Rails 4 强参数:我可以“排除"/黑名单属性而不是许可/白名单吗? [英] Rails 4 Strong Parameters : can I 'exclude' / blacklist attributes instead of permit / whitelist?
问题描述
我正在将 Rails 3 应用程序迁移到 Rails 4,我正在将 attr_accessible
属性转换为控制器中的强参数.API 文档展示了如何允许"属性:
I'm migrating a Rails 3 app to Rails 4 and I'm in the process of converting attr_accessible
properties to strong parameters in the controller. The API Documentation shows how to 'permit' attributes:
def person_params
params.require(:person).permit(:name, :age)
end
然而,我的绝大多数属性都是批量分配安全的.我只需要将 :account_id
和 :is_admin
等几个属性列入黑名单.
However the vast majority of my attributes are mass-assignment safe. It's only a few attributes like :account_id
and :is_admin
that I need to blacklist.
是否可以将属性列入黑名单而不是将几乎所有属性列入白名单?例如:
Is it possible to blacklist attributes instead of whitelisting almost every attribute? E.g something like:
def user_params
params.require(:user).exclude(:account_id, :is_admin)
end
推荐答案
不,这是不可能的.
将属性列入黑名单将是一个安全问题,因为您的代码库可以发展,而其他应该列入黑名单的属性将来可能会被遗忘.
No, this is not possible.
Blacklisting attributes would be a security issue, since your codebase can evolve, and other attributes, which should be blacklisted can be forgotten in the future.
在实施时添加所有列入白名单的属性可能看起来很复杂.
但是,这是确保您的应用程序安全并避免干扰事物的唯一方法.
Adding all your whitelisted attributes might seem like a complicated thing when implementing it.
However, it's the only way of keeping your application secure and avoiding disturbing things.
这篇关于Rails 4 强参数:我可以“排除"/黑名单属性而不是许可/白名单吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!