Forum: Ruby on Rails Mass-assignment notification with whitelist_attributes set to true

Ilya Katz (Guest)
on 2013-01-07 23:03
(Received via mailing list)
I just wanted to get everyone's opinion on this before attempting a pull
request.

When mass-assignment is disallowed by default with

config.active_record.whitelist_attributes = true

Two things happen

1. A message is logged "WARNING: Can't mass-assign protected attributes:
blah" (which is the case even if whitelist_attributes is not set to true)
2. Mass assignment is not allowed without explicit declaration but there
is no error, the same application fails to save/update a model that
produces some other error which isn't easily apparent as to why it
happened

I found it useful for my development to make 2 changes

1. Update log message to be more explicit such as  "WARNING: Can't
mass-assign *in SomeModel* protected attributes: blah"
2. Throw an exception - this would only make sense if whitelist_attributes
is set to true

Any opinion if this would be a good suggestion for the rails feature
request, specifically #2?

Thanks
Frederick Cheung (Guest)
on 2013-01-07 23:13
(Received via mailing list)
On Jan 7, 5:43pm, Ilya Katz <ilyak...@gmail.com> wrote:

> I found it useful for my development to make 2 changes
>
> 1. Update log message to be more explicit such as "WARNING: Can't
> mass-assign *in SomeModel* protected attributes: blah"
> 2. Throw an exception - this would only make sense if whitelist_attributes
> is set to true
>
> Any opinion if this would be a good suggestion for the rails feature
> request, specifically #2?
>

#2 already exists:

config.active_record.mass_assignment_sanitizer = :strict

will turn on exception raising. A better error message wouldn't hurt
though.

Fred
Ilya Katz (Guest)
on 2013-01-08 15:51
(Received via mailing list)
Thanks Fred

Looks like the strict sanitizer option is only available in 3.2 (I'm on 3.1
for now).
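
The two behaviours discussed in this thread, as an added plain-Ruby sketch that is not part of the original posts and is not Rails code: a logging sanitizer drops non-whitelisted attributes and the failure only surfaces later as an unrelated validation error, while a strict one raises at the assignment. The class names, the `Account` model, the sample parameters and the model name in the message (the wording proposed in the first post) are assumptions for illustration.

```ruby
# Plain-Ruby model of the thread's two behaviours; no Rails needed.
# Every class name is hypothetical; this is not ActiveModel's code.
require 'logger'
require 'stringio'
class ProtectedAttributesError < StandardError; end

# Default behaviour described in the thread: warn, then drop the keys.
class LoggerSanitizer
  def initialize(logger = nil); @logger = logger; end
  def sanitize(model, attrs, allowed)
    rejected = attrs.keys - allowed
    # The message names the model, as proposed in the first post.
    msg = "Can't mass-assign in #{model} protected attributes: #{rejected.join(', ')}"
    handle(msg) unless rejected.empty?
    attrs.reject { |key, _| rejected.include?(key) }
  end
  def handle(msg); @logger.warn(msg); end
end

# Strict behaviour: fail at the assignment instead of logging.
class StrictSanitizer < LoggerSanitizer
  def handle(msg); raise ProtectedAttributesError, msg; end
end

class Account
  ALLOWED = %w[name].freeze # stands in for attr_accessible :name
  attr_reader :name, :email, :admin
  def initialize(params, sanitizer)
    safe = sanitizer.sanitize(self.class.name, params, ALLOWED)
    safe.each { |key, value| instance_variable_set("@#{key}", value) }
  end
  def errors # stands in for a presence validation on email
    email.nil? ? ["Email can't be blank"] : []
  end
end

PARAMS = { 'name' => 'ilya', 'email' => 'ilya@example.test', 'admin' => true }.freeze # constructed

def run_logger_mode
  log = StringIO.new
  account = Account.new(PARAMS, LoggerSanitizer.new(Logger.new(log)))
  [account.errors, account.admin, log.string]
end

def run_strict_mode
  Account.new(PARAMS, StrictSanitizer.new) && nil
rescue ProtectedAttributesError => e
  e.message
end
```

In logger mode the only visible symptom is the "Email can't be blank" error, with the cause recorded only in the log; in strict mode the exception names the model and the rejected attributes at the point of assignment.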