diff options
| author | Josh Kalderimis <josh.kalderimis@gmail.com> | 2011-04-24 00:54:48 +0200 |
|---|---|---|
| committer | Josh Kalderimis <josh.kalderimis@gmail.com> | 2011-04-24 09:58:12 +0200 |
| commit | f3b9d3aba8cc0ffaca2da1c73c4ba96de2066760 (patch) | |
| tree | d86a4e2e8829d54b5ce53d5965e6433806b72064 /railties/guides/source/security.textile | |
| parent | b3ba36830b7c8154cbe11a3fe4a2b2574b228819 (diff) | |
| download | rails-f3b9d3aba8cc0ffaca2da1c73c4ba96de2066760.tar.gz rails-f3b9d3aba8cc0ffaca2da1c73c4ba96de2066760.tar.bz2 rails-f3b9d3aba8cc0ffaca2da1c73c4ba96de2066760.zip | |
added config.active_record.whitelist_attributes which creates an empty whitelist of attributes available for mass assignment for all models in your app
Diffstat (limited to 'railties/guides/source/security.textile')
| -rw-r--r-- | railties/guides/source/security.textile | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/railties/guides/source/security.textile b/railties/guides/source/security.textile index bf4f11f6b4..f87ffdb20d 100644 --- a/railties/guides/source/security.textile +++ b/railties/guides/source/security.textile @@ -459,13 +459,13 @@ When assigning attributes in Active Record using +new+, +attributes=+, or +updat @user.is_admin # => true </ruby> -A more paranoid technique to protect your whole project would be to enforce that all models whitelist their accessible attributes. This can be easily achieved with a very simple initializer: +A more paranoid technique to protect your whole project would be to enforce that all models define their accessible attributes. This can be easily achieved with a very simple application config option of: <ruby> -ActiveRecord::Base.send(:attr_accessible, nil) +config.active_record.whitelist_attributes = true </ruby> -This will create an empty whitelist of attributes available for mass assignment for all models in your app. As such, your models will need to explicitly whitelist accessible parameters by using an +attr_accessible+ declaration. This technique is best applied at the start of a new project. However, for an existing project with a thorough set of functional tests, it should be straightforward and relatively quick to insert this initializer, run your tests, and expose each attribute (via +attr_accessible+) as dictated by your failing tests. +This will create an empty whitelist of attributes available for mass-assignment for all models in your app. As such, your models will need to explicitly whitelist or blacklist accessible parameters by using an +attr_accessible+ or +attr_protected+ declaration. This technique is best applied at the start of a new project. However, for an existing project with a thorough set of functional tests, it should be straightforward and relatively quick to use this application config option; run your tests, and expose each attribute (via +attr_accessible+ or +attr_protected+) as dictated by your failing tests. h3. User Management |