allow config.action_controller.filter_parameter_logging in environment.rb
Reported by Mark Van Holstyn | July 2nd, 2008 @ 06:57 PM | in 2.x
Right now you have to configure parameter logging in the application controller. This patch lets you declare the filter parameter logging in environment.rb.
Comments and changes to this ticket
-
Daniel Morrison July 2nd, 2008 @ 07:25 PM
I really like it. +1
Personally, I'd like to see :password set by default to encourage it as a best-practice. (maybe :ssn, and :credit_card too, but those are less-common)
-
Pratik July 4th, 2008 @ 12:28 AM
What are the benefits of doing it in environment.rb over application.rb?
Thanks.
-
Pratik July 14th, 2008 @ 04:44 AM
- → State changed from new to wontfix
I don't really see any benefits. I'm closing this ticket for now. But please feel free to raise the issue in core mailing list and if we have more people in favor of this patch, we can roll it in.
Thanks.
-

Gaius Centus Novus August 7th, 2008 @ 03:28 PM
Sort of. +1 / -1.
Perhaps a middle ground that retains the utility would be a Boolean:
config.action_controller.filter_parameter_logging = false
rather than the actual fields, which would look more like this:
config.action_controller.filter_logging_of_parameters :password, :ssn, ...
The only reason to have it on is for debugging, which is only done in development (or maybe test), so the finer-grained settings aren't really useful.
-
Daniel Morrison August 7th, 2008 @ 03:43 PM
Gaius,
I definitely disagree. In production, it is more important as you are accepting real passwords, credit cards, and SSNs.
If you're storing credit card numbers, even in log files, you're probably violating your merchant agreements.
-

Gaius Centus Novus August 7th, 2008 @ 04:00 PM
Let me clarify: I was envisioning augmenting the current system wherein fields are declared in the controllers.
That is:
app/controllers/application.rb:
    class ApplicationController < ActionController::Base
      filter_parameter_logging :password, :ssn, ...
      ...
    end
config/environments/development.rb:
    config.action_controller.filter_parameter_logging = false
    # or even
    config.action_controller.filter_parameter_logging = []
By default, the filtering would be on, leaving the Controllers to dictate the behavior.
-

Gaius Centus Novus August 7th, 2008 @ 04:02 PM
Now I see your confusion, Daniel.
By "The only reason to have it on is for debugging," I clearly meant "The only reason to have it off is for debugging." [laughs at self being ridiculously bad at proof-reading]
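Added illustration, not part of the ticket and not Rails source code: a plain-Ruby sketch of what parameter filtering does to a logged request, with the per-environment off switch the thread discusses. The class name ParamLogFilter, the `enabled:` option and the sample parameters are assumptions made up for this example.

```ruby
# Stand-alone sketch of log parameter filtering (hypothetical class, not Rails code).
class ParamLogFilter
  FILTERED = "[FILTERED]"

  # names:   parameter names to mask, e.g. :password, :ssn
  # enabled: environment-level switch; false logs parameters unmasked
  def initialize(*names, enabled: true)
    @enabled = enabled && !names.empty?
    alternatives = names.map { |n| Regexp.escape(n.to_s) }.join("|")
    @pattern = Regexp.new(alternatives, Regexp::IGNORECASE)
  end

  # Returns a masked copy of params; the original hash is left untouched.
  def filter(params)
    return params unless @enabled
    params.each_with_object({}) do |(key, value), out|
      # Substring match on the key, so "password_confirmation" is masked too.
      out[key] = @pattern.match?(key.to_s) ? FILTERED : filter_value(value)
    end
  end

  private

  # Recurse into nested hashes and arrays, as form parameters often are.
  def filter_value(value)
    case value
    when Hash  then filter(value)
    when Array then value.map { |v| filter_value(v) }
    else value
    end
  end
end

# Constructed sample request parameters.
SAMPLE_PARAMS = {
  "user"    => { "login" => "mark", "password" => "s3cret",
                 "password_confirmation" => "s3cret" },
  "payment" => [{ "credit_card" => "4111111111111111", "amount" => "10.00" }],
  "ssn"     => "000-00-0000"
}

def log_line(filter, params)
  "Parameters: #{filter.filter(params).inspect}"
end

production  = ParamLogFilter.new(:password, :ssn, :credit_card)
development = ParamLogFilter.new(:password, :ssn, :credit_card, enabled: false)
puts log_line(production, SAMPLE_PARAMS)   # secrets masked
puts log_line(development, SAMPLE_PARAMS)  # secrets written in clear text
```

With the switch off, every secret in the request lands in the log file verbatim, which is the production risk raised in the thread.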
