Can't mass-assign protected attributes: city_id, lng, lat about adopt-a-hydrant HOT 6 CLOSED

I enabled attribute whitelisting in 6b2c541 as a security measure after a vulnerability in Rails was made public. This patch inadvertently prevented data seeding, which I never noticed, since my local database was seeded long ago (and there are no tests for seeding data). Your workaround will allow data seeding but it should not be committed, lest you open a security hole in Adopt-a-Hydrant. This will be fixed in Rails 4 with strong parameters, which should allow unencumbered seeding of data, since attribute checking will move from the model to the controller.

from adopt-a-hydrant.

Hey Erik,

Thanks for the explanation. So I ran into this same issue when I tried to adopt a hydrant. I used an attr_accessible declaration for the user_id; otherwise the POST request wasn't working. How does the live site get around this issue?

from adopt-a-hydrant.

For all I know, it doesn't work in production. I pushed this change in the middle of June, when the site wasn't active for the winter. It may be broken now, but at least it's secure, right? :wink2:

I'll look into this when I get a chance. Maybe I'll add strong parameters, which is available to use in Rails 3.2 apps as a gem. Or maybe you could work on that?

from adopt-a-hydrant.

I'll take a look at strong parameters and update you on my progress.

from adopt-a-hydrant.

FWIW, I just got around the seed data problem by opening up the Thing model in the seeds file, and adding the attr_accessible call there. Here's a commit for reference.

from adopt-a-hydrant.

Closing this after Erik's latest commit: 7004916. Thanks for fixing this Erik!

from adopt-a-hydrant.