-
-
Save haikusw/1975696 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| class PostsController < ActionController::Base | |
| def create | |
| Post.create(post_params) | |
| end | |
| def update | |
| Post.find(params[:id]).update_attributes!(post_params) | |
| end | |
| private | |
| def post_params | |
| params[:post].slice(:title, :content) | |
| end | |
| end |
"Good suggestion from @nk:. Mark params as tainted and have create/update_attributes bark if not untainted via #slice and friends." -dhh
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
"Here's the basic pattern we've been using at 37signals to guard against mass-assignment bugs. The right place to guard against these issues is in the controller, not the model. AR's attr_accessible is the wrong way about it." - dhh