diff --git a/README.md b/README.md
index 0af8d29c..519b9b6d 100644
--- a/README.md
+++ b/README.md
@@ -174,14 +174,22 @@ company.associated_audits.last.auditable # => #
 ## Gotchas
-### ActiveRecord Accessible Attributes
+### Accessible Attributes
-If your model calls `attr_accessible` after `audited`, you'll need to set the `:protect => false` option. By default, Audited uses `attr_protected` to prevent malicious users from dissociating your audits, but Rails doesn't allow both `attr_protected` and `attr_accessible`.
+Audited assumes you are using `attr_accessible`, however, if you are using `attr_protected` or just going at it unprotected you will have to set the `:allow_mass_assignment => true` option.
+
+If using `attr_protected` be sure to add `audit_ids` to the list of protected attributes to prevent data loss.
+
+```ruby
+class User < ActiveRecord::Base
+ audited :allow_mass_assignment => true
+end
+```
 ```ruby
 class User < ActiveRecord::Base
- audited :protect => false
- attr_accessible :name
+ audited :allow_mass_assignment => true
+ attr_protected :logins, :audit_ids
 end
 ```
diff --git a/lib/audited/auditor.rb b/lib/audited/auditor.rb
index 1a90ca8a..44f39e8d 100644
--- a/lib/audited/auditor.rb
+++ b/lib/audited/auditor.rb
@@ -47,8 +47,6 @@ def audited(options = {})
 # don't allow multiple calls
 return if self.included_modules.include?(Audited::Auditor::AuditedInstanceMethods)
- options = { :protect => accessible_attributes.blank? }.merge(options)
 class_attribute :non_audited_columns, :instance_writer => false
 class_attribute :auditing_enabled, :instance_writer => false
 class_attribute :audit_associated_with, :instance_writer => false
@@ -68,12 +66,11 @@ def audited(options = {})
 end
 attr_accessor :audit_comment
- unless accessible_attributes.blank? || options[:protect]
+ unless options[:allow_mass_assignment]
 attr_accessible :audit_comment
 end
 has_many :audits, :as => :auditable, :class_name => Audited.audit_class.name
- attr_protected :audit_ids if options[:protect]
 Audited.audit_class.audited_class_names << self.to_s
 after_create :audit_create if !options[:on] || (options[:on] && options[:on].include?(:create))
diff --git a/spec/audited/adapters/active_record/auditor_spec.rb b/spec/audited/adapters/active_record/auditor_spec.rb
index dc7d8a26..804b9126 100644
--- a/spec/audited/adapters/active_record/auditor_spec.rb
+++ b/spec/audited/adapters/active_record/auditor_spec.rb
@@ -461,13 +461,13 @@ class Secret < ::ActiveRecord::Base
 it "should not raise error when attr_accessible is set and protected is false" do
 expect {
- Models::ActiveRecord::UnprotectedUser.new(:name => 'No fail!')
+ Models::ActiveRecord::AccessibleAfterDeclarationUser.new(:name => 'No fail!')
 }.to_not raise_error
 end
 it "should not rause an error when attr_accessible is declared before audited" do
 expect {
- Models::ActiveRecord::AccessibleUser.new(:name => 'No fail!')
+ Models::ActiveRecord::AccessibleAfterDeclarationUser.new(:name => 'No fail!')
 }.to_not raise_error
 end
 end
diff --git a/spec/audited/adapters/mongo_mapper/auditor_spec.rb b/spec/audited/adapters/mongo_mapper/auditor_spec.rb
index b10df298..a3877137 100644
--- a/spec/audited/adapters/mongo_mapper/auditor_spec.rb
+++ b/spec/audited/adapters/mongo_mapper/auditor_spec.rb
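Review bot: Dropping `attr_protected :audit_ids if options[:protect]` at the end of this hunk removes the gem's only guard against `audit_ids` being mass-assigned through the `has_many :audits` writer, and nothing takes its place when a model sets `:allow_mass_assignment` — the protection now exists only as a sentence in the README. Before this commit a model with no whitelist got `audit_ids` blacklisted automatically (the old default `:protect => accessible_attributes.blank?` removed in the previous hunk); after it, a model that opts in and relies on `attr_protected` (the spec `User` fixture does exactly this) can have its audit trail re-pointed or dissociated by a request parameter. Since the opt-in branch no longer calls `attr_accessible`, the blacklist can be kept there without the whitelist/blacklist conflict the old README mentioned: `attr_protected :audit_ids if options[:allow_mass_assignment]`. Failing that, the option should at least be documented inline, e.g. `# :allow_mass_assignment skips attr_accessible :audit_comment; the model must then protect audit_ids itself`. The body of `audited` continues outside the hunk.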
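Review bot: Both examples in this hunk now instantiate `AccessibleAfterDeclarationUser`, so the second one, titled "declared before audited", no longer exercises the case it names, and `AccessibleBeforeDeclarationUser` (renamed in this commit for precisely that case) is never constructed by the suite. The second replacement should be `Models::ActiveRecord::AccessibleBeforeDeclarationUser.new(:name => 'No fail!')`. That ordering matters more after this commit, because `audited` now calls `attr_accessible :audit_comment` by default and the before/after distinction is what the examples were written to cover.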
@@ -463,13 +463,13 @@ class Secret
 it "should not raise error when attr_accessible is set and protected is false" do
 expect {
- Models::MongoMapper::UnprotectedUser.new(:name => 'No fail!')
+ Models::MongoMapper::AccessibleAfterDeclarationUser.new(:name => 'No fail!')
 }.to_not raise_error
 end
 it "should not rause an error when attr_accessible is declared before audited" do
 expect {
- Models::MongoMapper::AccessibleUser.new(:name => 'No fail!')
+ Models::MongoMapper::AccessibleAfterDeclarationUser.new(:name => 'No fail!')
 }.to_not raise_error
 end
 end
diff --git a/spec/support/active_record/models.rb b/spec/support/active_record/models.rb
index 3e7ffc35..8ea5a54c 100644
--- a/spec/support/active_record/models.rb
+++ b/spec/support/active_record/models.rb
@@ -4,7 +4,7 @@ module Models
 module ActiveRecord
 class User < ::ActiveRecord::Base
- audited :except => :password
+ audited :allow_mass_assignment => true, :except => :password
 attr_protected :logins
@@ -18,13 +18,13 @@ class CommentRequiredUser < ::ActiveRecord::Base
 audited :comment_required => true
 end
- class UnprotectedUser < ::ActiveRecord::Base
+ class AccessibleAfterDeclarationUser < ::ActiveRecord::Base
 self.table_name = :users
- audited :protect => false
+ audited
 attr_accessible :name, :username, :password
 end
- class AccessibleUser < ::ActiveRecord::Base
+ class AccessibleBeforeDeclarationUser < ::ActiveRecord::Base
 self.table_name = :users
 attr_accessible :name, :username, :password # declare attr_accessible before calling aaa
 audited
@@ -32,7 +32,7 @@ class AccessibleUser < ::ActiveRecord::Base
 class NoAttributeProtectionUser < ::ActiveRecord::Base
 self.table_name = :users
- audited
+ audited :allow_mass_assignment => true
 end
 class UserWithAfterAudit < ::ActiveRecord::Base
diff --git a/spec/support/mongo_mapper/models.rb b/spec/support/mongo_mapper/models.rb
index 6a23ebc0..f1f6535b 100644
--- a/spec/support/mongo_mapper/models.rb
+++ b/spec/support/mongo_mapper/models.rb
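Review bot: Same slip as in the ActiveRecord spec: both examples in this hunk now build `Models::MongoMapper::AccessibleAfterDeclarationUser`, so the "declared before audited" example no longer tests the before-declaration model, and `AccessibleBeforeDeclarationUser` goes unused. The second replacement should be `Models::MongoMapper::AccessibleBeforeDeclarationUser.new(:name => 'No fail!')` so the two orderings of `attr_accessible` and `audited` are both covered.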
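Review bot: In the first `spec/support/active_record/models.rb` hunk the `User` fixture now pairs `audited :allow_mass_assignment => true` with `attr_protected :logins` but leaves `:audit_ids` out of the blacklist, which is exactly the configuration the README in this commit warns about ("be sure to add `audit_ids` ... to prevent data loss"). Either make the fixture follow that advice, `attr_protected :logins, :audit_ids`, or better, add an example asserting that `User.new(:audit_ids => [...])` leaves `audit_ids` unassigned; as written, the suite would not notice if the option exposed `audit_ids` to mass assignment. `module Models` and `class User` extend beyond the hunk.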
@@ -15,7 +15,7 @@ class User
 key :logins, Integer, :default => 0
 timestamps!
- audited :except => :password
+ audited :allow_mass_assignment => true, :except => :password
 attr_protected :logins
@@ -38,7 +38,7 @@ class CommentRequiredUser
 audited :comment_required => true
 end
- class UnprotectedUser
+ class AccessibleAfterDeclarationUser
 include ::MongoMapper::Document
 key :name, String
@@ -49,11 +49,11 @@ class UnprotectedUser
 key :logins, Integer, :default => 0
 timestamps!
- audited :protect => false
+ audited
 attr_accessible :name, :username, :password
 end
- class AccessibleUser
+ class AccessibleBeforeDeclarationUser
 include ::MongoMapper::Document
 key :name, String
@@ -79,7 +79,7 @@ class NoAttributeProtectionUser
 key :logins, Integer, :default => 0
 timestamps!
- audited
+ audited :allow_mass_assignment => true
 end
 class UserWithAfterAudit
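Review bot: As with the ActiveRecord fixture, the MongoMapper `User` in the first hunk opts into `:allow_mass_assignment => true` while its `attr_protected :logins` omits `:audit_ids`. Whether the MongoMapper adapter's audits association exposes an `audit_ids=` writer reachable by mass assignment is not visible in this diff; if it does, the fixture should mirror the README's own example, `attr_protected :logins, :audit_ids`, and a spec should pin that `audit_ids` is rejected. `class User` begins outside the hunk.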