Hi Alex,

Although I'm totally aware that this isn't exactly what you are looking for (it's no replacement for protecting mass assignment), it might help you in doing exactly that.

http://github.com/snusnu/dm-is-protectable/tree/master

If anyone finds this useful or encounters any problems, I'm very willing to discuss things, fix bugs, etc ...

cheers
snusnu

On Mon, Nov 24, 2008 at 6:07 PM, Alex Neth <[EMAIL PROTECTED]> wrote:
>
> That doesn't appear to address this issue. Based on the description,
> it only addresses visibility issues.
>
> If my user object has a status property, I don't want someone
> submitting status => "APPROVED" when they are not approved. That is
> an attribute that should not be "mass assigned". The alternative is to
> check for the property outside the model every time I get an insecure
> hash.
>
> On Nov 25, 1:00 am, "Matt Mayers" <[EMAIL PROTECTED]> wrote:
>> There's always merb-param-protection
>> (http://github.com/wycats/merb/tree/master/merb-param-protection), but
>> I don't think it's a perfect solution. I can imagine situations where
>> you would want the params to come through, but not have them passed to
>> your ORM.
>>
>> Other than that, I'm not really aware of another solution.
>>
>> -Matt
>>
>> On Mon, Nov 24, 2008 at 11:56 AM, Alex <[EMAIL PROTECTED]> wrote:
>>
>> > There was discussion a while back about adding a way to protect
>> > properties from mass assignment, particularly useful when you do
>> > something like User.new(params[:user]) in Merb. A spoofed form could
>> > set anything in the object. Is there another way to protect against
>> > this or has any change been made? It seems this is pretty critical to
>> > write any kind of secure web app concisely.
>>
>> > Old thread (which doesn't accept replies anymore).
>>
>> >http://groups.google.com/group/datamapper/browse_thread/thread/176187...
>>
>> --
>> Matt Mayers
>> [EMAIL PROTECTED]
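
The model-level allowlist the thread is asking for, as an added example that is not part of the original messages and is not code from DataMapper, Merb, merb-param-protection or dm-is-protectable. It is plain Ruby; `ProtectedAttributes`, `mass_assignable`, `rejected_attributes` and the `User` class are hypothetical names, and the spoofed hash is constructed.

```ruby
# Added illustration: plain Ruby, no DataMapper or Merb API is used.
# ProtectedAttributes, mass_assignable and User are hypothetical names.
module ProtectedAttributes
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Declare the only attributes an untrusted params hash may set.
    def mass_assignable(*names)
      @mass_assignable = names.map(&:to_s)
    end

    # Default is an empty allowlist: nothing is assignable until declared.
    def mass_assignable_names
      @mass_assignable || []
    end
  end

  # Keys dropped by the last mass assignment, available for logging/alerting.
  attr_reader :rejected_attributes

  def attributes=(params)
    @rejected_attributes = []
    params.each do |key, value|
      if self.class.mass_assignable_names.include?(key.to_s)
        public_send("#{key}=", value)
      else
        @rejected_attributes << key.to_s
      end
    end
  end
end

class User
  include ProtectedAttributes
  attr_accessor :name, :email, :status
  mass_assignable :name, :email # status is deliberately left out

  def initialize(params = {})
    @status = "PENDING"
    self.attributes = params
  end
end

# Constructed sample of a spoofed form submission, as in User.new(params[:user]).
SPOOFED = { "name" => "Alex", "email" => "alex@example.com", "status" => "APPROVED" }

def build_user(params)
  User.new(params)
end
```

Trusted code can still call `user.status = "APPROVED"` explicitly; only assignment from the untrusted hash is filtered.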
