How I can set 'attr_accessible' in order to NOT allow access to ANY of the fields FOR a model using Ruby on Rails?
If in a model file I have just this code:
class Users < ActiveRecord::Base
end
what this means? All attributes related to the model are acce
-
I prefer to be more explicit in the denial for one model:
class Users < ActiveRecord::Base attr_accessible nil endThe result is the same as
attr_accessiblewith no params, but makes your intent more clear. This will reduce the likelihood that a future programmer (e.g. yourself!) will delete the line...or start adding fields to attr_accessible.This appeases Brakeman and other vulnerability-sniffing tools.
讨论(0) -
Beginning with Rails 3.1, the following configuration option is available to disable mass-assignment by default for all models until you explicitly call attr_accessible or attr_protected:
config.active_record.whitelist_attributes = trueSee http://edgeguides.rubyonrails.org/security.html#mass-assignment and https://github.com/rails/rails/commit/f3b9d3aba8cc0ffaca2da1c73c4ba96de2066760
讨论(0) -
By default the attributes are all attr_accessible (which means they can be set my mass-assignment).
- attr_accessible - only this list of attributes can be set by mass-assignment (white-listing).
- attr_protected - these attributes cannot be set by mass-assignment (black-listing).
- attr_readonly - these attributes cannot be set except for when the record is created.
To disable mass-assignment entirely, use something like this:
ActiveRecord::Base.send(:attr_accessible, nil)
This command will disable mass-assignment for all active record objects, but you can specify one or more models to perform this command on if you want mass-assignment in some cases but not in others.
讨论(0) -
Just set:
class Users < ActiveRecord::Base attr_accessible #none endLike Pan Thomakos said (attr_accessible is the array of parameters that can be mass-ret. So if you send in no symbols, then no parameters will be accessible.
This ticket was useful
讨论(0)
加载中...
- 热议问题