I'd like to see attr_protected stick around. There are times I'm working with models and I don't want to communicate the 15 fields that can be written to but rather the two fields that can't.
Best.
Mike

On Jul 10, 2012, at 1:45 AM, Ryan Bigg <[email protected]> wrote:

> For the record: I don't mention attr_protected at all in Rails 3 in Action
> either.
>
> +1 to removing attr_protected.
> On Tuesday, 10 July 2012 at 11:57 AM, Peter Brown wrote:
>
>> Just a guy with an opinion weighing in... I would love to see attr_protected
>> removed. The official Rails Guide on security calls attr_accessible "A much
>> better way", and I don't think Michael Hartl's popular Ruby on Rails
>> Tutorial even mentions attr_protected. I think it gives people a false sense
>> of security, especially in a large application where it's easy to forget to
>> update it when new fields are added.
>>
>> - Pete
>>
>> On Monday, July 9, 2012 9:38:12 PM UTC-4, Prem Sichanugrist wrote:
>>>
>>> I personally think we should deprecate attr_protected, and go with
>>> whitelisting only (attr_accessible + strong_parameters) route. I think
>>> it makes more sense from the security standpoint, and all the exploits
>>> we have seen.
>>>
>>> Core teams, wdyt?
>>>
>>> - Prem
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Ruby on Rails: Core" group.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msg/rubyonrails-core/-/bX4JiC2P5rMJ.
>> To post to this group, send email to [email protected].
>> To unsubscribe from this group, send email to
>> [email protected].
>> For more options, visit this group at
>> http://groups.google.com/group/rubyonrails-core?hl=en.
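The failure mode raised in the quoted replies (a field added later without the protection list being updated), shown as an added example that is not part of the thread and is not Rails code: a plain-Ruby model of the two policies. Every class, method and field name below is hypothetical, and the request is constructed.

```ruby
# Plain-Ruby model of the two mass-assignment policies (no Rails required).
# :protected  models attr_protected  (listed fields are blocked, the rest pass).
# :accessible models attr_accessible (listed fields pass, the rest are blocked).
class MassAssignmentFilter
  MODES = %i[protected accessible].freeze

  def initialize(mode:, fields:)
    raise ArgumentError, "unknown mode #{mode.inspect}" unless MODES.include?(mode)
    @mode = mode
    @fields = fields.map(&:to_s)
  end

  # Returns [assignable, rejected] as two hashes.
  def sanitize(params)
    pairs = params.transform_keys(&:to_s).partition { |key, _value|
      @mode == :accessible ? @fields.include?(key) : !@fields.include?(key)
    }
    pairs.map(&:to_h)
  end
end

# Policies as declared when the model had columns: name, email, admin.
DENYLIST  = MassAssignmentFilter.new(mode: :protected,  fields: %w[admin])
ALLOWLIST = MassAssignmentFilter.new(mode: :accessible, fields: %w[name email])

# Constructed request. A later migration added account_id to the model,
# and neither declaration above was updated.
REQUEST = { "name" => "pat", "email" => "pat@example.test",
            "admin" => "1", "account_id" => "42" }.freeze

# Fields the policy would let the request write.
def written_fields(filter, params)
  assignable, _rejected = filter.sanitize(params)
  assignable.keys.sort
end

# Fields written that the form was never meant to expose.
def unexpected_writes(filter, params, intended)
  written_fields(filter, params) - intended
end

if __FILE__ == $PROGRAM_NAME
  intended = %w[name email]
  puts "denylist  writes: #{written_fields(DENYLIST, REQUEST).inspect}"
  puts "allowlist writes: #{written_fields(ALLOWLIST, REQUEST).inspect}"
  puts "denylist  leak:   #{unexpected_writes(DENYLIST, REQUEST, intended).inspect}"
end
```

The stale denylist fails open on the new column, while the stale allowlist fails closed and the new column simply cannot be set until someone lists it.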
