author | Xavier Noria <fxn@hashref.com> | 2010-08-12 17:36:09 +0200 |
---|---|---|
committer | Xavier Noria <fxn@hashref.com> | 2010-08-12 17:36:09 +0200 |
commit | 4134d7db34506887f5cb945bb4e51c53c5f67ec3 (patch) | |
tree | 161991a34115f2ecd41725ab65af0895b93489ed /railties/guides/source | |
parent | e4943e93c2571cba8630eec2e77000300947866b (diff) | |
parent | 8af2186d26c77f6fcb0787f50941ebe1a2905c5f (diff) | |
Merge remote branch 'docrails/master'
Diffstat (limited to 'railties/guides/source')
-rw-r--r-- | railties/guides/source/association_basics.textile | 2 |
-rw-r--r-- | railties/guides/source/security.textile | 10 |
2 files changed, 6 insertions, 6 deletions
diff --git a/railties/guides/source/association_basics.textile b/railties/guides/source/association_basics.textile index b1ee4b8be4..fd1e7f4baf 100644 --- a/railties/guides/source/association_basics.textile +++ b/railties/guides/source/association_basics.textile @@ -550,7 +550,7 @@ build_customer create_customer </ruby> -h6. _association_(force_reload = false) +h6. <em>association</em>(force_reload = false) The <tt><em>association</em></tt> method returns the associated object, if any. If no associated object is found, it returns +nil+. diff --git a/railties/guides/source/security.textile b/railties/guides/source/security.textile index 8ce0001080..6372c606b7 100644 --- a/railties/guides/source/security.textile +++ b/railties/guides/source/security.textile @@ -371,7 +371,7 @@ The mass-assignment feature may become a problem, as it allows an attacker to se <ruby> def signup - params[:user] #=> {:name => “ow3ned”, :admin => true} + params[:user] # => {:name => “ow3ned”, :admin => true} @user = User.new(params[:user]) end </ruby> @@ -385,7 +385,7 @@ Mass-assignment saves you much work, because you don't have to set each value in This will set the following parameters in the controller: <ruby> -params[:user] #=> {:name => “ow3ned”, :admin => true} +params[:user] # => {:name => “ow3ned”, :admin => true} </ruby> So if you create a new user using mass-assignment, it may be too easy to become an administrator. 
@@ -423,11 +423,11 @@ attr_accessible :name If you want to set a protected attribute, you will to have to assign it individually: <ruby> -params[:user] #=> {:name => "ow3ned", :admin => true} +params[:user] # => {:name => "ow3ned", :admin => true} @user = User.new(params[:user]) -@user.admin #=> false # not mass-assigned +@user.admin # => false # not mass-assigned @user.admin = true -@user.admin #=> true +@user.admin # => true </ruby> A more paranoid technique to protect your whole project would be to enforce that all models whitelist their accessible attributes. This can be easily achieved with a very simple initializer: |
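Review bot: In the association_basics.textile hunk (@@ -550), the h6 heading drops Textile emphasis for raw <em> markup without saying why. Presumably the underscore in force_reload interferes with the _association_ emphasis, but neither the hunk nor the merge message records that. A short note in the commit message would help, and any other h6 headings in this guide that pair _emphasis_ with an underscore-bearing argument should get the same treatment so the headings render consistently.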
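Review bot: In the security.textile hunk at @@ -371, the rewritten comment still carries typographic quotes around ow3ned (“ow3ned”), while the @@ -423 hunk of the same file uses straight quotes ("ow3ned"). Since the line is being touched anyway, switch to straight quotes so the hash shown in the comment is valid Ruby if a reader copies it. The identical line in the @@ -385 hunk needs the same fix.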
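Review bot: In the security.textile hunk at @@ -423, the line "@user.admin # => false # not mass-assigned" now has two spaced comment markers in a row, which makes the result annotation and the remark hard to tell apart. Consider "@user.admin # => false (not mass-assigned)". The context sentence just above the block also reads "you will to have to assign it individually"; "will have to" is meant and could be fixed in the same pass.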