Merge pull request #73 from rails/better-strong-parameters-integration

Better strong parameters integration
rails · Jul 13, 2015 · 9382176 · 9382176
2 parents a276377 + cc9f7f2
commit 9382176
Show file tree

Hide file tree

Showing 8 changed files with 24 additions and 31 deletions.
diff --git a/lib/active_model/mass_assignment_security.rb b/lib/active_model/mass_assignment_security.rb
@@ -348,11 +348,11 @@ def accessible_attributes_configs
   protected
 
     def sanitize_for_mass_assignment(attributes, role = nil) #:nodoc:
-      unless _uses_mass_assignment_security
+      if _uses_mass_assignment_security
+        _mass_assignment_sanitizer.sanitize(self.class, attributes, mass_assignment_authorizer(role))
+      else
         sanitize_forbidden_attributes(attributes)
       end
-
-      _mass_assignment_sanitizer.sanitize(self.class, attributes, mass_assignment_authorizer(role))
     end
 
     def mass_assignment_authorizer(role) #:nodoc:

diff --git a/lib/protected_attributes.rb b/lib/protected_attributes.rb
@@ -1,5 +1,4 @@
 require "active_model/mass_assignment_security"
-require "protected_attributes/railtie" if defined? Rails::Railtie
 require "protected_attributes/version"
 
 ActiveSupport.on_load :active_record do

diff --git a/lib/protected_attributes/railtie.rb b/lib/protected_attributes/railtie.rb
diff --git a/test/ar_helper.rb b/test/ar_helper.rb
@@ -44,6 +44,10 @@
   end
   add_index :subscribers, :nick, :unique => true
 
+  create_table :books, :force => true do |t|
+    t.string :title
+  end
+
   create_table :tasks, :force => true do |t|
     t.datetime :starting
     t.datetime :ending

diff --git a/test/mass_assignment_security/strong_parameters_fallback_test.rb b/test/mass_assignment_security/strong_parameters_fallback_test.rb
@@ -4,22 +4,22 @@
 require 'action_controller/metal/strong_parameters'
 require 'active_record/mass_assignment_security'
 require 'active_model/mass_assignment_security'
-require 'models/keyboard'
+require 'models/book'
 require 'models/person'
 
 
 class StrongParametersFallbackTest < ActiveModel::TestCase
   test "AR, use strong parameters when no protection macro (attr_accessible, attr_protected) was used." do
-    untrusted_params = ActionController::Parameters.new(key_number: 6)
-
-    assert_raises(ActiveModel::ForbiddenAttributesError) { Keyboard.new untrusted_params }
-    assert_raises(ActiveModel::ForbiddenAttributesError) { Keyboard.new.attributes = untrusted_params }
-    assert_raises(ActiveModel::ForbiddenAttributesError) { Keyboard.where(key_number: 6).first_or_initialize(untrusted_params) }
-    assert_raises(ActiveModel::ForbiddenAttributesError) { Keyboard.where(key_number: 6).first_or_create(untrusted_params) }
-    assert_raises(ActiveModel::ForbiddenAttributesError) { Keyboard.where(key_number: 6).first_or_create!(untrusted_params) }
-    assert_raises(ActiveModel::ForbiddenAttributesError) { Keyboard.find_or_initialize_by(untrusted_params) }
-    assert_raises(ActiveModel::ForbiddenAttributesError) { Keyboard.find_or_create_by(untrusted_params) }
-    assert_raises(ActiveModel::ForbiddenAttributesError) { Keyboard.find_or_create_by!(untrusted_params) }
+    untrusted_params = ActionController::Parameters.new(title: 'Agile Development with Ruby on Rails')
+
+    assert_raises(ActiveModel::ForbiddenAttributesError) { Book.new untrusted_params }
+    assert_raises(ActiveModel::ForbiddenAttributesError) { Book.new.attributes = untrusted_params }
+    assert_raises(ActiveModel::ForbiddenAttributesError) { Book.where(title: 'Agile Development with Ruby on Rails').first_or_initialize(untrusted_params) }
+    assert_raises(ActiveModel::ForbiddenAttributesError) { Book.where(title: 'Agile Development with Ruby on Rails').first_or_create(untrusted_params) }
+    assert_raises(ActiveModel::ForbiddenAttributesError) { Book.where(title: 'Agile Development with Ruby on Rails').first_or_create!(untrusted_params) }
+    assert_raises(ActiveModel::ForbiddenAttributesError) { Book.find_or_initialize_by(untrusted_params) }
+    assert_raises(ActiveModel::ForbiddenAttributesError) { Book.find_or_create_by(untrusted_params) }
+    assert_raises(ActiveModel::ForbiddenAttributesError) { Book.find_or_create_by!(untrusted_params) }
   end
 
   test "AR, ignore strong parameters when protection macro was used" do

diff --git a/test/models/book.rb b/test/models/book.rb
@@ -0,0 +1,2 @@
+class Book < ActiveRecord::Base
+end
diff --git a/test/models/keyboard.rb b/test/models/keyboard.rb
@@ -1,3 +1,5 @@
 class Keyboard < ActiveRecord::Base
+  attr_accessible(nil)
+
   self.primary_key = 'key_number'
 end
diff --git a/test/models/subscriber.rb b/test/models/subscriber.rb
@@ -1,4 +1,6 @@
 class Subscriber < ActiveRecord::Base
+  attr_accessible(nil)
+
   self.primary_key = 'nick'
   has_many :subscriptions
   has_many :books, :through => :subscriptions