Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

You can still use attr_accessible in the controller-layer.

    class AccountsController < ApplicationController
      include ActiveModel::MassAssignmentSecurity

      attr_accessible :first_name, :last_name
      ...
http://api.rubyonrails.org/classes/ActiveModel/MassAssignmen... explicitly states: Note that using Hash#except or Hash#slice in place of attr_accessible to sanitize attributes won’t provide sufficient protection.

I agree with you, though. Model-level attr_accessible, if nothing else, is flatly annoying. I feel inconvenienced by a measure that's supposed to protect against malicious users. And I feel like the terrorists have already won. I'm no MVC guru, but it makes sense to me that the Controller would deal with what amounts to the params that are on their way to the model. Why should the model have to worry about mass assignment?



`except` is a bad idea because it's a black-list, but what's wrong with using `slice` as a white-list?

(Anyway, I just grepped our code and there is only ONE usage of slice in a controller anyway, the rest are explicit, non-mass assignments)




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: