Message from discussion Consider re-implementing ProtectedAttributeAssignmentError
From: "Michael Koziarski" <mich...@koziarski.com>
Date: Mon, 4 Aug 2008 15:08:36 +0200
Local: Mon, Aug 4 2008 9:08 am
Subject: Re: [Rails-core] Consider re-implementing ProtectedAttributeAssignmentError

On Thu, Jul 31, 2008 at 6:12 PM, Trevor Turk <trevort...@gmail.com> wrote:

> A gotcha that has bitten me quite a few times - when you try to mass-
> assign a protected attribute, it fails "silently" (but appears in the
> debug log). There is some useful discussion about this subject here:

> http://dev.rubyonrails.org/ticket/9966

> But I thought this worth bringing up after seeing this commit:

> http://github.com/rails/rails/commit/108db00aa90fe266564483ab301cf066...

> Perhaps this protected attribute assignment error is worth revisiting
> with the addition of the extremely handy rescue_from additions that
> have made their way into core?

> http://github.com/rails/rails/commit/90c930f45c5c6766306929241462ffff...

> Of course, I'm getting better about remembering to add attributes via
> attr_accessible after being bitten by this one a few times, but
> perhaps others have been confounded by this gotcha as well?

The silent dropping of values bugs me, but in this case I think the
cure is worse than the disease.  When we had it enabled previously all
of my exception trackers were spammed with dozens of random junk
coming from adventurous users or broken spam bots.

The current behaviour doesn't have any security related downsides, and
it's just being slightly Postel-friendly in the way it behaves.

We could add a hook to make it easier for plugins to handle this
situation, but at present I think it's just a little too annoying for
enabling it by default.

--
Cheers

Koz
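
The trade-off discussed in this message, as an added example that is not part of the original post and is not Rails code: a plain-Ruby allow-list filter that drops protected keys with a debug log line by default and exposes an optional hook so a plugin can opt into raising. The `Account` class, `ProtectedAttributeError`, the `on_protected` parameter, the log wording and the sample parameters are all hypothetical.

```ruby
require "logger"
require "stringio"

class ProtectedAttributeError < StandardError; end

# Hypothetical model with an allow-list in the spirit of attr_accessible.
class Account
  ACCESSIBLE = %w[name email].freeze
  attr_reader :attributes

  # on_protected: optional callable(record, rejected_keys), the plugin hook.
  def initialize(logger:, on_protected: nil)
    @attributes = { "admin" => false }
    @logger = logger
    @on_protected = on_protected
  end

  # Mass assignment: report protected keys first, then copy only allowed ones.
  # Returns the rejected keys so callers and tests can inspect them.
  def assign(params)
    rejected = params.keys.map(&:to_s) - ACCESSIBLE
    unless rejected.empty?
      @logger.debug("dropped protected attributes: #{rejected.join(', ')}")
      @on_protected&.call(self, rejected) # a strict hook raises before any write
    end
    params.each { |k, v| @attributes[k.to_s] = v if ACCESSIBLE.include?(k.to_s) }
    rejected
  end
end

# Constructed request parameters: one legitimate field, one injected field.
SAMPLE_PARAMS = { "name" => "alice", "admin" => true }.freeze

# Default policy: the injected key is dropped and only the log records it.
def demo_silent
  log = StringIO.new
  account = Account.new(logger: Logger.new(log))
  rejected = account.assign(SAMPLE_PARAMS)
  [account.attributes, rejected, log.string]
end

# Opt-in strict policy: a hook turns the same input into an exception.
def demo_strict
  strict = ->(_record, keys) { raise ProtectedAttributeError, keys.join(", ") }
  Account.new(logger: Logger.new(StringIO.new), on_protected: strict).assign(SAMPLE_PARAMS)
rescue ProtectedAttributeError => e
  e.message
end
```

With the strict hook installed, every request carrying an unexpected key raises, which is the exception-tracker noise the message describes when untrusted clients send arbitrary parameters.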

