Bug #5158

Remove attr_accessible from Katello

Added by David Davis almost 5 years ago. Updated 9 months ago.

Status: Duplicate
Priority: Normal
Assignee: -
Category: API
Target version:
Difficulty: easy
Triaged: Yes
Bugzilla link:
Pull request:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

At some point it would be nice to remove the attr_accessible calls from Katello models as we could/should just use strong parameters for mass assignment security.

See the following post for more information on this:

http://blog.remarkablelabs.com/2012/12/strong-parameters-rails-4-countdown-to-2013


Related issues

Is duplicate of Katello - Feature #15741: Use parameter_filter instead of attr_accessible (Closed, 2016-07-19)
Blocks Katello - Tracker #9259: Rails 4 feature (Resolved, 2015-02-06)

History

#1 Updated by Eric Helms almost 5 years ago

  • Triaged changed from No to Yes

#2 Updated by Eric Helms over 3 years ago

  • Legacy Backlogs Release (now unused) set to 86

As of this comment, I see the following instances still:

vagrant@katello-devel katello (master)$ grep -r attr_accessible app/
app/models/katello/concerns/smart_proxy_extensions.rb:        attr_accessible :lifecycle_environment_ids
app/models/katello/concerns/container_extensions.rb:        attr_accessible :capsule_id
app/models/katello/concerns/organization_extensions.rb:        attr_accessible :label

#3 Updated by Eric Helms over 3 years ago

#4 Updated by John Mitsch over 3 years ago

The models that extend Foreman will continue to use attr_accessible while Foreman uses protected attributes. When they change to strong parameters, we will be able to remove those attr_accessible calls.

#5 Updated by Eric Helms over 3 years ago

From reviewing the Rails 4 PR, was attr_accessible only needed when those parameters were set via a create or update_attributes call? Could we change where those variables are assigned to the block/direct method to remove these?

#6 Updated by John Mitsch over 3 years ago

They are mostly through create or update_attributes afaik, but would have to look closer to be sure. Is there a benefit to setting them directly vs. using attr_accessible?
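
A simplified plain-Ruby model of the two mechanisms discussed in comments #5 and #6, added here as an illustration and not taken from Katello, Foreman or Rails. The class names, the `created_by` attribute and the sample input are hypothetical; only `label` comes from the grep output above.

```ruby
# Plain-Ruby sketch, no Rails needed. All class names are hypothetical stand-ins.
class ForbiddenAttributes < StandardError; end

# Stand-in for ActionController::Parameters: untrusted until #permit is called.
class RequestParams
  def initialize(hash, permitted = false)
    @hash = hash
    @permitted = permitted
  end

  def permitted?
    @permitted
  end

  def to_h
    @hash.dup
  end

  # Caller-side allowlist: keep only the named keys and mark the result as safe.
  def permit(*keys)
    RequestParams.new(@hash.select { |k, _| keys.include?(k) }, true)
  end
end

# Model-side allowlist, in the style of `attr_accessible :label`.
class ProtectedOrg
  ACCESSIBLE = [:label].freeze
  attr_accessor :label, :created_by

  # Mass assignment only: keys outside the allowlist are silently dropped here.
  def assign_attributes(attrs)
    attrs.each { |k, v| public_send("#{k}=", v) if ACCESSIBLE.include?(k) }
    self
  end
end

# No model-side allowlist: refuses any params the caller has not permitted.
class StrongParamsOrg
  attr_accessor :label, :created_by

  def assign_attributes(params)
    raise ForbiddenAttributes unless params.permitted?
    params.to_h.each { |k, v| public_send("#{k}=", v) }
    self
  end
end

# Constructed request body: one expected key, one the form never offered.
SUBMITTED = { label: "acme", created_by: "someone-else" }.freeze
```

With `SUBMITTED`, `ProtectedOrg#assign_attributes` sets only `label`, while a later direct `org.created_by = ...` still succeeds because the model allowlist covers mass assignment only. `StrongParamsOrg` raises until the caller passes `RequestParams.new(SUBMITTED).permit(:label)`, which is where the allowlist lives once `attr_accessible` is gone.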

#7 Updated by David Davis about 3 years ago

  • Status changed from New to Closed

Decided to close for now. It's not an issue unless Foreman drops protected attributes and hopefully they will notify us before doing so.

#8 Updated by David Davis over 2 years ago

  • Status changed from Closed to Duplicate

#9 Updated by David Davis over 2 years ago

  • Is duplicate of Feature #15741: Use parameter_filter instead of attr_accessible added
