>
> Mr. Cheung,
> Thank you so much for your reply and hopefully this will help others
> using 'restful_authentication'. This line is automatically inserted
> into the USER model;
>
> attr_accessible :login, :email, :password, :password_confirmation
>
> If anyone is trying to embellish their user model with the ability for
> the user to EDIT or run a migration to load records, they will receive
> this message.
>
> Can't mass-assign these protected attributes: field1, field2, etc
>
> Would you just remove this line altogether?
> Thank you,
> Kathleen
>
The attr_accessible is there for a reason, to protect the application from malicious inputs.
You might want to watch:
http://railscasts.com/episodes/26
Before you remove it all together. To summarize: Without attr_accessible there, a knowledgeable user can give themselves ownership of user resources or admin privileges.
You might want to instead add the appropriate properties to the attr_accessible.
Regards,
Jon
Generally, you should not be building records in your migrations. What
are you trying to do here?
Best,
--
Marnen Laibow-Koser
http://www.marnen.org
mar...@marnen.org
I have found a solution to this problem!!!! (solution is geared for the
newest version of rails etc, as of mid May 2012)
If you are simply doing early stage development stuff, you do not need
the extra feature which blocks mass assignment. The thing is, github was
hacked by some dude (whitehat or black I'm not sure) but anyway, the
hacker basically did it by changing the code a little bit in order to
pass some values (boolean values indicating he was an admin or
something) that weren't meant to be passed.
ANYWAY, Here's how I fixed mine (bear in mind this is a security hole
but you can deal with it later, to be honest. Nobody wants to hack me
that's for damned sure, at least not yet)------ - Go to
/config/application.rb - Scroll down towards the end where you'll find
{config.active_record.whitelist_attributes = true) - Set it to false
(this is like turning off a firewall I guess)
That's it! This is the simple solution for early coding. You'll have to
deal with this later as it is a pretty glaring security hole. But for
now, just shut the damn thing off. Ruby is great and all, but coding is
hard enough as it is. Good luck!
Oh yeah, in order to activate the changes (just to make sure
essentially), I did a {rake db:migrate VERSION=0} to reset everything.
Then a simple {rake db:migrate} to set make sure the new changes were in
place. I'm not sure if this is entirely necessary but it won't do any
harm as long as your migration files are in good shape.
partial credit goes to railscasts.com for this one, but not entirely. I
didn't expect this to work.
--
Posted via http://www.ruby-forum.com/.
--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonra...@googlegroups.com.
To unsubscribe from this group, send email to rubyonrails-ta...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.