config.active_record.whitelist_attributes = false in Rails 4.2 App

Question

Our rails 4.2 app consists of several rails engines with or without gem 'protected_attributes'. What we find out is that in app's application.rb, it has to be:

config.active_record.whitelist_attributes = false

Otherwise, any create/update can not be carried out because the params can not be assigned to instance variable. Our question is that, if there is no gem protected_attributes in rails app, do we still need config.active_record.whitelist_attributes = false in application.rb? Is this for Rails 3.x or app with gem protected_attributes?

Answer 1

This comes from the protected_attributes gem.

When whitelist_attributes = true it causes attr_accessible(nil) to be added by default for all models meaning you ca not mass assign any attributes for any models unless it has its own attr_accessible or attr_protected

This can be seen in an older version of the README.md

As of version 1.1.2 this is now depreciated and does nothing other than log a depreciation warning

So if you are on a Rails 4+ application and do not have the protected_attributes gem then you can safely remove it

Answer 2

I've looked through several rails 4 apps I have, none of them contained that config, and when I googled the config name, the protected_attributes gem came in the results, so I think you could assume that it's only related to the protected_attributes gem and that you don't need it