assignment protection now extends to nested attributes via hash/array…

… nesting example: @user.assign(params[:user], [:name, :role_id, {:friend_attributes => [:id, :name, :_destroy]}])
cainlevy · Aug 26, 2010 · 181b724 · 181b724
1 parent 0ad1130
commit 181b724
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 1 deletion.
diff --git a/lib/mass_assignment.rb b/lib/mass_assignment.rb
@@ -31,7 +31,13 @@ def filter_attributes(attributes, options = {}) # could surely be refactored.
       elsif options[:only] == :all
         attributes
       else
-        whitelist = options[:only].map(&:to_s)
+        whitelist = options[:only].map{|i| i.is_a?(Hash) ? i.keys.first.to_s : i.to_s}
+        options[:only].each do |i|
+          next unless i.is_a? Hash
+          name = i.keys.first.to_s
+          next unless attributes[name].is_a? Hash
+          attributes[name] = filter_attributes(attributes[name], :only => i.values.first)
+        end
         attributes.reject { |k, v| !whitelist.include?(k.gsub(/\(.+/, "")) }
       end
     elsif options[:except]

diff --git a/test/mass_assignment_test.rb b/test/mass_assignment_test.rb
@@ -10,6 +10,14 @@ def columns
       ]
     end
   end
+
+  def friend
+    @friend ||= User.new
+  end
+
+  def friend_attributes=(attributes)
+    friend.attributes = attributes
+  end
 end
 
 class ProtectedUser < User
@@ -65,6 +73,12 @@ def setup
     assert_equal "Bob", @user.name
     assert_nil @user.role_id
   end
+
+  test "nested assignment" do
+    @user.assign(@attributes.merge(:friend_attributes => {:name => 'Joe', :role_id => 1}), [:name, :role_id, {:friend_attributes => [:name]}])
+    assert_equal "Joe", @user.friend.name
+    assert_nil @user.friend.role_id
+  end
 end
 
 class MassAssignmentPolicyTest < ActiveSupport::TestCase