add allow_active_record_expects option to ActionWebService::API::Base,

but set the default to false so people don't use it without thinking about
the consequences.


git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@815 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

actionwebservice/lib/action_web_service/api/base.rb

@@ -13,6 +13,12 @@ class Base
       # Whether to transform the public API method names into camel-cased names 
       class_inheritable_option :inflect_names, true
 
+      # Whether to allow ActiveRecord::Base models in <tt>:expects</tt>.
+      # The default is +false+, you should be aware of the security implications
+      # of allowing this, and ensure that you don't allow remote callers to
+      # easily overwrite data they should not have access to.
+      class_inheritable_option :allow_active_record_expects, false
+
       # If present, the name of a method to call when the remote caller
       # tried to call a nonexistent method. Semantically equivalent to
       # +method_missing+.
@@ -64,7 +70,7 @@ def api_method(name, options={})
             expects.each do |param|
               klass = WS::BaseTypes.canonical_param_type_class(param)
               klass = klass[0] if klass.is_a?(Array)
-              if klass.ancestors.include?(ActiveRecord::Base)
+              if klass.ancestors.include?(ActiveRecord::Base) && !allow_active_record_expects
                 raise(ActionWebServiceError, "ActiveRecord model classes not allowed in :expects")
               end
             end

actionwebservice/test/api_test.rb

@@ -56,6 +56,10 @@ def test_api_errors
         api_method :test, :expects => [ActiveRecord::Base]
       end
     end
+    klass = Class.new(ActionWebService::API::Base) do
+      allow_active_record_expects true
+      api_method :test2, :expects => [ActiveRecord::Base]
+    end
     assert_raises(ActionWebService::ActionWebServiceError) do
       klass = Class.new(ActionWebService::API::Base) do
         api_method :test, :invalid => [:int]