Mass assignment is not restricted using attr_accessible
class Role < ActiveRecord::Base
Brakeman issues this warning when a model does not limit which attributes can be set through mass assignment (for example Role.new(params[:role]) or update_attributes(params[:role])). The check looks for an attr_accessible whitelist inside the model definition; if none is found, the warning is issued. Without a whitelist, any extra key a client includes in the request sets the matching column, including fields such as role flags or ownership ids that the application never intended a client to control.
Brakeman also warns on use of attr_protected, which is a blacklist, especially since it was found to be vulnerable to bypass. Warnings for mass assignment on models using attr_protected are still reported, but at a lower confidence level.
Note that disabling mass assignment globally (Rails' config.active_record.whitelist_attributes = true, which makes every model require an explicit whitelist) will suppress these warnings. On Rails 4 and later, where attr_accessible moved to the protected_attributes gem, the equivalent control is strong parameters in the controller.
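The following is an added example, not code from the page's project or from Rails. TinyModel is a stand-in for ActiveRecord mass assignment: assign_attributes copies every known column out of a params hash, and its attr_accessible and attr_protected reimplement the whitelist and blacklist semantics of the old protected_attributes behaviour with the :strict sanitizer (raise on a protected key). The column list, the three Role classes and the HOSTILE_PARAMS hash are all constructed for the demonstration; nothing here touches a database. It goes one step beyond the warning text by showing why a blacklist is the weaker control: a column added after the blacklist was written is mass-assignable by default.

```ruby
# Added example (not acl9's or Rails' code): a minimal stand-in for
# ActiveRecord mass assignment, to show what Brakeman's warning is about.
class TinyModel
  # Assumed schema; :superuser stands for a column added after the
  # blacklist on BlacklistedRole was written.
  COLUMNS = [:name, :authorizable_id, :admin, :superuser].freeze

  attr_reader :attributes

  def initialize
    @attributes = {}
  end

  class << self
    attr_reader :accessible_names, :protected_names

    # Whitelist: only these keys may be mass-assigned.
    def attr_accessible(*names)
      @accessible_names = names.map(&:to_sym)
    end

    # Blacklist: these keys may not be mass-assigned; everything else may.
    def attr_protected(*names)
      @protected_names = names.map(&:to_sym)
    end
  end

  # Mirrors Role.new(params[:role]) / update_attributes(params[:role]):
  # every known column present in the hash is written.
  def assign_attributes(params)
    params.each do |key, value|
      key = key.to_sym
      next unless COLUMNS.include?(key)
      raise ArgumentError, "#{key} is protected from mass assignment" unless mass_assignable?(key)
      @attributes[key] = value
    end
    self
  end

  private

  def mass_assignable?(key)
    allowed = self.class.accessible_names
    denied = self.class.protected_names
    return allowed.include?(key) if allowed   # whitelist present: fails closed
    return !denied.include?(key) if denied    # blacklist present: fails open for new columns
    true                                      # nothing declared: Brakeman's warning case
  end
end

# No restriction at all: what Brakeman is warning about.
class UnprotectedRole < TinyModel; end

# Whitelist: the fix Brakeman looks for.
class WhitelistedRole < TinyModel
  attr_accessible :name
end

# Blacklist: reported at lower confidence; it does not know about new columns.
class BlacklistedRole < TinyModel
  attr_protected :admin
end

# Constructed request parameters, as a client could submit them.
HOSTILE_PARAMS = { "name" => "viewer", "admin" => true, "superuser" => true }.freeze

def unprotected_result
  UnprotectedRole.new.assign_attributes(HOSTILE_PARAMS).attributes
end

def whitelisted_result
  WhitelistedRole.new.assign_attributes(HOSTILE_PARAMS).attributes
rescue ArgumentError => e
  e.message
end

def blacklisted_admin_result
  BlacklistedRole.new.assign_attributes("admin" => true).attributes
rescue ArgumentError => e
  e.message
end

def blacklisted_result
  # admin is blocked, but the newer superuser column is not in the blacklist.
  BlacklistedRole.new.assign_attributes("name" => "viewer", "superuser" => true).attributes
end
```

Running the four functions shows the three outcomes side by side: the unprotected model accepts admin and superuser, the whitelisted model rejects the request at the first protected key, and the blacklisted model blocks admin yet lets superuser through.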
Pass __FILE__ and __LINE__ to the eval method, as they are used by backtraces.
class_eval("@#{name}_role ||= self.find_by_name_and_authorizable_id(name, authorizable_id, :select => 'id')")
This cop (RuboCop's Style/EvalWithLocation) checks eval method usage. eval can receive source location metadata, namely a filename and a line number, which Ruby uses when building backtraces. The cop recommends passing that metadata to eval so that an error raised inside the evaluated string points at the real source line rather than at an anonymous eval frame. On the flagged line there is a more important point for review than the backtrace: name is interpolated into the string that class_eval executes, so that value must never be attacker-controlled, and the memoisation can be written with instance_variable_get and instance_variable_set instead of string eval.
Example:
# bad
eval <<-RUBY
def do_something
end
RUBY
# bad
C.class_eval <<-RUBY
def do_something
end
RUBY
# good
eval <<-RUBY, binding, __FILE__, __LINE__ + 1
def do_something
end
RUBY
# good
C.class_eval <<-RUBY, __FILE__, __LINE__ + 1
def do_something
end
RUBY
Pass __FILE__ and __LINE__ to the eval method, as they are used by backtraces.
class_eval("@role = @#{name}_role")
Same Style/EvalWithLocation warning as above, on the second string eval in the same helper; the description is the same.
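The following is an added example for the two Style/EvalWithLocation warnings above; it is not code from the page's project. Part (1) raises the same error from a string eval with and without source location and reports where each backtrace points. Part (2) rewrites the page's class_eval("@#{name}_role ||= ...") memoisation without string eval, so that name is treated as data rather than spliced into Ruby source; lookup is an assumed stand-in for the find_by_name_and_authorizable_id query and returns a string instead of a record. HOSTILE_NAME is a constructed input; whether name can reach this code from a client is not something the page shows.

```ruby
# Added example, not the project's code.
SOURCE_FILE = __FILE__

# (1a) No location passed: the frame is an anonymous eval, reported at line 1
# of the evaluated string, so the backtrace does not name this file.
def raise_from_eval_without_location
  eval(<<-RUBY)
    raise ArgumentError, "boom"
  RUBY
rescue ArgumentError => e
  loc = e.backtrace_locations.first
  [loc.path, loc.lineno]
end

# (1b) With __FILE__ and __LINE__ + 1: the frame is this file, at the raise.
EXPECTED_RAISE_LINE = __LINE__ + 3
def raise_from_eval_with_location
  eval(<<-RUBY, binding, __FILE__, __LINE__ + 1)
    raise ArgumentError, "boom"
  RUBY
rescue ArgumentError => e
  loc = e.backtrace_locations.first
  [loc.path, loc.lineno]
end

# (2) Memoised per-name lookup, done two ways.
class RoleCache
  attr_reader :lookups

  def initialize
    @lookups = 0
  end

  # Assumed stand-in for the database query on the page.
  def lookup(name)
    @lookups += 1
    "role:#{name}"
  end

  # As on the page: `name` is interpolated into Ruby source and evaluated,
  # so anything Ruby will parse inside `name` runs.
  def cached_role_via_eval(name)
    instance_eval("@#{name}_role ||= lookup(#{name.inspect})")
  end

  # Same behaviour with `name` treated as data: a name that does not form a
  # valid instance-variable name raises NameError instead of being executed.
  def cached_role_via_ivar(name)
    ivar = "@#{name}_role"
    instance_variable_get(ivar) || instance_variable_set(ivar, lookup(name))
  end
end

# Constructed hostile name: a statement followed by a second variable.
HOSTILE_NAME = "a = 42; @b".freeze

def injection_via_eval
  cache = RoleCache.new
  cache.cached_role_via_eval(HOSTILE_NAME)
  cache.instance_variable_get(:@a) # 42: the spliced `@a = 42` ran
end

def injection_via_ivar
  RoleCache.new.cached_role_via_ivar(HOSTILE_NAME)
  :assigned
rescue NameError
  :rejected
end

def memoised_lookup_count
  cache = RoleCache.new
  2.times { cache.cached_role_via_ivar("admin") }
  cache.lookups
end
```

The location-passing form is what the cop asks for and costs nothing; the instance_variable_get/set form is the one to prefer for this particular idiom, because it removes the string eval entirely and therefore both the backtrace problem and the interpolation problem.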
Unused method argument - authorizable_id. If it's necessary, use _ or _authorizable_id as an argument name to indicate that it won't be used.
def self.user_role_for(user, name, authorizable_id, options = {})
This cop (RuboCop's Lint/UnusedMethodArgument) checks for method arguments that are never referenced in the method body. Here the unused argument is authorizable_id in an authorization helper, which deserves a look before it is simply renamed: callers may assume the role lookup is scoped to that authorizable, and an argument that is accepted but ignored hides the fact that it is not.
Example:
# bad
def some_method(used, unused, _unused_but_allowed)
puts used
end
Example:
# good
def some_method(used, _unused, _unused_but_allowed)
puts used
end