Channel: something learned comments on Best Practices: a strong case for attr_accessible part 2

"Best Practices: a strong case for attr_accessible part 2" by trevor

This is a followup of part 1, which you should read before continuing here. So… are the requirements satisfied? No. It’s possible for any user to delete a project that they don’t actually own. More...




"Best Practices: a strong case for attr_accessible part 2": comment by David...

Whoa... scary. A patch to implicitly set collection attributes to attr_protected would cover a lot of the bases though...


"Best Practices: a strong case for attr_accessible part 2": comment by Andrew...

darn... right idea, wrong way of fixing it. Maybe I'll upgrade myself to Rails Novice :)


"Best Practices: a strong case for attr_accessible part 2": comment by tender

i think it's actually a strong case for not being stupid. if you know that update_attributes works as intended (which it does) and you are working with sensitive data (which i take you do) and your app...


"Best Practices: a strong case for attr_accessible part 2": comment by David...

You're wrong tender. Trevor's example was arbitrary, and certainly not a cover all. Being able to arbitrarily update an object's collection ids (or worse, its 'belongs_to') via update_attributes (which...



"Best Practices: a strong case for attr_accessible part 2": comment by trevor

David - actually it's pretty cool that I stumped you given how much quality rails code I know you have under your belt. And it's also why I disagree with you. Something will come along in the future...


"Best Practices: a strong case for attr_accessible part 2": comment by tender

david, i don't really want to argue on right or wrong here.. since i don't know how the rails people intended update_attributes to function. if they intended it to only work on "non collection" data...


"Best Practices: a strong case for attr_accessible part 2": comment by trevor

tender - okay, so you don't use update_attributes. Do you use new(params[:user]) or model.attributes = params[:user] sort of thing?



"Best Practices: a strong case for attr_accessible part 2": comment by tender

trevor, at the moment, no. and i think this thing is a non issue, really. i can imagine an application where arbitrary users can assign arbitrary projects to themselves and then delete them. not an...



"Best Practices: a strong case for attr_accessible part 2": comment by trevor

tender, that you don't do mass-assignment from request parameters explains a lot about your attitude here (otherwise I'd have to question whether you actually understood the code I presented). From...
