Hacker News new | past | comments | ask | show | jobs | submit login

In Shapado we use a safe_update methode like this so we always need to specify which attribute can be updated:

@question.safe_update(%w[title body language tags], params[:question])

I like this better than my solution, which was to specific which params were allowed for each controller action and remove any that weren't allowed.

Applications are open for YC Winter 2021

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact