I'm getting "Mass assignment is not restricted using attr_accessible".
How do I fix this?
Answer 0: (score: 1)
In a default rails-3.x application you will see the following lines in the config/application.rb file:

    # Enforce whitelist mode for mass assignment.
    # This will create an empty whitelist of attributes available for mass-assignment for all models
    # in your app. As such, your models will need to explicitly whitelist or blacklist accessible
    # parameters by using an attr_accessible or attr_protected declaration.
    # config.active_record.whitelist_attributes = true

By default, Rails lets you assign any hash to a model's attributes.
This is not a bug in rails. It's just a bit of functionality that makes it quite easy to stab yourself in the face.
One way is to uncomment the line above, which will force you to explicitly whitelist or blacklist the attributes of every model. The second way is to use attr_accessible or attr_protected directly in the model and restrict mass assignment there. (I usually go with the second.)
More details here: http://happybearsoftware.com/how-i-avoid-the-rails-mass-assignment-security-mistake.html
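As an added illustration (not from the answer above and not Rails' own code), the following is a small stand-in for ActiveRecord's attr_accessible / attr_protected semantics: it shows why a model with no restriction lets request params set any column, including an admin flag the form never exposes, and how a whitelist drops such keys. Model, LegacyProfile, User, TAMPERED_PARAMS and signup are all constructed names for this example.

```ruby
class Model
  def self.attr_accessible(*names)
    @accessible = names.map(&:to_s)
  end

  def self.attr_protected(*names)
    @protected = names.map(&:to_s)
  end

  # Like config.active_record.whitelist_attributes = true: a model that
  # declares neither list accepts nothing via mass assignment.
  def self.allowed?(name)
    return @accessible.include?(name) if @accessible
    return !@protected.include?(name) if @protected
    false
  end

  def initialize
    @attributes = {}
  end

  # Mass assignment: attributes failing the class-level check are dropped.
  def assign_attributes(params)
    params.each { |k, v| @attributes[k.to_s] = v if self.class.allowed?(k.to_s) }
    self
  end

  def [](name)
    @attributes[name.to_s]
  end
end

# Unrestricted model: the state the warning is about, every column is settable.
class LegacyProfile < Model
  def self.allowed?(_name)
    true
  end
end

# Hardened model: only the fields a signup form should set.
class User < Model
  attr_accessible :name, :email
end

# Constructed request hash carrying a field the signup form does not expose.
TAMPERED_PARAMS = { "name" => "mallory", "email" => "m@example.com", "admin" => true }.freeze

def signup(model_class = User, params = TAMPERED_PARAMS)
  model_class.new.assign_attributes(params)
end
```

With the whitelist in place signup["admin"] is nil, while signup(LegacyProfile)["admin"] is true; the real attr_accessible behaves the same way and additionally logs the dropped keys.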