author Xavier Noria <fxn@hashref.com> 2010-08-12 17:36:09 +0200
committer Xavier Noria <fxn@hashref.com> 2010-08-12 17:36:09 +0200
commit 4134d7db34506887f5cb945bb4e51c53c5f67ec3 (patch)
tree 161991a34115f2ecd41725ab65af0895b93489ed /railties/guides/source
parent e4943e93c2571cba8630eec2e77000300947866b (diff)
parent 8af2186d26c77f6fcb0787f50941ebe1a2905c5f (diff)
Merge remote branch 'docrails/master'
Diffstat (limited to 'railties/guides/source')
-rw-r--r-- railties/guides/source/association_basics.textile 2
-rw-r--r-- railties/guides/source/security.textile 10
2 files changed, 6 insertions, 6 deletions
diff --git a/railties/guides/source/association_basics.textile b/railties/guides/source/association_basics.textile
index b1ee4b8be4..fd1e7f4baf 100644
--- a/railties/guides/source/association_basics.textile
+++ b/railties/guides/source/association_basics.textile
@@ -550,7 +550,7 @@ build_customer
create_customer
</ruby>
-h6. _association_(force_reload = false)
+h6. <em>association</em>(force_reload = false)
The <tt><em>association</em></tt> method returns the associated object, if any. If no associated object is found, it returns +nil+.
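Review bot: The reason for moving the `h6.` heading from Textile emphasis (`_association_`) to a raw `<em>` tag is not recorded anywhere visible; the only message is "Merge remote branch 'docrails/master'". Worth stating in the originating docrails commit why the underscore form had to go, and converting any sibling headings in this file that still use `_association_` in the same change, so the method headings render consistently with the `<tt><em>association</em></tt>` form used in the body text.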
diff --git a/railties/guides/source/security.textile b/railties/guides/source/security.textile
index 8ce0001080..6372c606b7 100644
--- a/railties/guides/source/security.textile
+++ b/railties/guides/source/security.textile
@@ -371,7 +371,7 @@ The mass-assignment feature may become a problem, as it allows an attacker to se
<ruby>
def signup
- params[:user] #=> {:name => “ow3ned”, :admin => true}
+ params[:user] # => {:name => “ow3ned”, :admin => true}
@user = User.new(params[:user])
end
</ruby>
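Review bot: The `+` line in `signup` still carries typographic quotes (`“ow3ned”`) inside a `<ruby>` block, so the sample hash is not a valid Ruby string literal if a reader copies it. Since the line is already being touched for the `# =>` spacing, switch it to straight quotes, as the `"ow3ned"` line in the last security.textile hunk already has. The same applies to the `params[:user]` line in the following hunk.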
@@ -385,7 +385,7 @@ Mass-assignment saves you much work, because you don't have to set each value in
This will set the following parameters in the controller:
<ruby>
-params[:user] #=> {:name => “ow3ned”, :admin => true}
+params[:user] # => {:name => “ow3ned”, :admin => true}
</ruby>
So if you create a new user using mass-assignment, it may be too easy to become an administrator.
@@ -423,11 +423,11 @@ attr_accessible :name
If you want to set a protected attribute, you will to have to assign it individually:
<ruby>
-params[:user] #=> {:name => "ow3ned", :admin => true}
+params[:user] # => {:name => "ow3ned", :admin => true}
@user = User.new(params[:user])
-@user.admin #=> false # not mass-assigned
+@user.admin # => false # not mass-assigned
@user.admin = true
-@user.admin #=> true
+@user.admin # => true
</ruby>
A more paranoid technique to protect your whole project would be to enforce that all models whitelist their accessible attributes. This can be easily achieved with a very simple initializer:
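Review bot: On the `+@user.admin # => false # not mass-assigned` line the result marker and the explanation are two stacked comments, which reads as if `# not mass-assigned` were part of the returned value; consider `# => false (not mass-assigned)` or moving the explanation to its own comment line above. While this block is being edited, the context sentence introducing it also has a typo worth fixing in the same pass: "you will to have to assign it individually" should read "you will have to assign it individually".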