From e1dbcdcacf62d13914c9e7ec71f0f7319ad32b4a Mon Sep 17 00:00:00 2001 From: Vijay Dev Date: Wed, 1 Feb 2012 22:22:51 +0530 Subject: fixes the plus sign properly [ci skip] --- railties/guides/source/security.textile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/railties/guides/source/security.textile b/railties/guides/source/security.textile index 360af6c986..b1a09c0c05 100644 --- a/railties/guides/source/security.textile +++ b/railties/guides/source/security.textile @@ -385,7 +385,7 @@ params[:user] # => {:name => “ow3ned”, :admin => true} So if you create a new user using mass-assignment, it may be too easy to become an administrator. -Note that this vulnerability is not restricted to database columns. Any setter method, unless explicitly protected, is accessible via the attributes= method. In fact, this vulnerability is extended even further with the introduction of nested mass assignment (and nested object forms) in Rails 2.3==+==. The +accepts_nested_attributes_for+ declaration provides us the ability to extend mass assignment to model associations (+has_many+, +has_one+, +has_and_belongs_to_many+). For example: +Note that this vulnerability is not restricted to database columns. Any setter method, unless explicitly protected, is accessible via the attributes= method. In fact, this vulnerability is extended even further with the introduction of nested mass assignment (and nested object forms) in Rails 2.3. The +accepts_nested_attributes_for+ declaration provides us the ability to extend mass assignment to model associations (+has_many+, +has_one+, +has_and_belongs_to_many+). For example: class Person < ActiveRecord::Base -- cgit v1.2.3