attr_protected and attr_accessible? #21

Closed
roryfranklin opened this issue Jun 22, 2010 · 3 comments

Comments

@roryfranklin

Hi,

Is there any way to use attr_protected and attr_accessible (or similar) to prevent mass assignment when updating documents?

@roidrage
Contributor

We built that into SimplyStored (https://github.com/peritor/simply_stored), a layer on top of CouchPotato. Even though I'm not a fan of mass assignment on the model level, maybe we could move that code into CouchPotato? Just an offer, personally I prefer it on a layer above, mass assignment protection more often than not is a hassle for me.

@roryfranklin
Author

I was using SimplyStored but found it difficult to use (more specifically custom views) so went with just straight CouchPotato instead and I'm having more joy.

In terms of mass assignment - for me it is things like having an 'admin' property (among other things) that I'd rather isn't possible to be set through mass assignment.

@langalex
Owner

Try param_protected if you're using Rails which works on the controller level. This is a security problem of the HTTP layer so IMHO it should be handled there. If you insist on doing it in the model you could write a plugin in 10 lines of code to do it. I won't pull this into Couch Potato though.

This issue was closed.
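
The two places this thread discusses for keeping a request from setting a field such as 'admin' (the controller and the model), shown side by side as an added example that is not code from Couch Potato, SimplyStored or param_protected. `User`, `permit`, `AccessibleAttributes`, `admin_set?` and the sample parameters are hypothetical stand-ins.

```ruby
# Plain-Ruby stand-in for a document model (assumption: not Couch Potato's API).
class User
  attr_accessor :name, :email, :admin

  # Mass assignment: every key in the hash is written to the object.
  def attributes=(hash)
    hash.each { |key, value| public_send("#{key}=", value) }
  end
end

# Controller-level guard (hypothetical helper): allow-list request parameters
# before they are handed to the model.
PERMITTED_KEYS = %w[name email].freeze

def permit(params)
  params.select { |key, _| PERMITTED_KEYS.include?(key.to_s) }
end

# Model-level guard (hypothetical module): attributes= drops any key that was
# not declared with attr_accessible; other fields need an explicit setter call.
module AccessibleAttributes
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    attr_reader :accessible

    def attr_accessible(*names)
      @accessible = names.map(&:to_s)
    end
  end

  def attributes=(hash)
    super(hash.select { |key, _| Array(self.class.accessible).include?(key.to_s) })
  end
end

class GuardedUser < User
  include AccessibleAttributes
  attr_accessible :name, :email
end

# Constructed request parameters carrying an extra "admin" key.
REQUEST_PARAMS = { "name" => "Alice", "email" => "alice@example.test", "admin" => true }.freeze

# True if mass-assigning params to a fresh model_class instance set admin.
def admin_set?(model_class, params)
  user = model_class.new
  user.attributes = params
  user.admin == true
end
```

`admin_set?(User, REQUEST_PARAMS)` is true, while both `admin_set?(User, permit(REQUEST_PARAMS))` and `admin_set?(GuardedUser, REQUEST_PARAMS)` are false.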