RoR VS Rails?

On Thu, Feb 16, 2006 at 10:45:02PM -0800, Tom M. wrote:

What is it you’re asking for, and what was your point, other
than your admittedly interesting suggestion about safe mode?

Tom - you’re conflating multiple authors.

You responded to a message from Joe, but I wrote some of that.

Particularly, the observation about ruby safe mode was mine. (Which
I’m thinking about, although I’m not terribly familiar with the rails
source yet.)

http://www.sawstop.com/

I tend to go for “hopefully it won’t aim directly at your head when
you first turn it on”.


- Adam

** Expert Technical Project and Business Management
**** System Performance Analysis and Architecture
****** [ http://www.everylastounce.com ]

[ Adam Fields (weblog) - - entertaining hundreds of millions of eyeball atoms every day ] … Blog
[ Adam Fields Resume ]… Experience
[ Adam Fields | Flickr ] … Photos
[ http://www.aquicki.com/wiki ]…Wiki
[ http://del.icio.us/fields ] … Links

Tom M. wrote:

On Feb 16, 2006, at 2:15 PM, Pete Y. wrote:

my_object = MyClass.new(params[:my_object])
Yes, the right way to do it…

which is potentially insecure, whereas they should be doing:

This is the #1 security hole in Rails applications. I have found several
apps where this bug could be exploited to gain admin permissions.

my_object = MyClass.new
my_object.a = params[:my_object][:a]
my_object.b = params[:my_object][:b]

or something similar.

Yikes…NO!

Read up on attr_accessible and attr_protected.

Deciding what the web form can change in the model is not the
responsibility of the model, but of the controller. An administrator
might have to edit fields that a normal user is not allowed to edit,
etc. Using attr_accessible and attr_protected for this is a violation of
the MVC concept.
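To make the three positions in this thread concrete, here is an added example (not code from any of the posters, and not Rails or ActiveRecord code): a plain-Ruby stand-in for a model that accepts a params hash the way `MyClass.new(params[:my_object])` does, plus a constructed request in which the client has appended an `admin` field the form never offered. The `User`, `GuardedUser`, `AccessibleAttributes`, `build_*` names and the field names are all hypothetical; the `attr_accessible` here is a small reimplementation for illustration, not the real Rails macro. It shows the unchecked form setting the privilege, and the two mitigations from the thread side by side: the controller slicing the hash down to the fields the action exposes, and a model-level allowlist.

```ruby
# Added example, not from the thread: a plain-Ruby stand-in for a Rails
# model so the assignment styles can be run without ActiveRecord.
# All class, method and field names are hypothetical.

# Minimal attr_accessible-style allowlist mixin (a reimplementation for
# illustration, not the real Rails macro).
module AccessibleAttributes
  def attr_accessible(*names)
    @accessible = names.map(&:to_s)
  end

  def accessible_attributes
    @accessible || []
  end
end

class User
  extend AccessibleAttributes
  attr_accessor :name, :email, :admin

  def initialize(attrs = {})
    @admin = false # the privilege a client must never be able to set
    self.attributes = attrs
  end

  # Mass assignment: every key in the hash becomes a setter call, restricted
  # to the class's attr_accessible list when one has been declared.
  def attributes=(attrs)
    allowed = self.class.accessible_attributes
    attrs.each do |key, value|
      key = key.to_s
      next unless allowed.empty? || allowed.include?(key)
      setter = "#{key}="
      public_send(setter, value) if respond_to?(setter)
    end
  end
end

# Same model with the allowlist declared on the model itself.
class GuardedUser < User
  attr_accessible :name, :email
end

# Constructed request: a signup form that the client has extended with an
# extra field the form never offered.
TAMPERED_PARAMS = {
  "name" => "alice",
  "email" => "alice@example.test",
  "admin" => true
}.freeze

# Style 1 from the thread: hand the whole params hash to the model.
def build_unchecked(params)
  User.new(params)
end

# Style 2: the controller decides which fields this action exposes and
# passes only those on (the per-field assignment from the thread, done as
# a slice of the hash so it scales past two fields).
def build_with_controller_allowlist(params, permitted)
  User.new(params.select { |k, _| permitted.include?(k.to_s) })
end

# Style 3: the allowlist lives on the model via attr_accessible.
def build_guarded(params)
  GuardedUser.new(params)
end

if __FILE__ == $PROGRAM_NAME
  puts "unchecked:  admin=#{build_unchecked(TAMPERED_PARAMS).admin}"
  puts "controller: admin=#{build_with_controller_allowlist(TAMPERED_PARAMS, %w[name email]).admin}"
  puts "model:      admin=#{build_guarded(TAMPERED_PARAMS).admin}"
end
```

Running it prints `admin=true` only for the unchecked form. Note that the controller-side slice is what lets an admin action and a user action expose different field sets against one model, which is the point made in the last message above, while the model-level list gives a single default that every caller gets whether or not it remembers to filter.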