Comments on Stochastic Bytes: Rails Plugin: param_protected

Christopher J. Bottaro, 2008-01-21 20:57 (-06:00):

Alright, it now works with nested params.

param_protected 'user/user_id'

will now remove params[:user][:user_id].

This has not been extensively tested, so please let me know about any bugs.

Mina, 2008-03-10 15:40 (-05:00):

Very cool work Christopher (especially with the nested stuff). I completely agree with your sentiments. I still think there's a place for attr_protected in the model for truly immutable attributes like :id, but the rest of the filtering is more suited, as you've mentioned, to the controller.

My beef though with attr_protected (and param_protected) is that they're blacklists which, in the case of filtering, are much less effective security-wise compared to whitelists.

Do you have plans for a param_allowed ;-) ?

Christopher J. Bottaro, 2008-03-11 02:09 (-05:00):

Hello Mina,

Yes, param_accessible is in the works. I'm also working on cleaning up the code and making it more efficient, but the big feature is having it work with arrays...

For example, you have a form with inputs like this:

<input name="names[][first]" />
<input name="names[][middle]" />
<input name="names[][last]" />

And thus params that come across like:

{ :names => [ { :first => "Jane", :middle => "Rae", :last => "Doe" }, { :first => "John", :middle => "Rambo", :last => "Doe" } ] }

Then you can say:

param_protected 'names/middle'

And it will trim the params to:

{ :names => [ { :first => "Jane", :last => "Doe" }, { :first => "John", :last => "Doe" } ] }

Hopefully I can knock that out in a couple of weeks.

Christopher J. Bottaro, 2008-03-24 22:00 (-05:00):

Ok, I implemented whitelisting (param_accessible) and also the features I talked about in the previous comment.

Please see the README for documentation: http://www.stochasticbytes.com/doc/param_protected/README.html
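The thread describes two ways of filtering a nested params hash by path: a blacklist (param_protected 'names/middle' strips :middle from every element of the names array) and a whitelist (param_accessible, the param_allowed Mina asks for). The following is an added example written for this page, not the plugin's own code from the README. It assumes the thread's 'user/user_id' and 'names/middle' path syntax, applies a rule to every element when a path segment meets an array, and accepts symbol or string keys; the helper names strip_path, pluck_path, deep_merge and key_for are this example's own.

```ruby
# Added example, not the param_protected plugin's own code: a path-based
# filter over a nested params hash, in the spirit of the param_protected
# (blacklist) and param_accessible (whitelist) calls discussed in the thread.
# Paths use the thread's 'user/user_id' / 'names/middle' syntax; when a
# segment meets an array, the rule is applied to every element. The helper
# names (strip_path, pluck_path, deep_merge, key_for) are this example's own.

# Resolve a path segment against a hash that may use symbol or string keys.
def key_for(hash, seg)
  [seg.to_sym, seg].find { |k| hash.key?(k) }
end

# Blacklist: return a copy of +node+ with the key at +segs+ removed.
# Arrays are traversed element-wise; a missing key leaves the node untouched.
def strip_path(node, segs)
  return node if segs.empty?
  case node
  when Array
    node.map { |el| strip_path(el, segs) }
  when Hash
    key = key_for(node, segs.first)
    return node if key.nil?
    if segs.size == 1
      node.reject { |k, _| k == key }
    else
      node.merge(key => strip_path(node[key], segs.drop(1)))
    end
  else
    node
  end
end

# Whitelist helper: return only the part of +node+ addressed by +segs+.
def pluck_path(node, segs)
  return node if segs.empty?
  case node
  when Array
    node.map { |el| pluck_path(el, segs) }
  when Hash
    key = key_for(node, segs.first)
    return {} if key.nil?
    value = segs.size == 1 ? node[key] : pluck_path(node[key], segs.drop(1))
    { key => value }
  else
    {}
  end
end

# Merge two plucked structures; parallel arrays (plucked from the same
# source array) are merged element-wise so 'names/first' and 'names/last'
# recombine into one element per name.
def deep_merge(a, b)
  if a.is_a?(Hash) && b.is_a?(Hash)
    a.merge(b) { |_, x, y| deep_merge(x, y) }
  elsif a.is_a?(Array) && b.is_a?(Array)
    a.zip(b).map { |x, y| deep_merge(x, y) }
  else
    b
  end
end

# Blacklist: everything passes except the named paths.
def param_protected(params, *paths)
  paths.reduce(params) { |acc, path| strip_path(acc, path.split('/')) }
end

# Whitelist: nothing passes except the named paths.
def param_accessible(params, *paths)
  paths.reduce({}) { |acc, path| deep_merge(acc, pluck_path(params, path.split('/'))) }
end

# Constructed sample, shaped like the thread's names[][first] form plus a
# nested user hash; not captured from a real request.
SAMPLE_PARAMS = {
  :user  => { :name => "jane", :user_id => 42, :admin => true },
  :names => [
    { :first => "Jane", :middle => "Rae",   :last => "Doe" },
    { :first => "John", :middle => "Rambo", :last => "Doe" }
  ]
}.freeze

# Runs both filters over the sample: the blacklist must name every key it
# wants out, the whitelist names only the keys it wants in.
def demo(params = SAMPLE_PARAMS)
  {
    :protected  => param_protected(params, 'names/middle', 'user/user_id', 'user/admin'),
    :accessible => param_accessible(params, 'user/name', 'names/first', 'names/last')
  }
end

if __FILE__ == $0
  require 'pp'
  pp demo
end
```

On the sample both filters yield the same result, which is exactly Mina's point in reverse: add a field the controller never anticipated (say a :role key inside :user) and the blacklist passes it straight through to mass assignment, while the whitelist drops it without any change to the filter list.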