| author | Vijay Dev <vijaydev.cse@gmail.com> | 2012-04-12 21:44:11 +0530 |
|---|---|---|
| committer | Vijay Dev <vijaydev.cse@gmail.com> | 2012-04-12 21:44:11 +0530 |
| commit | 8248f4202d67a781bd3da88fc9412bc7264bbb7b (patch) | |
| tree | 15af5b14ae2969780fb1ae74b097ab889e10ad86 /guides | |
| parent | 6cab7602bb53464f625968d233530f6982841629 (diff) | |
| parent | 05ac3921f85663416fe8a4287b05db3284276b24 (diff) | |
| download | rails-8248f4202d67a781bd3da88fc9412bc7264bbb7b.tar.gz rails-8248f4202d67a781bd3da88fc9412bc7264bbb7b.tar.bz2 rails-8248f4202d67a781bd3da88fc9412bc7264bbb7b.zip | |
Merge branch 'master' of github.com:lifo/docrails
Diffstat (limited to 'guides')
| -rw-r--r-- | guides/source/3_2_release_notes.textile | 2 |
| -rw-r--r-- | guides/source/security.textile | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/guides/source/3_2_release_notes.textile b/guides/source/3_2_release_notes.textile index 0f8fea2bf6..3524ea6595 100644 --- a/guides/source/3_2_release_notes.textile +++ b/guides/source/3_2_release_notes.textile @@ -299,7 +299,7 @@ end h5(#actionview_deprecations). Deprecations -* Passing formats or handlers to render :template and friends like <tt>render :template => "foo.html.erb"</tt> is deprecated. Instead, you can provide :handlers and :formats directly as an options: <tt> render :template => "foo", :formats => [:html, :js], :handlers => :erb</tt>. +* Passing formats or handlers to render :template and friends like <tt>render :template => "foo.html.erb"</tt> is deprecated. Instead, you can provide :handlers and :formats directly as options: <tt> render :template => "foo", :formats => [:html, :js], :handlers => :erb</tt>. h4. Sprockets diff --git a/guides/source/security.textile b/guides/source/security.textile index 747a4d6791..c065529cac 100644 --- a/guides/source/security.textile +++ b/guides/source/security.textile 
@@ -385,7 +385,7 @@ params[:user] # => {:name => “ow3ned”, :admin => true} So if you create a new user using mass-assignment, it may be too easy to become an administrator. -Note that this vulnerability is not restricted to database columns. Any setter method, unless explicitly protected, is accessible via the <tt>attributes=</tt> method. In fact, this vulnerability is extended even further with the introduction of nested mass assignment (and nested object forms) in Rails 2.3<plus>. The +accepts_nested_attributes_for+ declaration provides us the ability to extend mass assignment to model associations (+has_many+, +has_one+, +has_and_belongs_to_many+). For example: +Note that this vulnerability is not restricted to database columns. Any setter method, unless explicitly protected, is accessible via the <tt>attributes=</tt> method. In fact, this vulnerability is extended even further with the introduction of nested mass assignment (and nested object forms) in Rails 2.3. The +accepts_nested_attributes_for+ declaration provides us the ability to extend mass assignment to model associations (+has_many+, +has_one+, +has_and_belongs_to_many+). For example: <ruby> class Person < ActiveRecord::Base |
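Review bot: the wording fix in the 3_2_release_notes.textile hunk ("as an options" to "as options") is correct, but since the line is being touched anyway, the stray leading space inside the second `<tt>` tag (`<tt> render :template => "foo", ...`) could be removed in the same change so it matches the first `<tt>render :template => "foo.html.erb"</tt>` on the line.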
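Review bot: dropping `<plus>` from "Rails 2.3<plus>" in the security.textile hunk changes the meaning, not just the markup. Because `+` delimits inline code in this guide (see `+accepts_nested_attributes_for+` and `+has_many+` on the same line), `<plus>` appears to be the escape for a literal plus sign, so the old text rendered as "Rails 2.3+", i.e. 2.3 and later; the new text reads as if nested mass assignment were specific to 2.3 only. Suggest "in Rails 2.3 and later" to keep the original meaning without relying on the escape.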