
I am converting my application to rails 4 from rails 3

In Rails 4 attr_accessible is not allowed; for that one needs to add strong parameters, but somewhere I read that one can use the protected_attributes gem so that you do not need to change the attr_accessible code to strong_parameters.

My question is: is using protected_attributes a nice idea in Rails 4 instead of using strong_parameters?

I need advice.

Any thought is welcome.

urjit on rails

1 Answer

I believe protected_attributes just allows you to add attr_accessible and attr_protected in your models.

Timeline of events

  1. An issue about it was posted discussing the problem with attr_accessible: Mass assignment vulnerability - how to force dev. define attr_accesible?

  2. The author of the issue in #2 hacked github to show the vulnerability. User Hacks GitHub to Showcase Vulnerability After Rails Developers Dismiss His Report

  3. Attr_accessible became secure by default unless otherwise defined in the model.

  4. Rails 4 came with Strong Parameters which included the security option in your controller versus attr_accessible being handled in the model.

  5. Strong Parameters is secure by default meaning you’ll have to make a conscious choice about which attributes to allow for mass updating and thus prevent accidentally exposing that which shouldn’t be exposed.

During the era of defining mass assignment within your model using attr_accessible you could have defined it in the controller using a slice. This would look like:

class UsersController < ApplicationController
  def create
    @user = User.create(user_params)
  end

  private

  # Whitelist in the controller by slicing the raw params hash: only the
  # listed keys are passed on to the model for mass assignment.
  def user_params
    params[:user].slice(:name, :email, :hometown)
  end
end

Slicing the params was not an easy task if you use nested attributes. You would need to slice parameters in all places where you update them in the controller. - Reference: Why slicing the params hash poses a security issue on mass-assignment?

Strong Parameters states that their approach is an extraction of the slice pattern. Then they state: "The whole point of the controller is to control the flow between user and application, including authentication, authorization, and as part of that access control." - Reference: Strong parameters: Dealing with mass assignment in the controller instead of the model

Daniel
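As an added example that is not from the answer, from Rails or from the protected_attributes gem: a plain-Ruby sketch of the difference the answer describes between the slice pattern and a strong-parameters style whitelist. It uses a hand-written permit that imitates (but is not) ActionController::Parameters#permit, a plain User class standing in for a model, and constructed request bodies with a forged admin flag.

```ruby
# A plain Ruby stand-in for an ActiveRecord model (not a Rails class).
class User
  attr_accessor :name, :email, :hometown, :admin
  # Mass assignment: every key in the hash becomes a setter call, which is
  # why handing a model an unfiltered params hash is dangerous.
  def initialize(attrs = {})
    @admin = false
    attrs.each { |key, value| public_send("#{key}=", value) }
  end
end

# Hand-written imitation of ActionController::Parameters#permit (not the real
# one). `spec` is a list such as [:name, { address: [:city] }]; keys absent
# from it are dropped and nested hashes are filtered recursively.
def permit(params, spec)
  params.each_with_object({}) do |(key, value), out|
    sym = key.to_sym
    nested = spec.find { |s| s.is_a?(Hash) && s.key?(sym) }
    if spec.include?(sym)
      out[key] = value
    elsif nested && value.is_a?(Hash)
      out[key] = permit(value, nested[sym])
    end
  end
end

# Constructed request bodies: a flat one carrying a forged `admin` flag, and
# a nested one where the forged flag hides inside `address`.
FORGED_FLAT = { "name" => "alice", "email" => "a@example.com",
                "hometown" => "Oslo", "admin" => true }.freeze
FORGED_NESTED = { "name" => "bob",
                  "address" => { "city" => "Bergen", "admin" => true } }.freeze

# No filtering: the forged flag reaches the model.
def unfiltered_user(params)
  User.new(params)
end

# Strong-parameters style: only the whitelisted keys reach the model.
def permitted_user(params)
  User.new(permit(params, [:name, :email, :hometown]))
end

# The slice pattern from the answer copies a nested hash wholesale, so the
# forged key inside `address` survives; permit with a nested spec drops it.
def slice_nested(params)
  params.slice("name", "address")
end
def permit_nested(params)
  permit(params, [:name, { address: [:city] }])
end
```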