I have added this fix https://gist.github.com/2382288 to protect all fields against mass assignment in a Mongoid app.
In my config/initializers/mongoid.rb I have added this fix:
module Mongoid
  module MassAssignmentSecurity
    extend ActiveSupport::Concern

    included do
      # Empty whitelist: no attribute is mass-assignable unless a model opts in.
      attr_accessible nil
    end
  end

  # Mixed into every model that includes Mongoid::Document.
  module Document
    include MassAssignmentSecurity
  end
end
My question is: does this fix completely protect your application against mass assignment attacks?
Or is it recommended to add attr_accessible for all the attributes in each model?
This will make all Mongoid::Documents by default accept no fields for mass assignment. This is probably not exactly what you want, as you will not be able to call @model.update(params[:model]).
You'll almost certainly want to go into the document and add:
attr_accessible :first_name, :last_name
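To make the two-layer behaviour concrete (the initializer's empty default whitelist, then a per-model attr_accessible), here is an added, self-contained example that is not from the question, the answer, Mongoid or ActiveModel: it is a deliberately simplified re-implementation of the whitelist semantics, with a hypothetical MassAssignmentSecurity module and constructed request params, so it runs without any gems.

```ruby
# Simplified model of attr_accessible whitelisting (hypothetical; not ActiveModel/Mongoid code).
module MassAssignmentSecurity
  def self.included(base)
    base.extend(ClassMethods)
    base.attr_accessible nil # same default as the initializer: nothing is assignable
  end

  module ClassMethods
    # attr_accessible nil yields an empty whitelist; names are normalised to strings.
    def attr_accessible(*names)
      @accessible = names.compact.map(&:to_s)
    end

    def accessible_attributes
      @accessible || []
    end
  end

  # Split incoming params into whitelisted pairs and the names that were rejected,
  # so a caller can log what a request tried to set.
  def sanitize_for_mass_assignment(attrs)
    allowed = self.class.accessible_attributes
    kept, dropped = attrs.partition { |k, _| allowed.include?(k.to_s) }
    [kept.to_h, dropped.map { |k, _| k.to_s }]
  end

  def assign_attributes(attrs)
    kept, dropped = sanitize_for_mass_assignment(attrs)
    kept.each { |k, v| public_send("#{k}=", v) }
    dropped
  end
end

class LockedUser # relies on the default only: every field is protected
  include MassAssignmentSecurity
  attr_accessor :first_name, :last_name, :admin
end

class User # adds the per-model whitelist recommended in the answer
  include MassAssignmentSecurity
  attr_accessor :first_name, :last_name, :admin
  attr_accessible :first_name, :last_name
end

# Constructed params: the form fields plus an "admin" key the form never rendered.
PARAMS = { "first_name" => "Ada", "last_name" => "Lovelace", "admin" => true }.freeze

def demo
  locked = LockedUser.new
  locked_dropped = locked.assign_attributes(PARAMS) # all three keys rejected
  user = User.new
  user_dropped = user.assign_attributes(PARAMS)     # only "admin" rejected
  { locked_name: locked.first_name, locked_dropped: locked_dropped,
    user_name: user.first_name, user_admin: user.admin, user_dropped: user_dropped }
end
```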