Question

attr_accessible :email, :password, :password_confirmation

If not, can you please give an example of a method which prevents the 'undefined' error when attr_accessible is removed.


Solution

It is safe. Attr_accessible is only dangerous for attributes that control your application logic. For example, if you have a flag that says "yes I've checked this user is an admin", and it can be set by the user instead, because it's attr_accessible, then it's a vulnerability.

Since the password is a piece of information that is provided by the user anyway, making it settable by the same user does not change anything.
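To make the distinction in this answer concrete, here is an added example (not code from the original post, and not Rails itself) that simulates mass assignment in plain Ruby. The class names, the attribute set and the request parameters are all constructed for illustration: one model assigns every key it is handed, the other applies an attr_accessible-style whitelist, and both receive the same sign-up parameters with an extra admin flag tacked on.

```ruby
# Added example: Rails-free simulation of mass assignment with and without
# an attr_accessible-style whitelist. Class names, attributes and the
# SIGNUP_PARAMS hash are constructed for illustration.

# Hypothetical model with no whitelist: every key in the params hash is
# assigned, including the admin flag that only the application should set.
class UnprotectedUser
  attr_accessor :email, :password, :password_confirmation, :admin

  def initialize(params = {})
    @admin = false
    params.each { |k, v| public_send("#{k}=", v) }
  end
end

# Same model with a whitelist: only the listed attributes are assignable
# from a params hash; anything else is dropped and recorded so a test or a
# log line can show what was filtered.
class ProtectedUser
  ACCESSIBLE = %i[email password password_confirmation].freeze

  attr_reader :email, :password, :password_confirmation, :admin, :rejected

  def initialize(params = {})
    @admin = false
    @rejected = []
    assign_attributes(params)
  end

  def assign_attributes(params)
    params.each do |k, v|
      if ACCESSIBLE.include?(k.to_sym)
        instance_variable_set("@#{k}", v)
      else
        @rejected << k.to_sym
      end
    end
  end
end

# Constructed request parameters: the legitimate sign-up fields plus an
# admin=true key that a form body could carry but the app never intended.
SIGNUP_PARAMS = {
  email: "alice@example.com",
  password: "hunter2",
  password_confirmation: "hunter2",
  admin: true
}.freeze

def unprotected_result
  UnprotectedUser.new(SIGNUP_PARAMS)
end

def protected_result
  ProtectedUser.new(SIGNUP_PARAMS)
end

if __FILE__ == $PROGRAM_NAME
  puts "unprotected admin flag: #{unprotected_result.admin}"   # true
  puts "protected admin flag:   #{protected_result.admin}"     # false
  puts "rejected keys:          #{protected_result.rejected.inspect}"
end
```

The point the answer makes falls out directly: email, password and password_confirmation are accepted by both models because the user supplies them anyway, while the admin flag only survives in the model without a whitelist.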

Other tips

If you are security paranoid, you could do this by defining the method password:

def password
  # reader backed by the instance variable (calling self.password here would recurse forever)
  @password
end

this way the password can't be set by hand.

But you shouldn't worry about it because many login gems like devise need password in attr_accessible.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow