John F. Douthat johndouthat

## security.md

      
              1 file
            
          
              11 forks
            
          
              134 comments
            
          
              102 stars
            
          
                wycats
                / security.md
            
            
              Created
              March 4, 2012 18:06
            
          
    Proposal for Improving Mass Assignment

For a while, I have felt that the following is the correct way to improve the mass assignment problem without increasing the burden on new users. Now that the problem with the Rails default has been brought up again, it's a good time to revisit it.
Sign Allowed Fields

When creating a form with form_for, include a signed token including all of the fields that were created at form creation time. Only these fields are allowed.
To allow new known fields to be added via JS, we could add:

  
## rspec-syntax-cheat-sheet.rb
# RSpec 2.0 syntax Cheet Sheet by http://ApproachE.com

# defining spec within a module will automatically pick Player::MovieList as a 'subject' (see below)
module Player
	describe MovieList, "with optional description" do

	  it "is pending example, so that you can write ones quickly"

	  it "is already working example that we want to suspend from failing temporarily" do
		pending("working on another feature that temporarily breaks this one")
	# RSpec 2.0 syntax Cheet Sheet by http://ApproachE.com

	# defining spec within a module will automatically pick Player::MovieList as a 'subject' (see below)
	module Player
	describe MovieList, "with optional description" do

	it "is pending example, so that you can write ones quickly"

	it "is already working example that we want to suspend from failing temporarily" do
	pending("working on another feature that temporarily breaks this one")