On 27 February 2011 04:05, radhames brito <[email protected]> wrote:
> it can be done like this
> http://railscasts.com/episodes/237-dynamic-attr-accessible
I'm viewing http://asciicasts.com/episodes/26-hackers-love-mass-assignment. It says that a hacker can do curl -d "user[name]=hacker&user[admin]=1" http://localhost:3000/Users/ and create an admin user. OK, with attr_accessible he can't do that, but... if he can't create an admin user, he can always create a user: not an admin user, but a user. That is, he can insert values in my database. I can't use attr_accessible for all my model attributes.
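An added illustration of the point under discussion, not code from the thread or from Rails: a plain-Ruby stand-in for a model with an attr_accessible allowlist, fed the exact request body from the post. The `parse_form` helper, the `User` class and its `ACCESSIBLE` list are constructed for this example; they imitate Rack's params parsing and ActiveRecord's mass assignment rather than reuse them.

```ruby
require "uri"

# Turn a curl-style body such as "user[name]=hacker&user[admin]=1" into a
# nested Hash, { "user" => { "name" => "hacker", "admin" => "1" } }, roughly
# what Rack builds for params (constructed helper, not Rack's own code).
def parse_form(body)
  URI.decode_www_form(body).each_with_object({}) do |(key, value), params|
    if key =~ /\A(\w+)\[(\w+)\]\z/
      (params[$1] ||= {})[$2] = value
    else
      params[key] = value
    end
  end
end

# Stand-in for an ActiveRecord model with an attr_accessible allowlist.
class User
  ACCESSIBLE = %w[name email].freeze   # columns the form may set
  attr_reader :name, :email, :admin, :rejected

  def initialize
    @admin = false                     # never an admin by default
    @rejected = []
  end

  # Mass assignment. protect: false writes every key (the vulnerable
  # behaviour); protect: true writes only allowlisted keys and records the
  # rest so the attempt can be logged.
  def assign_attributes(attrs, protect: true)
    attrs.each do |key, value|
      if protect && !ACCESSIBLE.include?(key)
        @rejected << key
        next
      end
      value = (value == "1") if key == "admin"   # cast the boolean column
      instance_variable_set("@#{key}", value)
    end
    self
  end
end

BODY = "user[name]=hacker&user[admin]=1"   # the request from the thread

def create_user(body, protect: true)
  User.new.assign_attributes(parse_form(body)["user"], protect: protect)
end

# A row is created either way: attr_accessible limits which columns a request
# can set, not whether the request may create a record at all.
puts "unprotected admin=#{create_user(BODY, protect: false).admin}"   # true
puts "protected   admin=#{create_user(BODY).admin}"                   # false
```

Whether an anonymous request may create a row at all is an authentication and authorization question for the controller, which an attribute allowlist does not answer.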

