> Seems like this was not just a security vulnerability but intended and
> documented behavior.
It was poorly considered intended behaviour because of the problems
with :allow_destroy. That's not to say we can't come up with something
nicer, but the original patch isn't it.
> What should be done here?
>
> 1. Existing objects must be saved with child_id = # not
> child_attributes = { :id => 3}
> 2. allow id in nested attributes but do not accept other attributes.
The problem with allowing id in the associations is how can we, a
framework, scope it sensibly? In some cases assigning any record is
fine. For example, picking a category for a bug report and triggering
category.find is fine. The other side of the coin is something like
picking a bank account to assign a payment to. Unscoped finders there
would be a huge problem.
> Either way the docs should be updated. (And so must my API docs...)
For now the docs should probably just be updated, and if someone wants
to figure out a way to re-enable a sub-set of this functionality for
3.1, we can experiment and analyse here before we push any releases.
> Patch:
> http://rubyonrails-security.googlegroups.com/attach/e307ee2102f2e4be/3-0-nested_attributes.patch?view=1&part=4
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ruby on Rails: Core" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/rubyonrails-core?hl=en.
>
>
--
Cheers
Koz
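The scoping problem discussed above (an :id accepted through nested attributes feeding an unscoped finder), as an added illustration that is not code from the thread or from Rails: plain Ruby structs stand in for the models, and the BankAccount/Payment/owner_id names and the sample rows are constructed for the example.

```ruby
# Added example, not Rails code: why an :id coming in through nested
# attributes must be looked up through a scoped finder.
# In-memory structs stand in for ActiveRecord models (constructed sample data).

BankAccount = Struct.new(:id, :owner_id)
Payment     = Struct.new(:owner_id, :bank_account)

# Constructed rows: account 1 belongs to alice, account 2 to bob.
ACCOUNTS = [BankAccount.new(1, :alice), BankAccount.new(2, :bob)].freeze

class RecordNotFound < StandardError; end

# Unscoped lookup, the shape of BankAccount.find(id): any existing id is accepted,
# so a request can point a payment at somebody else's account.
def find_unscoped(id)
  ACCOUNTS.find { |a| a.id == id } or raise RecordNotFound, "BankAccount #{id}"
end

# Scoped lookup, the shape of owner.bank_accounts.find(id): only rows that
# belong to the caller are reachable, so foreign ids fail instead of binding.
def find_scoped(owner_id, id)
  ACCOUNTS.find { |a| a.id == id && a.owner_id == owner_id } or
    raise RecordNotFound, "BankAccount #{id} for #{owner_id}"
end

# Nested-attributes style assignment from params such as { "id" => "2" }.
# scoped: false reproduces the behaviour the thread is worried about;
# the default is the mitigated form. Returns the payment for inspection.
def assign_bank_account(payment, attrs, scoped: true)
  id = Integer(attrs.fetch("id"))
  payment.bank_account = scoped ? find_scoped(payment.owner_id, id) : find_unscoped(id)
  payment
end
```

A lookup like the bug-report category in the thread, where any record is acceptable, is the case where the unscoped path is harmless; the bank-account case is where the scoped path is the only safe one.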