
Simply blacklist Devise attributes instead of trying to be smart.

1 parent 2e27d1f commit 456989ca8d4600f4328d3f4284786466064ddc6f @josevalim josevalim committed Feb 15, 2012
Showing with 29 additions and 50 deletions.
  1. +1 −1 Gemfile.lock
  2. +28 −3 lib/devise/models/authenticatable.rb
  3. +0 −46 lib/devise/models/serializable.rb
@@ -1,7 +1,7 @@
PATH
remote: .
specs:
- devise (2.0.1)
+ devise (2.0.2)
bcrypt-ruby (~> 3.0)
orm_adapter (~> 0.0.3)
railties (~> 3.1)
@@ -1,5 +1,4 @@
require 'devise/hooks/activatable'
-require 'devise/models/serializable'
module Devise
module Models
@@ -52,8 +51,6 @@ module Models
module Authenticatable
extend ActiveSupport::Concern
- include Devise::Models::Serializable
-
included do
class_attribute :devise_modules, :instance_writer => false
self.devise_modules ||= []
@@ -99,6 +96,34 @@ def strip_whitespace
(self.class.strip_whitespace_keys || []).each { |k| self[k].try(:strip!) }
end
+ array = %w(serializable_hash)
+ # to_xml does not call serializable_hash on 3.1
+ array << "to_xml" if Rails::VERSION::STRING[0,3] == "3.1"
+
+ array.each do |method|
+ class_eval <<-RUBY, __FILE__, __LINE__
+ # Redefine to_xml and serializable_hash in models for more ecure defaults.
@nbibler

nbibler Feb 15, 2012

Redefine to_xml and serializable_hash in models for more secure defaults.

+ # By default, it removes from the serializable model all attributes that
+ # are *not* accessible. You can remove this default by using :force_except
+ # and passing a new list of attributes you want to exempt. All attributes
+ # given to :except will simply add names to exempt to Devise internal list.
+ def #{method}(options=nil)
+ options ||= {}
+ options[:except] = Array(options[:except])
+
+ if options[:force_except]
+ options[:except].concat Array(options[:force_except])
+ else
+ options[:except].concat [:encrypted_password, :reset_password_token, :reset_password_send_at,
@nbibler

nbibler Feb 15, 2012

reset_password_sent_at

@josevalim

josevalim via email Feb 15, 2012

Owner
+ :remember_created_at, :sign_in_count, :current_sign_in_at, :last_sign_in_at, :current_sign_in_ip,
+ :last_sign_in_ip, :password_salt, :confirmation_token, :confirmed_at, :confirmation_sent_at,
+ :unconfirmed_email, :failed_attempts, :unlock_token, :locked_at, :authentication_token]
+ end
+ super(options)
+ end
+ RUBY
+ end
+
module ClassMethods
Devise::Models.config(self, :authentication_keys, :request_keys, :strip_whitespace_keys,
:case_insensitive_keys, :http_authenticatable, :params_authenticatable, :skip_session_storage)
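Review bot: The literal deny list inside the generated `#{method}` body is the only thing keeping credential columns (`encrypted_password`, `password_salt`, `authentication_token`, the `*_token` columns) out of serialized output, and `:force_except` replaces that list rather than extending it, so a caller passing `:force_except => []` would serialize all of them; the comment above the def should state this, e.g. `# :force_except REPLACES the default list below; credential columns are no longer hidden unless you name them yourself.`. A few lines down, `options[:except] = Array(options[:except])` writes into the caller's hash after `options ||= {}`, so the caller's own `:except` value is overwritten and `:force_except` stays in the hash handed to `super` (whether super ignores the stray key is not visible here); `options = (options || {}).dup` as the first line avoids the mutation. Every future Devise module that adds a sensitive column has to be added to this literal as well, which a named frozen constant (e.g. `DEFAULT_SERIALIZATION_EXCEPT` as a placeholder name) would make far easier to find than a list embedded in a heredoc. The enclosing `module Authenticatable` begins and ends outside this hunk.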
@@ -1,46 +0,0 @@
-module Devise
- module Models
- # This module redefine to_xml and serializable_hash in models for more
- # secure defaults. By default, it removes from the serializable model
- # all attributes that are *not* accessible. You can remove this default
- # by using :force_except and passing a new list of attributes you want
- # to exempt. All attributes given to :except will simply add names to
- # exempt to Devise internal list.
- module Serializable
- extend ActiveSupport::Concern
-
- array = %w(serializable_hash)
- # to_xml does not call serializable_hash on 3.1
- array << "to_xml" if Rails::VERSION::STRING[0,3] == "3.1"
-
- array.each do |method|
- class_eval <<-RUBY, __FILE__, __LINE__
- def #{method}(options=nil)
- options ||= {}
- if options.key?(:force_except)
- options[:except] = options.delete(:force_except)
- super(options)
- elsif self.class.blacklist_keys?
- except = Array(options[:except])
- super(options.merge(:except => except + self.class.blacklist_keys))
- else
- super
- end
- end
- RUBY
- end
-
- module ClassMethods
- # Return true if we can retrieve blacklist keys from the record.
- def blacklist_keys?
- @has_except_keys ||= respond_to?(:accessible_attributes) && !accessible_attributes.to_a.empty?
- end
-
- # Returns keys that should be removed when serializing the record.
- def blacklist_keys
- @blacklist_keys ||= to_adapter.column_names.map(&:to_s) - accessible_attributes.to_a.map(&:to_s)
- end
- end
- end
- end
-end
