@jbarnette
Created March 5, 2012 02:37
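```ruby
class ActiveRecord::Base
  # Empty whitelist: no attribute is mass-assignable unless a model opts in.
  attr_accessible nil

  # Fail loudly on any call so each attribute has to be assigned explicitly.
  def update_attributes *args
    raise "Don't call #{self.class.name}#update_attributes. " +
      "Mass assignment is pure evil."
  end
end
```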

benatkin commented Mar 5, 2012

/config/initializers/ar.rb


sgruhier commented Mar 5, 2012

efficient !


mhuggins commented Apr 3, 2012

Can you clarify why update_attributes is bad? The Rails Security Guide states:

> In a similar way, new, create, create!, update_attributes, and update_attributes! methods all respect mass-assignment security and accept either :as or :without_protection options.

Given that, I fail to see why disabling update_attributes is necessary.
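
A pure-Ruby model of the whitelist filtering that the gist's `attr_accessible nil` and the quoted guide sentence refer to, added here as an illustration; it is not part of the gist or the thread, and it is not ActiveRecord code. `ToyModel`, `assign`, `rejected`, `OpenUser`, `LockedUser` and `PARAMS` are hypothetical names; only `attr_accessible`, `:as` and `:without_protection` mirror names on the page.

```ruby
# Added illustration: ToyModel is a hypothetical stand-in, not ActiveRecord.
class ToyModel
  # Per-class whitelist: role => attribute names bulk assignment may set.
  def self.whitelist
    @whitelist ||= Hash.new { |hash, role| hash[role] = [] }
  end

  # Mirrors the attr_accessible name from the gist; nil adds nothing.
  def self.attr_accessible(*names)
    opts = names.last.is_a?(Hash) ? names.pop : {}
    whitelist[opts.fetch(:as, :default)].concat(names.compact.map(&:to_s))
  end

  attr_reader :attributes, :rejected
  def initialize
    @attributes = {}
    @rejected = []   # assumption: the toy records filtered keys for inspection
  end

  # Bulk assignment: keep whitelisted keys for the role, set aside the rest.
  def assign(params, opts = {})
    allowed = self.class.whitelist[opts.fetch(:as, :default)]
    params.each do |key, value|
      if opts[:without_protection] || allowed.include?(key.to_s)
        @attributes[key.to_s] = value
      else
        @rejected << key.to_s
      end
    end
    self
  end
end

class OpenUser < ToyModel
  attr_accessible :name, :admin          # over-broad default whitelist
end

class LockedUser < ToyModel
  attr_accessible nil                    # the gist's default: nothing allowed
  attr_accessible :name, :admin, :as => :admin
end

# Constructed parameters: "admin" is a key the form never offered.
PARAMS = { "name" => "pat", "admin" => true }

p OpenUser.new.assign(PARAMS).attributes
p LockedUser.new.assign(PARAMS).rejected
p LockedUser.new.assign(PARAMS, :as => :admin).attributes
p LockedUser.new.assign(PARAMS, :without_protection => true).attributes
```

The gist goes one step further than `LockedUser`: because its `update_attributes` raises on every call, the `:as` and `:without_protection` options cannot be used through that method at all.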
