<?xml version="1.0" encoding="UTF-8"?>
<commit>
  <added type="array"/>
  <modified type="array">
    <modified>
      <diff>@@ -37,6 +37,8 @@ end
 
 Now you can safely use &lt;code&gt; User.new(params[:user])&lt;/code&gt; in your controller to mass assign only the attributes you've said are safe.
 
+You should use allow_assignment in every controller within your application. By default bouncer will strip everything from the params hash that isn't required by rails to operate.
+
 Why Not Use attr_accessible?
 ==========================
 
@@ -74,3 +76,5 @@ end
 &lt;/pre&gt;
 
 Copyright (c) 2009 Gareth Townsend, released under the MIT license
+
+Thanks to Josh Bassett for helping nut out &lt;code&gt;self.request.env['rack.routing_args'].keys&lt;/code&gt; and other refactorings.</diff>
      <filename>README.textile</filename>
    </modified>
    <modified>
      <diff>@@ -1,7 +1,9 @@
 # Bouncer
 
 class ActionController::Base
-  def self.allow_assignment(*assignable_attributes_hash)
+  before_filter :cache_params_hash
+  
+  def self.allow_assignment(*assignable_attributes_hash)    
     assignable_attributes_hash.each do |attribute_hash|
       attribute_hash.keys.each do |key|
         before_filter { |controller| controller.send(:slice_attributes_for, key, attribute_hash[key]) }
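Review bot: The new `before_filter :cache_params_hash` on `ActionController::Base` carries no comment saying that every filter registered by `allow_assignment` depends on it having run first, since they read `@cached_params_hash`. I would add above it `# Must run before any allow_assignment filter: snapshots params, then strips everything except routing keys.` A filter that a subclass adds ahead of it (for example with `prepend_before_filter`) would presumably still see the unstripped params, which is worth stating in the same comment. The blank line after it and the rewritten `def self.allow_assignment(...)` line both end in trailing whitespace. The body of `allow_assignment` continues outside this hunk.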
@@ -10,8 +12,18 @@ class ActionController::Base
   end
   
   private
+  
+  def cache_params_hash
+    @cached_params_hash = params.dup
+    keys = [:authenticity_token, :_method]
+    keys += self.request.env['rack.routing_args'].keys
+    params.slice!(*keys)
+  end
 
   def slice_attributes_for(params_hash_symbol, assignable_attributes)
-    params[params_hash_symbol].slice!(*assignable_attributes) if params[params_hash_symbol]
+    if @cached_params_hash[params_hash_symbol]
+      allowed_attributes = @cached_params_hash[params_hash_symbol].slice(*assignable_attributes) 
+      params[params_hash_symbol] = allowed_attributes
+    end
   end
 end</diff>
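Review bot: In `slice_attributes_for`, the guard only checks that `@cached_params_hash[params_hash_symbol]` is truthy, so a request that sends a scalar for that key (e.g. `user=x` instead of `user[name]=x`) reaches `.slice(*assignable_attributes)` on a String and raises instead of being dropped. The guard would be safer as `if @cached_params_hash[params_hash_symbol].is_a?(Hash)`. In `cache_params_hash`, `self.request.env['rack.routing_args'].keys` raises on nil if that env key is ever absent (the hunk does not show where it is set), so `keys += (request.env['rack.routing_args'] || {}).keys` is a cheap guard. Note also that `@cached_params_hash` keeps the full unfiltered request params in an ordinary instance variable for the rest of the request. A comment marking it as untrusted input that must not be passed to models would help the next maintainer.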
      <filename>lib/bouncer.rb</filename>
    </modified>
  </modified>
  <removed type="array"/>
  <parents type="array">
    <parent>
      <id>dadd9842aba7e42cd991aacee2b155dda9247ac3</id>
    </parent>
  </parents>
  <author>
    <name>Gareth Townsend</name>
    <email>quamen@gmail.com</email>
  </author>
  <url>http://github.com/quamen/bouncer/commit/894af7b5ae6ab432ad5f791a19694aa3399085e4</url>
  <id>894af7b5ae6ab432ad5f791a19694aa3399085e4</id>
  <committed-date>2009-04-28T03:38:01-07:00</committed-date>
  <authored-date>2009-04-28T03:31:15-07:00</authored-date>
  <message>Automatically strip all params that are not required by rails routing to operate.

Re-insert params defined as allowable by allow_assignment method call in controller.</message>
  <tree>08ad896fc626e6389b70e87d594b4db116b18b17</tree>
  <committer>
    <name>Gareth Townsend</name>
    <email>quamen@gmail.com</email>
  </committer>
</commit>
