Reputation: 5687
Mass Assignment issue in rails
I was going through this article below. http://tutorials.jumpstartlab.com/projects/blogger.html#i2:-adding-comments
Below is the code where we create a new Comment object and associate with corresponding article.
@comment = Comment.new
@comment.article_id = @article.id
Can anyone explain me what the author is trying to say below. Can anyone show me how to do otherwise without the security thing for better understanding.
Due to the Rails’ mass-assignment protection, the
article_idattribute of the newCommentobject needs to be manually assigned with theidof theArticle.
Upvotes: 0
Views: 90
Answers (1)
Reputation: 44725
The article you were reading was referring to rails 3. Rails 3 doesn't use strong parameters like Rails 4 and instead uses attr_accessible with a list of attributes which are permitted to be mass assigned.
Mass assignment in ruby is everything where you use a hash to set multiple variables at once in methods like new, create or assign_attributes. Quite often it is not a good idea to allow mass assignment of foreign keys.
In summary, author meant that those two lines cannot be written as:
@comment = Comment.new(article_id: @article.id)
since article_id is not listed in attr_accessible and it will raise Mass Assignment security exception.
Upvotes: 2
Related Questions
- Mass Assignment Vulnerability
- I am able to mass assign a variable in rails 4
- mass-assignment issues in Rails 4
- Mass Assignment Issue Rails 3
- Rails mass assignment issue
- Mass Assignment Rails 4
- Ruby on Rails - Mass assignment issue
- Mass assignment in rails3.1
- Getting Mass Assignment warning but don't know why
- How to handle mass assignment in this case