Bug #5158
closed
Remove attr_accessible from Katello
Description
At some point it would be nice to remove the attr_accessible calls from Katello models as we could/should just use strong parameters for mass assignment security.
See the following post for more information on this:
http://blog.remarkablelabs.com/2012/12/strong-parameters-rails-4-countdown-to-2013
Updated by Eric Helms almost 9 years ago
- Translation missing: en.field_release set to 86
As of this comment, I see the following instances still:
vagrant@katello-devel katello (master)$ grep -r attr_accessible app/
app/models/katello/concerns/smart_proxy_extensions.rb: attr_accessible :lifecycle_environment_ids
app/models/katello/concerns/container_extensions.rb: attr_accessible :capsule_id
app/models/katello/concerns/organization_extensions.rb: attr_accessible :label
Updated by Eric Helms almost 9 years ago
- Blocks Tracker #9259: Rails 4 feature added
Updated by John Mitsch almost 9 years ago
The models that extend foreman will continue to use attr_accessible while foreman uses protected attributes. When they change to strong parameters, we will be able to remove those attr_accessible calls.
Updated by Eric Helms almost 9 years ago
From reviewing the Rails 4 PR, was attr_accessible only needed when those parameters were set via a create or update_attributes call? Could we change where those variables are assigned to the block/direct method to remove these?
Updated by John Mitsch almost 9 years ago
They are mostly through create or update_attributes afaik, but would have to look closer to be sure. Is there a benefit to setting them directly vs. using attr_accessible?
Updated by David Davis almost 9 years ago
- Status changed from New to Closed
Decided to close for now. It's not an issue unless foreman drops protected attributes and hopefully they will notify us before doing so.
Updated by David Davis over 8 years ago
- Is duplicate of Feature #15741: Use parameter_filter instead of attr_accessible added
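
Added example (not from the issue thread, and not Rails, Foreman or Katello code): a plain-Ruby model of the two allow-list styles discussed above, showing that a model-side list filters only the mass-assignment path while the strong-parameters style filters at the caller. The class names, `internal_flag` and the sample request are hypothetical; only `label` comes from the grep output.

```ruby
# Simplified stand-in for the two Rails mechanisms; not Rails, Foreman or Katello code.
class ForbiddenAttributes < StandardError; end

# Controller-side allow-list, modelled on strong parameters.
class Params
  attr_reader :data

  def initialize(data, permitted = false)
    @data = data.transform_keys(&:to_s)
    @permitted = permitted
  end

  def permitted?
    @permitted
  end

  # Returns a copy holding only the named keys, marked safe for mass assignment.
  def permit(*keys)
    Params.new(@data.slice(*keys.map(&:to_s)), true)
  end
end

class Org
  attr_accessor :label, :internal_flag # internal_flag is a hypothetical sensitive field

  def assign(attrs)
    attrs.each { |key, value| public_send("#{key}=", value) }
    self
  end
end

# Model-side allow-list, modelled on `attr_accessible :label`.
class ProtectedOrg < Org
  ACCESSIBLE = %w[label].freeze

  # Mass-assignment path (create/update_attributes): unlisted keys are dropped.
  def update_attributes(attrs)
    assign(attrs.transform_keys(&:to_s).slice(*ACCESSIBLE))
  end
end

# Model with no allow-list of its own: it refuses parameters nobody has permitted.
class StrongOrg < Org
  def update_attributes(params)
    raise ForbiddenAttributes unless params.permitted?
    assign(params.data)
  end
end

REQUEST = { "label" => "acme", "internal_flag" => true }.freeze # constructed input
```

Direct assignment such as `org.internal_flag = true` passes through neither allow-list, so code that assigns from request data that way has to validate the value itself.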