This project is archived and is in readonly mode.

#6377 ✓stale
Joseph Palermo

Support for disabling other_ids=(id,id,...) method on associations?

Reported by Joseph Palermo | February 5th, 2011 @ 04:03 PM

In my mind, the _ids= setter methods are very dangerous. I'd say typically people use update_attributes, and typically people don't make all of their models attr_acessible.

This combination leads to the situation where malicious users can do very unexpected things, very easily.

The regular others= method is safe because you can't get classes through a form post, but getting a list of ids through a form post is a no brainer.

Nested Attributes are very well done, safe by default. You have to turn them on, you even have to explicitly turn on the ability to destroy. Giving every has_many association a unprotected id setter is just not safe by default.

So what I propose, and if there is support for this I can code it up, is a Rails::Application level config flag that would cause the ids= to not be created. In my mind, at some point moving forward, this should go from being off by default, to on by default. But that's a decision of others to make. Perhaps there could also be an option to has_many to enable the creation of the ids= setter, even if the app level flag is set to disable them.

Other options would be to keep the other_ids= setters, but make them attr_protected. This is a little bit uglier, since there is a dependency if you have already called attr_accessible we would need to detect that, and not do anything in that case. But also doable.

Thoughts? Am I the only one who thinks these are dangerous methods to create by default?

Comments and changes to this ticket

  • rails

    rails May 7th, 2011 @ 01:00 AM

    • State changed from “new” to “open”

    This issue has been automatically marked as stale because it has not been commented on for at least three months.

    The resources of the Rails core team are limited, and so we are asking for your help. If you can still reproduce this error on the 3-0-stable branch or on master, please reply with all of the information you have about it and add "[state:open]" to your comment. This will reopen the ticket for review. Likewise, if you feel that this is a very important feature for Rails to include, please reply with your explanation so we can consider it.

    Thank you for all your contributions, and we hope you will understand this step to focus our efforts where they are most helpful.

  • rails

    rails May 7th, 2011 @ 01:00 AM

    • State changed from “open” to “stale”

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href="https://github.com/rails/rails/issues">https://github.com/rails/rails/issues</a>

People watching this ticket

Pages