
Default to using attr_accessible

Rails 3.2.3 makes using attr_accessible the default and makes using the
old syntax for audited cumbersome. This puts the onus of having to add additional
options on the users that are not using attr_accessible.
1 parent aca71ed commit ec4732fa214ad9e7c129c36acef1ca80779d079c @ersatzryan ersatzryan committed Jul 2, 2012
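--- a/README.md
+++ b/README.md
@@ -174,14 +174,22 @@ company.associated_audits.last.auditable # => #<User name: "Steve Richert">
 ## Gotchas
-### ActiveRecord Accessible Attributes
+### Accessible Attributes
-If your model calls `attr_accessible` after `audited`, you'll need to set the `:protect => false` option. By default, Audited uses `attr_protected` to prevent malicious users from dissociating your audits, but Rails doesn't allow both `attr_protected` and `attr_accessible`.
+Audited assumes you are using `attr_accessible`, however, if you are using `attr_protected` or just going at it unprotected you will have to set the `:allow_mass_assignment => true` option.
+
+If using `attr_protected` be sure to add `audit_ids` to the list of protected attributes to prevent data loss.
+
+```ruby
+class User < ActiveRecord::Base
+ audited :allow_mass_assignment => true
+end
+```
 ```ruby
 class User < ActiveRecord::Base
- audited :protect => false
- attr_accessible :name
+ audited :allow_mass_assignment => true
+ attr_protected :logins, :audit_ids
 end
 ```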
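--- a/lib/audited/auditor.rb
+++ b/lib/audited/auditor.rb
@@ -47,8 +47,6 @@ def audited(options = {})
 # don't allow multiple calls
 return if self.included_modules.include?(Audited::Auditor::AuditedInstanceMethods)
- options = { :protect => accessible_attributes.blank? }.merge(options)
-
 class_attribute :non_audited_columns, :instance_writer => false
 class_attribute :auditing_enabled, :instance_writer => false
 class_attribute :audit_associated_with, :instance_writer => false
@@ -68,12 +66,11 @@ def audited(options = {})
 end
 attr_accessor :audit_comment
- unless accessible_attributes.blank? || options[:protect]
+ unless options[:allow_mass_assignment]
 attr_accessible :audit_comment
 end
 has_many :audits, :as => :auditable, :class_name => Audited.audit_class.name
- attr_protected :audit_ids if options[:protect]
 Audited.audit_class.audited_class_names << self.to_s
 after_create :audit_create if !options[:on] || (options[:on] && options[:on].include?(:create))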
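Review bot: On the `:allow_mass_assignment => true` path nothing in `audited` protects `audit_ids` any longer: the second hunk drops `attr_protected :audit_ids if options[:protect]` and adds no replacement, so a model with no attribute protection of its own would accept `audit_ids` through mass assignment. The README text removed by this commit describes that protection as what prevents a malicious user from dissociating audits, so setting the option silently weakens it. One option, to be checked against both adapters, is to keep the guard on that path with `attr_protected :audit_ids if options[:allow_mass_assignment]`. A comment above the `unless` should also say that the default path calls `attr_accessible :audit_comment`, which presumably restricts mass assignment to listed attributes for models that declared none before. The body of `audited` starts and ends outside these hunks.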
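--- a/spec/audited/adapters/active_record/auditor_spec.rb
+++ b/spec/audited/adapters/active_record/auditor_spec.rb
@@ -461,13 +461,13 @@ class Secret < ::ActiveRecord::Base
 it "should not raise error when attr_accessible is set and protected is false" do
 expect {
- Models::ActiveRecord::UnprotectedUser.new(:name => 'No fail!')
+ Models::ActiveRecord::AccessibleAfterDeclarationUser.new(:name => 'No fail!')
 }.to_not raise_error
 end
 it "should not rause an error when attr_accessible is declared before audited" do
 expect {
- Models::ActiveRecord::AccessibleUser.new(:name => 'No fail!')
+ Models::ActiveRecord::AccessibleAfterDeclarationUser.new(:name => 'No fail!')
 }.to_not raise_error
 end
 end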
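Review bot: The second example, "attr_accessible is declared before audited", now builds `AccessibleAfterDeclarationUser` exactly like the first one, so the declared-before case is no longer exercised. The fixture for that case is renamed in spec/support/active_record/models.rb to `AccessibleBeforeDeclarationUser`, and the line should read `Models::ActiveRecord::AccessibleBeforeDeclarationUser.new(:name => 'No fail!')`. The same substitution is needed in spec/audited/adapters/mongo_mapper/auditor_spec.rb under the `Models::MongoMapper::` namespace. The first example's description still says "protected is false", which refers to the `:protect` option this commit removes. The enclosing describe block starts outside the hunk.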
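--- a/spec/audited/adapters/mongo_mapper/auditor_spec.rb
+++ b/spec/audited/adapters/mongo_mapper/auditor_spec.rb
@@ -463,13 +463,13 @@ class Secret
 it "should not raise error when attr_accessible is set and protected is false" do
 expect {
- Models::MongoMapper::UnprotectedUser.new(:name => 'No fail!')
+ Models::MongoMapper::AccessibleAfterDeclarationUser.new(:name => 'No fail!')
 }.to_not raise_error
 end
 it "should not rause an error when attr_accessible is declared before audited" do
 expect {
- Models::MongoMapper::AccessibleUser.new(:name => 'No fail!')
+ Models::MongoMapper::AccessibleAfterDeclarationUser.new(:name => 'No fail!')
 }.to_not raise_error
 end
 end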
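--- a/spec/support/active_record/models.rb
+++ b/spec/support/active_record/models.rb
@@ -4,7 +4,7 @@
 module Models
 module ActiveRecord
 class User < ::ActiveRecord::Base
- audited :except => :password
+ audited :allow_mass_assignment => true, :except => :password
 attr_protected :logins
@@ -18,21 +18,21 @@ class CommentRequiredUser < ::ActiveRecord::Base
 audited :comment_required => true
 end
- class UnprotectedUser < ::ActiveRecord::Base
+ class AccessibleAfterDeclarationUser < ::ActiveRecord::Base
 self.table_name = :users
- audited :protect => false
+ audited
 attr_accessible :name, :username, :password
 end
- class AccessibleUser < ::ActiveRecord::Base
+ class AccessibleBeforeDeclarationUser < ::ActiveRecord::Base
 self.table_name = :users
 attr_accessible :name, :username, :password # declare attr_accessible before calling aaa
 audited
 end
 class NoAttributeProtectionUser < ::ActiveRecord::Base
 self.table_name = :users
- audited
+ audited :allow_mass_assignment => true
 end
 class UserWithAfterAudit < ::ActiveRecord::Base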
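Review bot: The `User` fixture now passes `:allow_mass_assignment => true` but keeps `attr_protected :logins`, which omits the `audit_ids` entry that this commit's README change tells `attr_protected` users to add. No fixture therefore exercises the recommended configuration, and nothing in the visible specs asserts that `audit_ids` is rejected on mass assignment. Consider `attr_protected :logins, :audit_ids` here and in the `User` class of spec/support/mongo_mapper/models.rb, together with an example that checks a record's audits are unchanged after a mass assignment that includes `:audit_ids`. The `module Models` block continues outside these hunks.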
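--- a/spec/support/mongo_mapper/models.rb
+++ b/spec/support/mongo_mapper/models.rb
@@ -15,7 +15,7 @@ class User
 key :logins, Integer, :default => 0
 timestamps!
- audited :except => :password
+ audited :allow_mass_assignment => true, :except => :password
 attr_protected :logins
@@ -38,7 +38,7 @@ class CommentRequiredUser
 audited :comment_required => true
 end
- class UnprotectedUser
+ class AccessibleAfterDeclarationUser
 include ::MongoMapper::Document
 key :name, String
@@ -49,11 +49,11 @@ class UnprotectedUser
 key :logins, Integer, :default => 0
 timestamps!
- audited :protect => false
+ audited
 attr_accessible :name, :username, :password
 end
- class AccessibleUser
+ class AccessibleBeforeDeclarationUser
 include ::MongoMapper::Document
 key :name, String
@@ -79,7 +79,7 @@ class NoAttributeProtectionUser
 key :logins, Integer, :default => 0
 timestamps!
- audited
+ audited :allow_mass_assignment => true
 end
 class UserWithAfterAudit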

1 comment on commit ec4732f

@ziemekwolski

Hey,
The generators seem to be missing from the gem, but I see them in the master branch. Did you forget to include them?
