author: Francesco Rodriguez <lrodriguezsanc@gmail.com> 2012-12-07 19:31:14 -0500
committer: Francesco Rodriguez <lrodriguezsanc@gmail.com> 2012-12-07 19:31:14 -0500
commit: a3c29b70a9ec6696e76ba5a6e5ef856d31b3a427 (patch)
tree: 92871486c940712e65f77e33f4604e4ef54e81a1 /railties
parent: 69163ccae6a49c89e1a62ac94b98222651dd5aa8 (diff)
use :only instead of :except callback option in the controller template
As the [Security Guide](http://edgeguides.rubyonrails.org/security.html#whitelists-versus-blacklists) says, it's better to use `before_filter only: []` instead of `except: []` so we don't forget to turn the filter off for newly added actions.
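The allow-list versus deny-list behaviour the commit message refers to, as an added illustration that is not code from Rails or from this commit: a tiny stand-in for `before_action` with the `only:`/`except:` option semantics. `MiniController`, `PostActions`, `RECORDS` and the `archived` action are constructed for the example; they show that an action added after scaffolding still triggers the record loader under the old `except:` form (and fails without an id), while the `only:` form leaves it alone.

```ruby
# Added illustration, not code from the Rails commit: a minimal stand-in for
# ActionController's before_action dispatch with the Rails :only/:except
# option semantics, used to show what happens to an action added later.
class MiniController
  def self.filters
    @filters ||= []   # per-class, so each controller keeps its own list
  end
  # :only   => the callback runs just for the listed actions
  # :except => the callback runs for every action NOT listed
  def self.before_action(name, only: nil, except: nil)
    filters << { name: name, only: only, except: except }
  end
  def self.applies?(filter, action)
    return filter[:only].include?(action) if filter[:only]
    return !filter[:except].include?(action) if filter[:except]
    true
  end
  def initialize(params = {})
    @params = params
  end
  # Run the applicable callbacks, then the action itself.
  def process(action)
    self.class.filters.each { |f| send(f[:name]) if self.class.applies?(f, action) }
    send(action)
  end
end

class RecordNotFound < StandardError; end
RECORDS = { 1 => "first post" }.freeze  # constructed stand-in for Post.find

# Hypothetical actions shared by both controllers below.
module PostActions
  def set_post
    @post = RECORDS[@params[:id]] or raise RecordNotFound, "id=#{@params[:id].inspect}"
  end
  def index;    :index_ok;    end
  def show;     @post;        end
  def archived; :archived_ok; end  # collection action added after scaffolding
end

class ExceptPostsController < MiniController  # old template: deny-list
  include PostActions
  before_action :set_post, except: [:index, :new, :create]
end

class OnlyPostsController < MiniController    # new template: allow-list
  include PostActions
  before_action :set_post, only: [:show, :edit, :update, :destroy]
end
```

With the old template, `ExceptPostsController.new.process(:archived)` raises `RecordNotFound` because the loader runs for any action not on the list; with the new template the same call returns `:archived_ok` and the member actions still load their record.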
Diffstat (limited to 'railties')
-rw-r--r-- railties/lib/rails/generators/rails/scaffold_controller/templates/controller.rb | 5
1 files changed, 2 insertions, 3 deletions
diff --git a/railties/lib/rails/generators/rails/scaffold_controller/templates/controller.rb b/railties/lib/rails/generators/rails/scaffold_controller/templates/controller.rb
index 5fc4ab8f6c..24d97db407 100644
--- a/railties/lib/rails/generators/rails/scaffold_controller/templates/controller.rb
+++ b/railties/lib/rails/generators/rails/scaffold_controller/templates/controller.rb
@@ -4,8 +4,8 @@ require_dependency "<%= namespaced_file_path %>/application_controller"
<% end -%>
<% module_namespacing do -%>
class <%= controller_class_name %>Controller < ApplicationController
- before_action :set_<%= singular_table_name %>, except: [ :index, :new, :create ]
-
+ before_action :set_<%= singular_table_name %>, only: [ :show, :edit, :update, :destroy ]
+
# GET <%= route_url %>
# GET <%= route_url %>.json
def index
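Review bot: the removed and re-added empty line right after the `before_action` line is a whitespace-only change (most likely trailing whitespace on that blank line); fine to keep, but the commit title only covers the option switch, so it deserves a mention. On the substance, `only: [ :show, :edit, :update, :destroy ]` is the right shape for `set_<%= singular_table_name %>`: it is a record loader rather than an authorization check, and only those four member actions carry an id, so a collection action added to the generated controller later no longer runs a lookup that would fail on a missing id. That rationale is stronger than the "forget to turn the filter off" wording in the message and would be worth stating in the template's callback comment.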
@@ -82,7 +82,6 @@ class <%= controller_class_name %>Controller < ApplicationController
end
end
-
private
# Use callbacks to share common setup or constraints between actions.
def set_<%= singular_table_name %>
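Review bot: this hunk only drops the blank line between the last action's `end` and `private`; it is unrelated to the `only:`/`except:` change in the title and alters the layout of every generated scaffold controller, so either split it into its own commit or call it out in the message. Since the callback now lists its actions explicitly, the comment `# Use callbacks to share common setup or constraints between actions.` is also the natural place for a one-line reminder that new member actions must be added to the `only:` list.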