Skip to content
Browse files

Add ForbiddenAttributesProtection.attributes_forbidden_by_default to …

…deal with attributes that should be cleaned always in mass assignment (ex. primary_key, inheritance_column)
  • Loading branch information...
1 parent 7b161fb commit 2a0e157d62dda35615129aaedf782a85e9f9fc62 @guilleiguaran guilleiguaran committed Sep 2, 2012
View
10 activemodel/lib/active_model/forbidden_attributes_protection.rb
@@ -3,7 +3,17 @@ class ForbiddenAttributesError < StandardError
end
module ForbiddenAttributesProtection
+ extend ActiveSupport::Concern
+
+ module ClassMethods
+ def attributes_forbidden_by_default
+ []
+ end
+ end
def sanitize_for_mass_assignment(attributes, options = {})
+ attributes.reject! do |key, value|
+ self.class.attributes_forbidden_by_default.include?(key)
+ end
if attributes.respond_to?(:permitted?) && !attributes.permitted?
raise ActiveModel::ForbiddenAttributesError
else
View
5 activemodel/test/cases/forbidden_attributes_protection_test.rb
@@ -36,6 +36,11 @@ class ActiveModelMassUpdateProtectionTest < ActiveSupport::TestCase
assert_equal({ "a" => "b" }, Account.new.sanitize_for_mass_assignment(params))
end
+ test "attributes forbidden by default are cleaned" do
+ params = ProtectedParams.new({ "a" => "b", "id" => 1 }).permit!
+ assert_equal({ "a" => "b" }, Account.new.sanitize_for_mass_assignment(params))
+ end
+
test "regular attributes should still be allowed" do
assert_equal({ a: "b" }, Account.new.sanitize_for_mass_assignment(a: "b"))
end
View
4 activemodel/test/models/account.rb
@@ -1,5 +1,9 @@
class Account
include ActiveModel::ForbiddenAttributesProtection
+ def self.attributes_forbidden_by_default
+ ['id']
+ end
+
public :sanitize_for_mass_assignment
end
View
14 activerecord/lib/active_record/attribute_assignment.rb
@@ -4,6 +4,14 @@ module AttributeAssignment
extend ActiveSupport::Concern
include ActiveModel::DeprecatedMassAssignmentSecurity
include ActiveModel::ForbiddenAttributesProtection
+
+ module ClassMethods
+ def attributes_forbidden_by_default
+ default = [ self.primary_key, self.inheritance_column ]
+ default << 'id' unless self.primary_key == 'id'
+ default
+ end
+ end
# Allows you to set all the attributes at once by passing in a hash with keys
# matching the attribute names (which again matches the column names).
#
@@ -24,12 +32,8 @@ def attributes=(new_attributes)
def assign_attributes(new_attributes, options = {})
return if new_attributes.blank?
- new_attributes.delete(self.class.primary_key)
- new_attributes.delete(self.class.inheritance_column)
- new_attributes.delete('id') unless self.class.primary_key == 'id'
-
attributes = new_attributes.stringify_keys
- multi_parameter_attributes = []
+ multi_parameter_attributes = []
nested_parameter_attributes = []
previous_options = @mass_assignment_options
@mass_assignment_options = options

0 comments on commit 2a0e157

Please sign in to comment.
Something went wrong with that request. Please try again.