Getting started guide: warn about mass assignment?

Regarding Getting Started with Rails — Ruby on Rails Guides

The mass assignment in the code example

  respond_to do |format|
    if @post.update_attributes(params[:post])
      format.html { redirect_to(@post, ...

allows the comments to be edited, too. This is not a problem because later, authentication is added for this method. However, I think that newcomers (who the guides are for) will think that update_attributes (without any security measures) is a good practice to update their models.

For instance, I didn't realize the security hole in the following code until now:

  class A
    has_many :b
  end

  class B
    belongs_to :a
  end

and then in the b controller:

  @a = A.find params[:a_id]
  @b = @a.b.find params[:b_id]
  # params[:b] may contain a_id, which is mass-assigned along with the rest
  @b.update_attributes params[:b]

this will allow the user to assign B to another A which is not wanted in most cases.

So, I would ask whether you think that a warning about mass assignment without attr_accessible, with a pointer to the security guide, would be a good thing at the end of the "Editing posts" section.

Also, Securing Rails Applications — Ruby on Rails Guides could be more detailed.

Do you think it makes sense if I write some lines for it?
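The a_id hole described above, shown as an added example that is not part of the original post or of Rails itself: a small plain-Ruby stand-in for ActiveRecord mass assignment, run once without and once with an attr_accessible whitelist. The MassAssignable module, demo and HOSTILE_PARAMS are this example's own constructs, not Rails APIs.

```ruby
# Added example, not from the original post: a plain-Ruby stand-in for
# ActiveRecord mass assignment and attr_accessible, so the B/a_id hole
# can be run without Rails. Names follow the post; helpers are hypothetical.
module MassAssignable
  def self.included(base); base.extend(ClassMethods); end
  module ClassMethods
    # nil means no whitelist was declared, so every key is assignable.
    attr_reader :accessible_attributes
    # attr_accessible: whitelist of attributes settable by mass assignment.
    def attr_accessible(*names)
      @accessible_attributes = names.map(&:to_s)
    end
  end
  attr_reader :attributes
  def initialize(attributes = {})
    @attributes = attributes.transform_keys(&:to_s)
  end

  # Apply a params hash; returns the keys the whitelist rejected
  # (Rails logs these as protected attributes rather than raising).
  def update_attributes(params)
    allowed = self.class.accessible_attributes
    rejected = []
    params.each do |key, value|
      key = key.to_s
      if allowed.nil? || allowed.include?(key)
        @attributes[key] = value
      else
        rejected << key
      end
    end
    rejected
  end
end

# B as in the post, without attr_accessible: a_id can be moved to another A.
class UnprotectedB; include MassAssignable; end
# The same model with a whitelist: a_id is no longer mass-assignable.
class ProtectedB; include MassAssignable; attr_accessible :body; end

# Constructed params: the user edits body but also smuggles in a new a_id.
HOSTILE_PARAMS = { 'body' => 'edited', 'a_id' => 999 }.freeze

# Returns [resulting a_id, rejected keys] for the given model class.
def demo(klass)
  record = klass.new('a_id' => 1, 'body' => 'original')
  rejected = record.update_attributes(HOSTILE_PARAMS)
  [record.attributes['a_id'], rejected]
end
```

`demo(UnprotectedB)` ends with a_id reassigned to 999, while `demo(ProtectedB)` keeps a_id at 1 and reports 'a_id' as the rejected key.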