Automatically permit params submitted via a FormBuilder'd form
46 views
Skip to first unread message
Olek Janiszewski
Jan 17, 2013, 7:03:06 AM1/17/13
to rubyonra...@googlegroups.com
Hi,
I was wondering about transparently permitting parameters submitted through a (signed) form. I assume many people have already had this idea, so maybe there are some caveats which make it a no-go?
The idea of moving mass-assignment protection from the M to the VC is great, but the duplication in the views and controllers bothers me. The form rendered with a FormBuilder already has all the information, which fields are permitted. So why not include a hidden input with the field names (and a secure checksum) as part of the form submission?
There probably needs to be a lower-level API to declare a field as permitted without rendering it (so that the form can be manipulated on client side with JS), or maybe even conditionally modify the field list in the controller, and probably a million other tweaks, but the simplest solution should work for most cases. Some controllers handling form-less requests (e.g. API requests) would of course still need to explicitly whitelist their params.
I'd like to work on it if you guys think that's a good idea.
--
Regards,
Olek Janiszewski
Rafael Mendonça França
Jan 17, 2013, 7:39:04 AM1/17/13
to rubyonra...@googlegroups.com
Yehuda Katz started an implementation of this feature and found some problems with cached forms. We end up to not implement this for Rails 4.
Maybe he can give more information about the problems.
--Regards,Olek Janiszewski--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-core/-/sCVxeJ9DFnkJ.
To post to this group, send email to rubyonra...@googlegroups.com.
To unsubscribe from this group, send email to rubyonrails-co...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
Olek Janiszewski
Jan 17, 2013, 11:21:46 AM1/17/13
to rubyonra...@googlegroups.com
> Yehuda Katz started an implementation of this feature and found some problems with cached forms. We end up to not implement this for Rails 4.
> Maybe he can give more information about the problems.
> Maybe he can give more information about the problems.
Thanks Rafael. I'm curious about the problems that Yehuda ran into. I've been thinking about caching as well, but I can't think of a situation where it may be a problem - after all, the fields list and the checksum should be a function of the form inputs and the server-side secret, not cookies, the session or anything else request-specific. What am I missing?
Regards,
Olek Janiszewski
Reply all
Reply to author
Forward
0 new messages