For the record: I don't mention attr_protected at all in Rails 3 in Action either.
+1 to removing attr_protected.

On Tuesday, 10 July 2012 at 11:57 AM, Peter Brown wrote:
> Just a guy with an opinion weighing in... I would love to see attr_protected
> removed. The official Rails Guide on security
> (http://guides.rubyonrails.org/security.html#countermeasures) calls
> attr_accessible "A much better way", and I don't think Michael Hartl's
> popular Ruby on Rails Tutorial (http://ruby.railstutorial.org/) even mentions
> attr_protected. I think it gives people a false sense of security, especially
> in a large application where it's easy to forget to update it when new fields
> are added.
>
> - Pete
>
> On Monday, July 9, 2012 9:38:12 PM UTC-4, Prem Sichanugrist wrote:
> > I personally think we should deprecate attr_protected, and go with
> > whitelisting only (attr_accessible + strong_parameters) route. I think
> > it makes more sense from the security standpoint, and all the exploits
> > we have seen.
> >
> > Core teams, wdyt?
> >
> > - Prem
> --
> You received this message because you are subscribed to the Google Groups
> "Ruby on Rails: Core" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/rubyonrails-core/-/bX4JiC2P5rMJ.
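
The concern raised in the thread, that a denylist silently stops covering a model once new fields are added, shown as an added illustration that is not part of the thread and is not Rails code. `TinyModel`, its subclasses, the column names and the request parameters are all hypothetical; the filter is a simplified plain-Ruby stand-in for mass assignment.

```ruby
# Simplified stand-in for mass assignment (hypothetical, no Rails needed).
class TinyModel
  class << self
    # Per-class settings: table columns, denylist, allowlist.
    attr_accessor :columns, :protected_attrs, :accessible_attrs
  end

  attr_reader :attributes

  def initialize(params = {})
    @attributes = {}
    filter(params).each { |k, v| @attributes[k] = v }
  end

  private

  # An allowlist, when declared, decides alone; otherwise the denylist applies.
  def filter(params)
    klass = self.class
    known = params.select { |k, _| klass.columns.include?(k) }
    if klass.accessible_attrs
      known.select { |k, _| klass.accessible_attrs.include?(k) }
    else
      known.reject { |k, _| (klass.protected_attrs || []).include?(k) }
    end
  end
end

# Both models were written when the table had name, email and admin.
class DenylistUser < TinyModel          # attr_protected style
  self.columns = %w[name email admin]
  self.protected_attrs = %w[admin]
end

class AllowlistUser < TinyModel         # attr_accessible style
  self.columns = %w[name email admin]
  self.accessible_attrs = %w[name email]
end

# A later migration adds a sensitive column; the model declarations are not revisited.
[DenylistUser, AllowlistUser].each { |m| m.columns += %w[account_balance] }

# Constructed request parameters carrying fields the form never offered.
PARAMS = { "name" => "pat", "admin" => "1", "account_balance" => "1000000" }.freeze

# Returns the attribute names that survived filtering for the given model.
def assigned_keys(model)
  model.new(PARAMS).attributes.keys.sort
end

puts "denylist:  #{assigned_keys(DenylistUser).inspect}"
puts "allowlist: #{assigned_keys(AllowlistUser).inspect}"
```

The denylist model accepts the new column because nothing told it otherwise, while the allowlist model keeps rejecting anything not explicitly named.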
