Even if you haven't heard of mass assignment, it already exists in your first Rails-generated scaffold code.
    def create
      @comment = Comment.new(params[:comment])
      ..
    end

    def update
      ..
      @comment.update_attributes(params[:comment])
      ..
    end
Why is knowing about mass assignment important?
By default, mass assignment opens up an undesirable security hole by allowing web clients to update any attributes they pass in, including attributes like
For details, you can read:
Mass assignment methods
There are a few ActiveRecord methods that accept mass assignment:
Using any of these methods means you are now responsible for the safety of the web application.
To use mass assignment safely, we want to specify exactly which attributes are allowed to be updated.
attr_accessible on every model
attr_accessible defines a white-list of attributes
that can be updated during mass assignment.
    class Comment < ActiveRecord::Base
      attr_accessible :title, :content
    end
You may set the white-list default to empty. This forces you to define the white-list explicitly on a model before mass assignment can be used.
    # config/initializer/enforce_attr_accessible.rb
    ActiveRecord::Base.send(:attr_accessible, nil)
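To see the difference between an unprotected model, a model with attr_accessible, and the empty default set on a base class, here is an added, self-contained example that is not code from the original post and does not use ActiveRecord: the small Model class, the OpenComment, SafeComment, EnforcedBase and ForgetfulComment classes, and the TAMPERED_PARAMS hash are all constructed here to mimic the relevant behaviour (new(hash) and update_attributes(hash) copying parameters into the record, attr_accessible restricting which keys are honoured).

```ruby
# Constructed, dependency-free illustration of mass assignment and an
# attr_accessible-style white-list. The Model class below is NOT ActiveRecord;
# it only mimics the behaviour under discussion: new(hash) and
# update_attributes(hash) copy request parameters into the record, and
# attr_accessible restricts which keys are honoured.

class Model
  # Class-level white-list, looked up through the superclass chain so that a
  # default set on a base class applies to every subclass that does not
  # declare its own list. nil means "no white-list configured at all".
  def self.attr_accessible(*names)
    @accessible = names.compact.map(&:to_sym)
  end

  def self.accessible_attributes
    return @accessible unless @accessible.nil?
    superclass.respond_to?(:accessible_attributes) ? superclass.accessible_attributes : nil
  end

  def initialize(attrs = {})
    @attributes = {}
    assign(attrs)
  end

  def update_attributes(attrs)
    assign(attrs)
    self
  end

  def [](name)
    @attributes[name.to_sym]
  end

  private

  # Mass assignment: every key in the hash becomes an attribute unless a
  # white-list exists and excludes it (Rails logs a warning and drops such keys).
  def assign(attrs)
    allowed = self.class.accessible_attributes
    attrs.each do |key, value|
      key = key.to_sym
      next unless allowed.nil? || allowed.include?(key)
      @attributes[key] = value
    end
  end
end

# No white-list: the scaffold-style default, every parameter is honoured.
class OpenComment < Model
end

# Explicit white-list, as in the Comment model above.
class SafeComment < Model
  attr_accessible :title, :content
end

# Empty default on a base class (the initializer trick), with a subclass that
# forgot to declare its own list: nothing can be mass-assigned into it.
class EnforcedBase < Model
  attr_accessible nil
end

class ForgetfulComment < EnforcedBase
end

# Constructed request parameters: the client adds "approved", a field the
# comment form never exposed.
TAMPERED_PARAMS = { "title" => "hi", "content" => "hello", "approved" => true }.freeze

def open_result
  OpenComment.new(TAMPERED_PARAMS)[:approved]          # => true
end

def safe_result
  c = SafeComment.new(TAMPERED_PARAMS)
  [c[:title], c[:approved]]                            # => ["hi", nil]
end

def update_result
  c = SafeComment.new("title" => "old")
  c.update_attributes(TAMPERED_PARAMS)
  [c[:title], c[:approved]]                            # => ["hi", nil]
end

def enforced_result
  c = ForgetfulComment.new(TAMPERED_PARAMS)
  [c[:title], c[:approved]]                            # => [nil, nil]
end
```

open_result shows the hole: the unprotected model accepts the extra "approved" key. safe_result and update_result show the white-list dropping it on both the create and update paths while still honouring the listed attributes. enforced_result shows why the empty default is useful: a model that forgets attr_accessible cannot be mass-assigned at all, which surfaces the omission during development instead of leaving the model open.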