如何在Mongoid应用程序中保护所有字段免受质量分配 [英] How protect all fields against mass assignment in mongoid app

问题描述

我已添加此修复程序 https://gist.github.com/2382288 用于保护所有字段反对在monongoid应用程序中进行质量分配.

I have added this fix https://gist.github.com/2382288 for protect all fields against mass assignment in mongoid app.

在我的config/initializers/mongoid.rb中已添加此修复程序:

in my config/initializers/mongoid.rb I have added this fix:

module Mongoid
  module MassAssignmentSecurity
    extend ActiveSupport::Concern

    included do
      attr_accessible nil
    end
  end

  module Document
    include MassAssignmentSecurity
  end
end

我的问题是:

此修补程序可以完全保护您的应用程序免受大规模分配的攻击吗?

还是建议添加 attr_accessible 每个模型中的所有属性?

推荐答案

默认情况下，这将使所有Mongoid :: Document不接受大量分配的字段.这可能不完全是您想要的，因为您将无法@model.update(params[:model)

This will make all Mongoid::Documents by default accept no fields to mass-assignment. This is probably not exactly what you want, as you will not be able to @model.update(params[:model)

您几乎肯定会想要进入文档并添加:

You'll almost certainly want to go into the document and add:

attr_accessible :first_name, :last_name

这篇关于如何在Mongoid应用程序中保护所有字段免受质量分配的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！