Consider re-implementing ProtectedAttributeAssignmentError - Ruby on Rails: Core

Message from discussion Consider re-implementing ProtectedAttributeAssignmentEr ror
MIME-Version: 1.0
Date: Fri, 1 Aug 2008 06:02:42 -0700 (PDT)
In-Reply-To: <328dea06-d844-4f92-8672-5e2ba2a4c486@f36g2000hsa.googlegroups.com>
References: <328dea06-d844-4f92-8672-5e2ba2a4c486@f36g2000hsa.googlegroups.com>
User-Agent: G2/1.0
Message-ID: <91246527-2e05-4875-aef6-699ed818b40f@r66g2000hsg.googlegroups.com>
Subject: Re: Consider re-implementing ProtectedAttributeAssignmentError
From: Chris Cruft <c...@hapgoods.com>
To: "Ruby on Rails: Core" <rubyonrails-core@googlegroups.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

I like the idea of assignment to a protected attribute being an
exception.  I kinda grok the link to ARes, but it seems that the
change in AR is overly "practical" and doesn't pass the sniff test:
assigning to a protected attribute looks like an exception, it can be
severe (security-wise) and it used to be an exception.

On Jul 31, 12:12=A0pm, Trevor Turk <trevort...@gmail.com> wrote:
> A gotcha that has bitten me quite a few times - when you try to mass-
> assign a protected attribute, it fails "silently" (but appears in the
> debug log). There is some useful discussion about this subject here:
>
> http://dev.rubyonrails.org/ticket/9966
>
> But I thought this worth bringing up after seeing this commit:
>
> http://github.com/rails/rails/commit/108db00aa90fe266564483ab301cf066...
>
> Perhaps this protected attribute assignment error is worth revisiting
> with the addition of the extremely handy rescue_from additions that
> have made their way into core?
>
> http://github.com/rails/rails/commit/90c930f45c5c6766306929241462ffff...
>
> Of course, I'm getting better about remembering to add attributes via
> attr_accessible after being bitten by this one a few times, but
> perhaps others have been confounded by this gotcha as well?
>
> Thanks,