I have the following Mongoid document definition/class:

class Exercise
  include Mongoid::Document
  field :name, :type => String
  field :description, :type => String

  belongs_to :group

  validates_presence_of :name, :description
end

I then have the following controller and save method:

class ExercisesController < ApplicationController
  respond_to :json

  def create
    @exercise = Exercise.create(params[:exercise])
    @exercise.save!
    respond_with @exercise
  end
end

This seems wrong to me and open to mass assignment problems.

How do people normally protect against this and would using the strong parameters gem be a good idea?

ronalchn
dagda1

2 Answers


Yes, you should use the strong_parameters gem; it will be the default mass-assignment protection in Rails 4.

m4tm4t

You can use attr_accessible as 'standard' protection. This of course still has the disadvantage that you expose a lot of fields to the interface, whereas you might want to expose only a few, but need to expose those fields in other controllers.

markijbema