> Authentication belongs to the controller. Securing models should
> belong in the validation cycle, ensuring that *all* code hitting the
> models goes through the same security validation process.

Gaspard, I'd argue that the issue at hand is authorization, and not
necessarily validation. A set

I think we are touching a deeper problem here apart from the
accessible/protected issue. From the start we realized that we need to
store valid models in the database so we wrote validations. Strangely,
it did not occur to us that security issues are part of the validation
process. They are not so

On Sun, Mar 1, 2009 at 9:55 PM, Michael Koziarski wrote:
>
> > With 2.3 being so close, I'd think we'd want to consider a change like
> > this for 3.0. What do you guys think?
>
> Definitely not keen on this for 2.3, but for 3.0 it's definitely an
> option. My main concern with adding attr_acces

> With 2.3 being so close, I'd think we'd want to consider a change like
> this for 3.0. What do you guys think?

Definitely not keen on this for 2.3, but for 3.0 it's definitely an
option. My main concern with adding attr_accessible to every model is
that it'll just be seen as noise by most dev