Dipak Panchal

Reputation: 6036

Mass assignment is not restricted using attr_accessible

I am getting "Mass assignment is not restricted using attr_accessible".

How can I fix this?

Upvotes: 2

Views: 1864

Answers (1)

tejasbubane

Reputation: 942

In a default rails-3.x application you will see the following lines in your config/application.rb file:

# Enforce whitelist mode for mass assignment.
# This will create an empty whitelist of attributes available for mass-assignment for all models
# in your app. As such, your models will need to explicitly whitelist or blacklist accessible
# parameters by using an attr_accessible or attr_protected declaration.
# config.active_record.whitelist_attributes = true

By default Rails allows you to assign any hash to model attributes.

This is not a bug in Rails. It's just a bit of functionality that makes it quite easy to stab yourself in the face.

One way is to comment the above line, which will force you to explicitly whitelist or blacklist the attributes of every model. The second way is to use attr_accessible or attr_protected directly in the models and restrict mass assignment. (I usually go with the second.)

More details here: http://happybearsoftware.com/how-i-avoid-the-rails-mass-assignment-security-mistake.html

Upvotes: 1
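
The whitelisting described in the answer above, as an added example that is not part of the original post and is not Rails' own code: a plain-Ruby stand-in that mimics `attr_accessible` so it runs without Rails. The `MiniModel`, `OpenUser` and `SafeUser` classes and the sample parameters are hypothetical.

```ruby
# Plain-Ruby stand-in for the Rails 3 behaviour discussed above. It does not
# load Rails; MiniModel is a hypothetical class written for this example.
class MiniModel
  class << self
    # Mimics attr_accessible: records which attributes may be mass-assigned.
    def attr_accessible(*names)
      @accessible = names.map(&:to_s)
    end

    # nil means no whitelist was declared, so every attribute is assignable.
    def accessible
      @accessible
    end
  end

  attr_reader :rejected

  def initialize(params = {})
    @rejected = []
    assign_attributes(params)
  end

  # Mass assignment: copy each key of the hash onto the object, skipping
  # (and recording) keys that are not on the whitelist when one exists.
  def assign_attributes(params)
    allowed = self.class.accessible
    params.each do |key, value|
      key = key.to_s
      if allowed.nil? || allowed.include?(key)
        public_send("#{key}=", value)
      else
        @rejected << key
      end
    end
    self
  end
end

class OpenUser < MiniModel           # no whitelist declared
  attr_accessor :name, :email, :admin
end

class SafeUser < MiniModel           # only name and email are assignable
  attr_accessor :name, :email, :admin
  attr_accessible :name, :email
end

# Constructed request parameters: form fields plus one the form never offered.
PARAMS = { "name" => "alice", "email" => "alice@example.test", "admin" => true }.freeze
```

Building both models from `PARAMS` shows the difference: `OpenUser.new(PARAMS).admin` is `true`, while `SafeUser.new(PARAMS)` leaves `admin` unset and lists it in `rejected`.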
