Rails 4 强参数:我可以“排除"/黑名单属性而不是许可/白名单吗? [英] Rails 4 Strong Parameters : can I 'exclude' / blacklist attributes instead of permit / whitelist?

问题描述

我正在将 Rails 3 应用程序迁移到 Rails 4，我正在将 attr_accessible 属性转换为控制器中的强参数.API 文档展示了如何允许"属性:

I'm migrating a Rails 3 app to Rails 4 and I'm in the process of converting attr_accessible properties to strong parameters in the controller. The API Documentation shows how to 'permit' attributes:

def person_params
  params.require(:person).permit(:name, :age)
end

然而，我的绝大多数属性都是批量分配安全的.我只需要将 :account_id 和 :is_admin 等几个属性列入黑名单.

However the vast majority of my attributes are mass-assignment safe. It's only a few attributes like :account_id and :is_admin that I need to blacklist.

是否可以将属性列入黑名单而不是将几乎所有属性列入白名单?例如:

Is it possible to blacklist attributes instead of whitelisting almost every attribute? E.g something like:

def user_params
  params.require(:user).exclude(:account_id, :is_admin)
end

推荐答案

不，这是不可能的.
将属性列入黑名单将是一个安全问题，因为您的代码库可以发展，而其他应该列入黑名单的属性将来可能会被遗忘.

No, this is not possible.
Blacklisting attributes would be a security issue, since your codebase can evolve, and other attributes, which should be blacklisted can be forgotten in the future.

在实施时添加所有列入白名单的属性可能看起来很复杂.
但是，这是确保您的应用程序安全并避免干扰事物的唯一方法.

Adding all your whitelisted attributes might seem like a complicated thing when implementing it.
However, it's the only way of keeping your application secure and avoiding disturbing things.

这篇关于Rails 4 强参数:我可以“排除"/黑名单属性而不是许可/白名单吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！