
Merge pull request #2385 from bogdan/test_default_sanitizer2

MassAssignmentProtection: consider 'id' insensitive in StrictSanitizer
josevalim committed Aug 1, 2011
2 parents 860202e + b93a918 commit 6b3af028acdd8c97b7b6088117a042ddfd7f3038
@@ -44,8 +44,13 @@ def process_removed_attributes(attrs)
class StrictSanitizer < Sanitizer
def process_removed_attributes(attrs)
+ return if (attrs - insensitive_attributes).empty?
raise ActiveModel::MassAssignmentSecurity::Error, "Can't mass-assign protected attributes: #{attrs.join(', ')}"
end
+
+ def insensitive_attributes
+ ['id']
+ end
end
class Error < StandardError
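Review bot: The early return added at the top of `process_removed_attributes` compares the removed keys against the string `'id'` only, so if keys ever reach this hook as symbols (`:id`) the strict sanitizer still raises for the very attribute this commit means to tolerate; unless every caller is guaranteed to stringify keys before `sanitize`, `return if (attrs.map(&:to_s) - insensitive_attributes).empty?` is the safer form. The `raise` that follows still lists `id` in its message when it appears alongside a genuinely protected key, which is misleading now that `id` is exempt; reporting `attrs - insensitive_attributes` instead keeps the message accurate. `insensitive_attributes` also deserves a comment saying why `id` is special, e.g. `# Keys that never raise in strict mode (presumably still stripped by Sanitizer#sanitize before this hook runs — confirm); 'id' routinely arrives in params hashes, so raising on it would make :strict unusable.` The enclosing `Sanitizer` base class and the `Error` class body lie outside this hunk.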
@@ -7,7 +7,7 @@ class SanitizerTest < ActiveModel::TestCase
class Authorizer < ActiveModel::MassAssignmentSecurity::PermissionSet
def deny?(key)
- key.in?(['admin'])
+ ['admin', 'id'].include?(key)
end
end
@@ -40,4 +40,12 @@ def setup
end
end
+ test "mass assignment insensitive attributes" do
+ original_attributes = {'id' => 1, 'first_name' => 'allowed'}
+
+ assert_nothing_raised do
+ @strict_sanitizer.sanitize(original_attributes, @authorizer)
+ end
+ end
+
end
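Review bot: The new test only asserts that nothing is raised, so it would also pass if `id` leaked through into the sanitized result unfiltered; it should pin the output, e.g. `assert_equal({'first_name' => 'allowed'}, @strict_sanitizer.sanitize(original_attributes, @authorizer))` (assuming `sanitize` returns the filtered hash, which this hunk does not show). A second case passing `{'id' => 1, 'admin' => true}` and asserting `ActiveModel::MassAssignmentSecurity::Error` is still raised would confirm that exempting `id` does not suppress the error for other protected keys. The `SanitizerTest` class and its `setup` open before this hunk.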
@@ -34,6 +34,11 @@
# like if you have constraints or database-specific column types
# config.active_record.schema_format = :sql
+ <%- unless options.skip_active_record? -%>
+ # Raise exception on mass assignment protection for ActiveRecord models
+ config.active_record.mass_assignment_sanitizer = :strict
+ <%- end -%>
+
# Print deprecation notices to the stderr
config.active_support.deprecation = :stderr
end
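Review bot: The added comment says the sanitizer raises but not what it replaces or where it applies, which matters because this is an environment-specific template (the nearby `config.active_support.deprecation = :stderr` suggests development or test): apps generated from it will raise on a protected-attribute assignment here while other environments keep whatever default sanitizer they have, so the same request can silently succeed in production and fail in development. Suggest expanding it to `# Raise an exception (instead of only logging) when mass assignment attempts to set a protected attribute. This applies to this environment only; check the other environment templates for production behaviour.` Since this is a generator template, existing applications are unaffected and will need to opt in by hand, which is also worth a sentence in the commit description.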
