From a3c29b70a9ec6696e76ba5a6e5ef856d31b3a427 Mon Sep 17 00:00:00 2001
From: Francesco Rodriguez
Date: Fri, 7 Dec 2012 19:31:14 -0500
Subject: use :only instead of :except callback option in the controller template

As [Security Guide](http://edgeguides.rubyonrails.org/security.html#whitelists-versus-blacklists) says, it's better to use `before_filter only: []` instead of `except: []` so we don't forget to turn the filter off for newly added actions.
---
 .../generators/rails/scaffold_controller/templates/controller.rb | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
(limited to 'railties')
diff --git a/railties/lib/rails/generators/rails/scaffold_controller/templates/controller.rb b/railties/lib/rails/generators/rails/scaffold_controller/templates/controller.rb
index 5fc4ab8f6c..24d97db407 100644
--- a/railties/lib/rails/generators/rails/scaffold_controller/templates/controller.rb
+++ b/railties/lib/rails/generators/rails/scaffold_controller/templates/controller.rb
@@ -4,8 +4,8 @@ require_dependency "<%= namespaced_file_path %>/application_controller"
 <% end -%>
 <% module_namespacing do -%>
 class <%= controller_class_name %>Controller < ApplicationController
- before_action :set_<%= singular_table_name %>, except: [ :index, :new, :create ]
-
+ before_action :set_<%= singular_table_name %>, only: [ :show, :edit, :update, :destroy ]
+
 # GET <%= route_url %>
 # GET <%= route_url %>.json
 def index
@@ -82,7 +82,6 @@ class <%= controller_class_name %>Controller < ApplicationController
 end
 end
-
 private
 # Use callbacks to share common setup or constraints between actions.
 def set_<%= singular_table_name %>
--
cgit v1.2.3
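Review bot: The `only:` list on the added `before_action :set_<%= singular_table_name %>` line is fine for a record loader, but the generated controller is a pattern people copy, and the same shape on an authentication or authorization callback fails open: an action added later runs without the check until someone lists it. A short comment above the callback would keep the two cases apart, for example `# Loads the record for member actions only; access-control callbacks should use except: so new actions are covered by default.` The second added line appears to be whitespace-only (it replaces an empty line), so the generator would copy trailing whitespace into every scaffolded controller; an empty line would avoid that. The class body continues outside the hunk.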