Created
October 19, 2011 15:09
-
-
Save lundie/1298567 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def create | |
| @app = App.new(params[:app]) | |
| @app.original = params[:app] | |
| respond_to do |format| | |
| if @app.save | |
| format.html { redirect_to(done_path(@app.member.id), :notice => 'Application was successfully created.') } | |
| else | |
| format.html { render :action => "new" } | |
| end | |
| end | |
| end | |
| #show the original Application | |
| def show | |
| @app = App.new(App.find(params[:id]).original) | |
| end | |
| #Model | |
| class App < ActiveRecord::Base | |
| has_one :applicant | |
| serialize :original, Hash | |
| accepts_nested_attributes_for :applicant | |
| end |
Great point. I have updated it and it seems to work. Thanks for you help!
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Eval'ing params - yikes. Maybe rails' attribute whitelisting makes this less of a security issue but I wouldn't rely on it. I would strip out and/or escape anything from params[:app] that isn't expected before stringifying it. Someone with more experience with rails may convince me otherwise but it seems dangerous.
Besides the security issue though, why the need for eval at all? Couldn't you
serialize :originalin your model, then you wouldn't need the step of converting to a string and then eval'ing it, that would be done transparently?