Closed edgar closed 11 years ago
Well, mass-assignment is a problem if you expose the model directly through a controller. Maybe I'm wrong, but currently this is not the case for the authorization model.
Edgar González @edgar http://edgar.com.ve
On Jul 9, 2012, at 7:08 PM, James Coglan reply@reply.github.com wrote:
What problem does this solve? Marking all the attributes as mass-assignable is probably not necessary and invites security breaches. I ought to apply attr_accessible here but not on such a broad scale.
Reply to this email directly or view it on GitHub: https://github.com/songkick/oauth2-provider/pull/29#issuecomment-6862560
@jcoglan you're right I took a lazy approach. I changed to use attr_accessible nil in Authorization model. Please let me know what you think.
thanks
I'm not going to pull this because of the large volume of whitespace and spec changes. I've implemented attr_accessible nil in this commit: https://github.com/songkick/oauth2-provider/commit/67ff04fab231af3b1787d7133a9b8e884f89205b
Ok, same approach
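
An added illustration, not code from this pull request or from oauth2-provider: a plain-Ruby stand-in for the Rails 3 mass-assignment whitelist (not ActiveRecord itself), contrasting a broad attr_accessible list with attr_accessible nil. The class names, attribute names and request parameters are hypothetical; the thread does not list the model's columns.

```ruby
# Plain-Ruby stand-in for the Rails 3 mass-assignment whitelist (not ActiveRecord).
class TinyModel
  # attr_accessible nil compacts to an empty whitelist: nothing is mass-assignable.
  def self.attr_accessible(*names)
    @whitelist = names.compact.map(&:to_s)
  end

  # nil means no whitelist was declared, so every key is mass-assignable.
  def self.whitelist
    @whitelist
  end

  attr_reader :attributes

  def initialize(params = {})
    @attributes = {}
    self.attributes = params
  end

  # Mass assignment: when a whitelist exists, keys outside it are dropped.
  def attributes=(params)
    allowed = self.class.whitelist
    params.each do |key, value|
      next if allowed && !allowed.include?(key.to_s)
      @attributes[key.to_s] = value
    end
  end

  # Explicit single-attribute assignment is not filtered by the whitelist.
  def []=(key, value)
    @attributes[key.to_s] = value
  end
end

# Hypothetical attribute names, for illustration only.
class OpenAuthorization < TinyModel
  attr_accessible :client_id, :scope, :access_token   # broad whitelist
end

class LockedAuthorization < TinyModel
  attr_accessible nil                                  # nothing mass-assignable
end

# Constructed request parameters, as a controller might pass straight to a model.
PARAMS = { "scope" => "read", "access_token" => "chosen-by-caller" }

# Broad whitelist: the caller-supplied token value lands on the record.
def build_open
  OpenAuthorization.new(PARAMS).attributes
end

# Empty whitelist: mass assignment sets nothing; vetted fields are copied explicitly.
def build_locked
  auth = LockedAuthorization.new(PARAMS)
  auth["scope"] = PARAMS["scope"]
  auth.attributes
end
```
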