Would be nice to allow redefinition of accessible_attributes via self.accessible_attributes in models.
The problem with attr_accessible is that it is cumulative/additive, but it could be interpreted by the developer as redefinition, and that could lead to nasty security issues.
I think that attr_accessible and attr_protected should go the way of set_primary_key and set_table_name (which both got deprecated and changed to self.primary_key= and self.table_name=), such that self.accessible_attributes could be manipulated in a more well-defined way.
The following would be equivalent to attr_accessible :name, :status:
self.accessible_attributes[:default] += :name, :status
The following would be equivalent to attr_protected :name, :status:
self.accessible_attributes[:default] -= :name, :status
The following would be redefining the whitelist, similar to what can be done with self._accessible_attributes[:default] = :name, :status currently (even if you shouldn’t be messing with internals):
self.accessible_attributes[:default] = :name, :status
It’s too bad that += can’t be defined on the self.accessible_attributes Hash instance, because it would be nice not to have to specify the role if it is :default. I know mass assignment security is somewhat being taken off of the stove with strong_parameters being integrated, but it’s still there.
What do you think?
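A stand-alone Ruby sketch of the cumulative behaviour the issue describes, showing why a developer who reads the second attr_accessible call as a redefinition ends up with a wider whitelist than intended. This is an added example, not code from the issue or from Rails; the Whitelist class, its redefine_accessible method and the params hash are constructed stand-ins for attr_accessible and a mass-assignment call.

```ruby
# Constructed stand-in for the attr_accessible whitelist (not Rails code),
# reproducing its cumulative semantics so the pitfall can be seen offline.
class Whitelist
  attr_reader :accessible

  def initialize
    # role => list of attribute names, mirroring accessible_attributes[role]
    @accessible = Hash.new { |h, k| h[k] = [] }
  end

  # Cumulative, like attr_accessible: each call ADDS to the existing list.
  def attr_accessible(*names, role: :default)
    @accessible[role] |= names.map(&:to_s)
  end

  # The redefinition form proposed above: REPLACE the list for that role.
  def redefine_accessible(*names, role: :default)
    @accessible[role] = names.map(&:to_s)
  end

  # Keep only whitelisted keys from a mass-assignment hash.
  def sanitize(params, role: :default)
    params.select { |k, _| @accessible[role].include?(k.to_s) }
  end
end

# Constructed request input: an attacker-controllable "admin" key is present.
PARAMS = { "name" => "alice", "status" => "active", "admin" => true }

# Developer intends the second call to mean "only :name", but the earlier
# declaration (e.g. inherited from a parent model) still counts.
def cumulative_result
  w = Whitelist.new
  w.attr_accessible(:name, :status, :admin)
  w.attr_accessible(:name)
  w.sanitize(PARAMS)
end

# Same scenario with an explicit redefinition: "admin" no longer gets through.
def redefined_result
  w = Whitelist.new
  w.attr_accessible(:name, :status, :admin)
  w.redefine_accessible(:name)
  w.sanitize(PARAMS)
end
```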