Hi,

I was wondering about transparently permitting parameters submitted through 
a (signed) form. I assume many people have already had this idea, so maybe 
there are some caveats which make it a no-go?

The idea of moving mass-assignment protection from the M to the VC is 
great, but the duplication in the views and controllers bothers me. The 
form rendered with a FormBuilder already has all the information about 
which fields are permitted. So why not include a hidden input with the 
field names (and a secure checksum) as part of the form submission?

There probably needs to be a lower-level API to declare a field as 
permitted without rendering it (so that the form can be manipulated on 
the client side with JS), or maybe even conditionally modify the field 
list in the controller, and probably a million other tweaks, but the 
simplest solution should work for most cases. Some controllers handling 
form-less requests (e.g. API requests) would of course still need to 
explicitly whitelist their params.

I'd like to work on it if you guys think that's a good idea.

-- 
Regards,
Olek Janiszewski

-- 
You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Core" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/rubyonrails-core/-/sCVxeJ9DFnkJ.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/rubyonrails-core?hl=en.
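The scheme the post sketches, as an added example written for this page (it is not code from the post, and none of it is a Rails API): the form builder emits a hidden input carrying the permitted field names plus an HMAC, and the controller side verifies the MAC before treating those names as the whitelist. The function names `signed_permitted_fields`, `verify_permitted_fields`, `permit_from_form`, the `_permitted` input name and the `scope` argument are all assumptions made here. The scope is signed together with the field list so that a token minted for one form cannot be replayed against a controller for a different model, which is the main caveat a signed whitelist needs to cover.

```ruby
require 'openssl'
require 'securerandom'

# Constructed for this example; a real app would use its persistent secret.
SECRET = SecureRandom.hex(32).freeze

# Constant-time comparison so the MAC check does not leak timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Value the form builder would put in the hidden input (hypothetical helper).
# The scope (e.g. the model name the form is for) is signed together with the
# sorted field list, so the token only vouches for that list on that form.
def signed_permitted_fields(scope, fields, secret: SECRET)
  payload = "#{scope}:#{fields.map(&:to_s).sort.uniq.join(',')}"
  mac = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  "#{payload}--#{mac}"
end

# Verify the hidden input and return the field names it vouches for.
# Returns nil when the value is missing, malformed, signed for another
# scope, or has been edited after signing.
def verify_permitted_fields(token, scope, secret: SECRET)
  return nil unless token.is_a?(String)
  payload, mac = token.split('--', 2)
  return nil if payload.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  return nil unless secure_equal?(mac, expected)
  token_scope, list = payload.split(':', 2)
  return nil unless token_scope == scope.to_s && list
  list.split(',')
end

# What the controller side would do: keep only the keys the signed list names
# and drop everything else, including the token itself (hypothetical helper).
def permit_from_form(params, scope, token_key: '_permitted')
  allowed = verify_permitted_fields(params[token_key], scope)
  return nil if allowed.nil?
  params.select { |k, _| allowed.include?(k.to_s) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a user form rendered with name and email fields.
  token = signed_permitted_fields('user', %w[name email])
  honest = { 'name' => 'Olek', 'email' => 'olek@example.invalid',
             '_permitted' => token }
  p permit_from_form(honest, 'user')

  # An extra key that the signed list does not name is simply dropped.
  p permit_from_form(honest.merge('admin' => '1'), 'user')

  # Editing the field list without the secret invalidates the MAC.
  forged = token.sub('user:email,name', 'user:admin,email,name')
  p permit_from_form(honest.merge('_permitted' => forged, 'admin' => '1'), 'user')

  # A valid token for the user form is not accepted for a post form.
  p permit_from_form(honest, 'post')
end
```

Field names are sorted before signing so the token does not depend on render order; names containing `:` or `,` would need a proper encoding (JSON, for instance) before this layout is safe to use, and the lower-level "permit without rendering" API the post mentions would simply append to the list before it is signed.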
