Just a guy with an opinion weighing in... I would love to see attr_protected removed. The official Rails Guide on security <http://guides.rubyonrails.org/security.html#countermeasures> calls attr_accessible "A much better way", and I don't think Michael Hartl's popular Ruby on Rails Tutorial <http://ruby.railstutorial.org/> even mentions attr_protected. I think it gives people a false sense of security, especially in a large application where it's easy to forget to update it when new fields are added.
- Pete

On Monday, July 9, 2012 9:38:12 PM UTC-4, Prem Sichanugrist wrote:
>
> I personally think we should deprecate attr_protected, and go with
> whitelisting only (attr_accessible + strong_parameters) route. I think
> it makes more sense from the security standpoint, and all the exploits
> we have seen.
>
> Core teams, wdyt?
>
> - Prem
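
The failure mode raised in this message, a blacklist that is not updated when a field is added, shown as an added example that is not part of the original thread and is not Rails' own code. It is a plain-Ruby model of the two policies; the class name, column names and request body are all constructed for illustration.

```ruby
# Plain-Ruby model of the two filtering policies (constructed for illustration;
# this is not Rails' implementation and needs no gems).
class MassAssignmentFilter
  # mode: :blacklist mimics attr_protected, :whitelist mimics attr_accessible.
  def initialize(mode, names)
    @mode  = mode
    @names = names.map(&:to_s)
  end

  # Returns only the request parameters that mass assignment would accept.
  def sanitize(params)
    params.select do |key, _|
      listed = @names.include?(key.to_s)
      @mode == :whitelist ? listed : !listed
    end
  end

  # Audit helper: which of the table's columns can a request set?
  def exposed(columns)
    sanitize(columns.map { |c| [c, nil] }.to_h).keys
  end
end

# Both lists were written when the table had only these columns (constructed).
COLUMNS_V1 = %w[name email role].freeze
# A later migration adds a sensitive column and nobody touches the model.
COLUMNS_V2 = (COLUMNS_V1 + %w[admin]).freeze

BLACKLIST = MassAssignmentFilter.new(:blacklist, %w[role])
WHITELIST = MassAssignmentFilter.new(:whitelist, %w[name email])

# Constructed request body carrying an extra key for the new column.
REQUEST = { "name" => "Pete", "role" => "owner", "admin" => "1" }.freeze

def demo
  {
    blacklist_accepts: BLACKLIST.sanitize(REQUEST).keys,
    whitelist_accepts: WHITELIST.sanitize(REQUEST).keys,
    blacklist_exposed: BLACKLIST.exposed(COLUMNS_V2),
    whitelist_exposed: WHITELIST.exposed(COLUMNS_V2)
  }
end

puts demo if __FILE__ == $PROGRAM_NAME
```

Running `exposed` against a model's current column list in a test makes a new, unlisted column show up as a diff under the blacklist policy, while the whitelist result stays unchanged until someone deliberately extends it.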
