Would be nice to allow redefinition of accessible_attributes via self.accessible_attributes in models.
The problem with attr_accessible is that it is cumulative/additive, but it could be interpreted by the developer as redefinition, and that could lead to nasty security issues. I think that attr_accessible and attr_protected should go the way of set_primary_key and set_table_name (which both got deprecated and changed to self.primary_key= and self.table_name=), such that self.accessible_attributes could be manipulated in a more well-defined way. The following would be equivalent to attr_accessible :name, :status: self.accessible_attributes[:default] += :name, :status The following would be equivalent to attr_protected :name, :status: self.accessible_attributes[:default] -= :name, :status The following would be redefining the whitelist, similar to what can be done with self._accessible_attributes[:default] = :name, :status currently (even if you shouldn't be messing with internals): self.accessible_attributes[:default] = :name, :status It's too bad that += can't be defined on the self.accessible_attributes Hash instance, because it would be nice not to have to specify the role if it is :default. I know mass assignment security is somewhat being taken off of the stove with strong_parameters being integrated, but it's still there. What do you think? -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-core/-/6U8t-gV5O4oJ. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
