How to fix the Rails mass assignment issue?

Question

After the big news yesterday, I've been trying to find a solid article about how to fix this issue with regard to different versions of Rails, and I'm unable to do so.

The best resource that I have found so far is https://gist.github.com/1978249#file_securing_rails_updates.md, but it only provides one solution: adding ActiveRecord::Base.send(:attr_accessible, nil) to the initializer. This is also the solution presented here at http://railspikes.com/2008/9/22/is-your-rails-application-safe-from-mass-assignment at a much earlier time.

However, at the same time, I remember seeing at another place that just turn on the configuration: config.active_record.whitelist_attributes = true should be suffice.

I am thoroughly confused, from all these different resources, I'm in need to decide between two solutions that doesn't have any reference to which versions of Rails they apply to.

Perhaps I had missed a generic article on the fix after the incident, but I had not found a single article on the rails blog that shows this. I was not able to find it elsewhere, could someone please enlighten me on this. Thanks!

Answer 1

I found this in the gist https://gist.github.com/1978249

Add the following initializer:

config/initializers/disable_mass_assignment.rb

ActiveRecord::Base.send(:attr_accessible, nil)

Looks like a temporary fix to me until rails core comes up with something better !!