTECTED]
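The concern raised in this thread, as an added example that is not part of the original messages and is not DataMapper or Merb code: a plain-Ruby stand-in model that assigns whatever keys it receives, next to an allowlist applied only at the point where params are handed to the model, so the full params hash stays readable in the controller. The `User` class, the `permit_attributes` helper and the sample params are assumptions made for illustration.

```ruby
# Stand-in for an ORM model (not DataMapper itself): like User.new(params[:user]),
# it assigns every key it is given to the matching writer.
class User
  attr_accessor :name, :email, :admin

  def initialize(attrs = {})
    self.admin = false
    attrs.each do |key, value|
      writer = "#{key}="
      public_send(writer, value) if respond_to?(writer)
    end
  end
end

# Hypothetical helper: keep only allowlisted keys. Form params usually arrive
# with string keys, so keys are normalised before comparison. The original
# params hash is left untouched, so the controller can still read every field.
def permit_attributes(params, allowed)
  allowed = allowed.map(&:to_s)
  rejected = []
  kept = {}
  (params || {}).each do |key, value|
    if allowed.include?(key.to_s)
      kept[key.to_s] = value
    else
      rejected << key.to_s
    end
  end
  [kept, rejected]
end

# Constructed request parameters: a normal signup form plus one spoofed field.
SPOOFED_PARAMS = {
  "user" => { "name" => "alex", "email" => "alex@example.test", "admin" => "1" }
}.freeze

# Mass assignment with no filtering: the spoofed "admin" field reaches the model.
def unprotected_user
  User.new(SPOOFED_PARAMS["user"])
end

# Same params, filtered at the model boundary; rejected keys are logged for review.
def protected_user
  attrs, rejected = permit_attributes(SPOOFED_PARAMS["user"], [:name, :email])
  warn "dropped mass-assignment keys: #{rejected.join(', ')}" unless rejected.empty?
  User.new(attrs)
end
```

Logging the rejected keys rather than silently discarding them gives a signal when a form is submitting fields the application never rendered.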
