Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

attr-accessible can be damaging, is not always necessary. #60

Merged
merged 2 commits into from
Nov 23, 2012
Merged

attr-accessible can be damaging, is not always necessary. #60

merged 2 commits into from
Nov 23, 2012

Conversation

graemeworthy
Copy link
Contributor

Problem:

changes in the attr accessable patch from fabn/attr-accessible-patch
cause a problem on any model which does not already have attr_accessible set
and as a result triggers the "Can't mass-assign protected attributes"

commit where problem was introduced:

md5: d8c24c0

Test for problem:

The example included here in a test shows that adding attr_accessible to a model that
does not currently have mass assignment protection enabled, triggers mass_assignment
protection.

Solution:

I understand that this patch was inteded as a workaround, so as to add 'position'
to the list of available mass assignable attributes of the model,

The problem that required the offending patch is addressable in another manner:
it is not necessary to use 'update_attributes!' to set one known attribute.
instead, i have altered this to use update_attribute, as it doesn't trigger mass_assignment protection.
update_attribute only updates one attribute at a time, therefore avoiding 'mass' assignment.

that being said, it may still be desirable to add 'position' (or it's configured alternate)
to the list of mass_assignable attributes, but only if there is already such a list,

this patch performs a check to see if here is already a whitelist, and if so, adds itself to it.

@graemeworthy
Problem:
b4cbda4 
changes in the attr accessable patch from fabn/attr-accessible-patch
cause a problem on any model which does not already have attr_accessible set
and as a result triggers the "Can't mass-assign protected attributes"

commit where problem was introduced:
md5: d8c24c0

test for problem:
The example included here in a test shows that adding attr_accessible to a model that
does not currently have mass assignment protection enabled, triggers mass_assignment
protection.

Solution:
I understand that this patch was inteded as a workaround, so as to add 'position'
to the list of available mass assignable attributes of the model,

The problem that required the offending patch is addressable in another manner:
it is not necessary to use 'update_attributes!' to set one known attribute.
instead, i have altered this to use update_attribute, as it doesn't trigger mass_assignment protection.
update_attribute only updates one attribute at a time, therefore avoiding 'mass' assignment.

-
that being said, it may still be desirable to add 'position' (or it's configured alternate)
to the list of mass_assignable attributes, but only if there is already such a list,

this patch performs a check to see if here is already a whitelist, and if so, adds itself to it.
@swanandp
Copy link
Contributor

There was a recent pull request, which addressed the same issue. It wrapped the column update in a separate method, which will then use the []= method. Can you check if it works for you?

@graemeworthy
Incorporates changes made by vesan
7f4678f 
Vesan's idea of consolodating position changes into one method was a good one.
https://github.com/vesan/acts_as_list/tree/mass-assignment-protection-fix
And it successfully avoids mass assignment problems.

I have incorporated his work into my solution to a similar problem.
My fork has the additional advantage of:
- adding 'position_column' to the list of assignable attributes if there is such a list.
- having a regression test against accidentally triggering the same error again.
@graemeworthy
Copy link
Contributor Author

I have incorporated the changes made by vesan in the recent pull request #56.
Using direct assignment does indeed avoid triggering mass assignment.

in issue #50 people were complaining that :position was not set accessible

I don't want to make it accessible and I didn't have to in the past. Could you add support for non accessible position > like there use to be?

My changeset here also includes a test to ensure that attr_accessible is not arbitrarily set.
And provides a mechanism for adding position_column to the attr_accessible list were there to be one.

@swanandp
Copy link
Contributor

Looks good, thanks!

swanandp added a commit that referenced this pull request Nov 23, 2012
@swanandp
Merge pull request #60 from graemeworthy/master
094b39c 
attr-accessible can be damaging, is not always necessary.
@swanandp swanandp merged commit 094b39c into brendon:master Nov 23, 2012
@swanandp swanandp mentioned this pull request Nov 23, 2012
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@graemeworthy @swanandp