Sometimes you have a table with a bunch of regular data and one single FK
to protect. I don't think forcing users to whitelist that model is a good
idea.
I prefer Rails to provide both options (three if you count declaring
nothing) and leave the judgement of what's appropriate in every situation
I'd like to see attr_protected stick around. There are times I'm working with
models and I don't want to communicate the15 fields that can be written to but
rather the two fields that can't.
Best.
Mike
On Jul 10, 2012, at 1:45 AM, Ryan Bigg radarliste...@gmail.com wrote:
For the record: I
Yeah, Jay. Your solution won't work with inheritance.
By deprecating the attr_protected, you can allow most of the attributes anyway
(but seriously seriously seriously discouraged) by do something like:
attr_accessible columns - [:created_at, :updated_at]
Having attr_accessible and
Prem,
What's the conflict with inheritance?
Cheers,
Jay
On Tue, Jul 10, 2012 at 12:29 PM, Prem Sichanugrist sikand...@gmail.comwrote:
Yeah, Jay. Your solution won't work with inheritance.
By deprecating the attr_protected, you can allow most of the attributes
anyway (but seriously
On Jul 10, 2012, at 12:29 PM, Prem Sichanugrist wrote:
Yeah, Jay. Your solution won't work with inheritance.
By deprecating the attr_protected, you can allow most of the attributes
anyway (but seriously seriously seriously discouraged) by do something like:
attr_accessible columns -
(I posted this as a bug in GitHub
(https://github.com/rails/rails/issues/7018), but then someone there told
me I should post it here, so here it is.)
If you set attr_accessible on some properties in an ActiveRecord-descended
class, and then attr_protected on others - the class becomes
I personally think we should deprecate attr_protected, and go with
whitelisting only (attr_accessible + strong_parameters) route. I think
it make more sense from the security standpoint, and all the exploit
we have seen.
Core teams, wdyt?
- Prem
--
You received this message because you are
Just a guy with an opinion weighing in... I would love to see
attr_protected removed. The official Rails Guide on
securityhttp://guides.rubyonrails.org/security.html#countermeasures calls
attr_accessible A much better way, and I don't think Michael Hartl's
popular Ruby on Rails Tutorial
For the record: I don't mention attr_protected at all in Rails 3 in Action
either.
+1 to removing attr_protected.
On Tuesday, 10 July 2012 at 11:57 AM, Peter Brown wrote:
Just a guy with an opinion weighing in... I would love to see attr_protected
removed. The official Rails Guide on
