On Tue, May 26, 2009 at 10:30 PM, Matt Jones <[email protected]> wrote:
> One other thought - going back to the original example (admin user can
> mass-assign fields that are normally protected), what about an extra
> parameter to update_attributes (and possibly create)? ie:
>
> @model.update_attributes(params[:whatever],
> [:stuff_non_admins_cant_change])
>
> So essentially a, "no, really, you can mass-assign these attributes
> just this once" parameter. That would still allow regular code to work
> correctly while permitting the context-sensitive stuff you're looking
> for.

Certainly the Hash#except idiom requires you to whitelist (or not-blacklist) sensitive data, because attr_(accessible|protected) are of course applied to whatever sanitized hash you pass. So in particular you can only narrow accessible attributes (or extend protected attributes).

Going the other way around sounds better to me, not sure about the API though. I think it requires the same amount of configuration and exceptions, but looks like a safer default.
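The difference between the Hash#except idiom and the proposed per-call allow-list, as an added Ruby example that is not code from this thread or from Rails: `Model`, `sanitize` and the optional second argument to `update_attributes` are hypothetical stand-ins for the attr_accessible mechanism, used to show that stripping keys before the call can only narrow what is accessible, while the extra parameter widens it for one call only.

```ruby
# Minimal stand-in for Rails 2.x mass-assignment protection (hypothetical,
# not Rails' own code): attr_accessible builds a class-level allow-list and
# everything not on it is dropped before assignment.
class Model
  class << self
    def attr_accessible(*names)
      @accessible = names.map(&:to_sym)
    end

    def accessible
      @accessible || []
    end
  end

  attr_reader :attributes

  def initialize
    # Constructed starting state: every new record is a plain user.
    @attributes = { name: nil, role: "user" }
  end

  # Drop every key not on the accessible list; `also_allowed` is the
  # "no, really, just this once" parameter from the proposal above.
  def sanitize(params, also_allowed = [])
    allowed = self.class.accessible + also_allowed.map(&:to_sym)
    params.each_with_object({}) do |(key, value), clean|
      clean[key.to_sym] = value if allowed.include?(key.to_sym)
    end
  end

  def update_attributes(params, also_allowed = [])
    @attributes.merge!(sanitize(params, also_allowed))
  end
end

class User < Model
  attr_accessible :name   # :role is protected by omission
end

# Constructed request params: a caller trying to grant itself admin.
PARAMS = { "name" => "mallory", "role" => "admin" }.freeze

# Regular path: :role never reaches the record.
def regular_update
  User.new.update_attributes(PARAMS)
end

# Hash#except idiom (written with reject for older Rubies): removing :name
# narrows the update, but cannot make :role assignable.
def except_update
  User.new.update_attributes(PARAMS.reject { |k, _| k == "name" })
end

# Admin controller path using the proposed extra parameter: :role is
# allowed for this one call without changing the class-level default.
def admin_update
  User.new.update_attributes(PARAMS, [:role])
end
```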
