Topic: scaffold_resource, respond_to and security

I don't feel good about the default RESTful controllers that are generated by scaffold_resource.

Each method contains the following block:

respond_to do |format|
  if @model.save
    flash[:notice] = 'Model was successfully created.'
    # HTML clients get a redirect to the new record's page
    format.html  { redirect_to model_url(@model) }
    format.xml   { head :created, :location => model_url(@model) }
  else
    format.html  { render :action => "new" }
    # XML clients get the validation errors serialised with to_xml
    format.xml   { render :xml => @model.errors.to_xml }
  end
end

I think that the xml-response raises a serious security issue as it exposes *all* of the model's attributes to the client. Most web applications only show those model properties to the user that he is granted to see.

Furthermore I don't get the point of this xml-request-thing. It's nice for about 5% of all applications to provide an xml-aware request mechanism, but I'm afraid that at least 80% absolutely don't want this for security reasons.
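As an added illustration of the exposure described above (example code, not from the thread or from the Rails scaffold), here is a minimal stand-in for an ActiveRecord model with a default to_xml-style serializer that dumps every attribute, beside the same serializer restricted to an allow-list of public fields. The `Contact` class, its attribute names and the sample values are constructed for the example; the `only:`/`except:` options mirror the `:only`/`:except` options that ActiveRecord's own `to_xml` accepts.

```ruby
# Added example, not code from the thread: a plain-Ruby stand-in for an
# ActiveRecord model, showing why a default "serialise everything" XML
# response is risky and how an attribute allow-list closes the hole.
require 'cgi'

class Contact
  attr_reader :attributes

  def initialize(attributes)
    @attributes = attributes
  end

  # Default behaviour: every attribute of the record becomes an element,
  # including columns no client should ever see.  `only` / `except`
  # restrict the output, in the spirit of ActiveRecord's to_xml options.
  def to_xml(only: nil, except: nil)
    keys = attributes.keys
    keys &= only if only
    keys -= except if except
    body = keys.map do |key|
      "  <#{key}>#{CGI.escapeHTML(attributes[key].to_s)}</#{key}>"
    end
    ["<contact>", *body, "</contact>"].join("\n")
  end
end

# Constructed sample record (hypothetical data); the password hash and the
# internal note are the kind of columns the thread is worried about.
SAMPLE = Contact.new(
  'id'            => 1,
  'name'          => 'Ada',
  'email'         => 'ada@example.invalid',
  'password_hash' => '$2a$10$constructed-hash-value',
  'internal_note' => 'VIP, do not expose'
)

# Explicit allow-list of what an API client is permitted to read.
PUBLIC_FIELDS = %w[id name email].freeze

# What the scaffolded `render :xml => @model.to_xml` style response leaks.
def unrestricted_xml(record)
  record.to_xml
end

# The hardened form: serialise only the allow-listed attributes.
def public_xml(record)
  record.to_xml(only: PUBLIC_FIELDS)
end

# Simple detector for the two sensitive columns, usable as a regression check.
def leaks_secret?(xml)
  xml.include?('password_hash') || xml.include?('internal_note')
end

if __FILE__ == $PROGRAM_NAME
  puts "-- default serialisation --"
  puts unrestricted_xml(SAMPLE)
  puts "-- allow-listed serialisation --"
  puts public_xml(SAMPLE)
end
```

The allow-list lives next to the model rather than in each controller action, so every `format.xml` branch that serialises the record gets the same restriction; an `except:` deny-list is shorter but silently exposes any column added later, which is exactly the failure the original post describes.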

Re: scaffold_resource, respond_to and security

I agree. It also complicates the code which is unnecessary if you don't need the feature. I think scaffold resource is more of a learning tool so you can see what is possible, it's not something you should use all the time.

Railscasts - Free Ruby on Rails Screencasts