Commit
Integrate ActiveModel::ForbiddenAttributesProtection from StrongParameters gem
guilleiguaran committed Sep 17, 2012
1 parent 8850054 commit a8f6d5c
Showing 4 changed files with 54 additions and 0 deletions.
1 change: 1 addition & 0 deletions activemodel/lib/active_model.rb
@@ -34,6 +34,7 @@ module ActiveModel
autoload :Conversion
autoload :Dirty
autoload :EachValidator, 'active_model/validator'
autoload :ForbiddenAttributesProtection
autoload :Lint
autoload :MassAssignmentSecurity
autoload :Model
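Review bot: the autoload registers only the module, but the error class `ActiveModel::ForbiddenAttributes` defined in the same file is what callers will rescue, and a `rescue ActiveModel::ForbiddenAttributes` reached before the module has ever been loaded raises NameError instead of matching. Add a second entry that points the constant at the file, following the `autoload :EachValidator, 'active_model/validator'` pattern on the line above: `autoload :ForbiddenAttributes, 'active_model/forbidden_attributes_protection'`.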
14 changes: 14 additions & 0 deletions activemodel/lib/active_model/forbidden_attributes_protection.rb
@@ -0,0 +1,14 @@
module ActiveModel
class ForbiddenAttributes < StandardError
end

module ForbiddenAttributesProtection
def sanitize_for_mass_assignment(new_attributes, options = {})

tenderlove (Member), Nov 9, 2012:
why do we have an unused options hash? I hate options hashes, especially unused ones. :-P

carlosantoniodasilva (Member), Nov 9, 2012:
I think that was supposed to be the role argument that exists in protected_attributes (which is also why the method got protected I think, since it's protected there?).

if !new_attributes.respond_to?(:permitted?) || (new_attributes.respond_to?(:permitted?) && new_attributes.permitted?)
super
else
raise ActiveModel::ForbiddenAttributes
end
end
end
end
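Review bot: the `if` condition is redundant: once the first disjunct `!new_attributes.respond_to?(:permitted?)` is false, the `new_attributes.respond_to?(:permitted?) &&` inside the second disjunct is necessarily true, so the whole test reduces to `!new_attributes.respond_to?(:permitted?) || new_attributes.permitted?`. It reads more clearly inverted as a guard, `raise ActiveModel::ForbiddenAttributes if new_attributes.respond_to?(:permitted?) && !new_attributes.permitted?`, followed by a bare `super`. The fall-through for objects that do not respond to `permitted?` (plain hashes) is deliberate and is exactly what the "regular attributes" test depends on, so a one-line comment saying that only objects which carry a `permitted?` flag are checked here would save the next reader a trip through the tests. On the inline question about `options = {}`: the bare `super` forwards it, but nothing in this method reads it; if it is meant to be the `role` argument from protected_attributes, name it that, otherwise drop it. Finally, `ForbiddenAttributes` is raised with no message; passing a short message describing that unpermitted parameters were mass-assigned would make the failure self-explanatory in logs.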
32 changes: 32 additions & 0 deletions activemodel/test/cases/forbidden_attributes_protection_test.rb
@@ -0,0 +1,32 @@
require 'cases/helper'
require 'models/mass_assignment_specific'

class ActiveModelMassUpdateProtectionTest < ActiveSupport::TestCase
test "forbidden attributes cannot be used for mass updating" do
params = { "a" => "b" }
class << params
define_method(:permitted?) { false }
end
assert_raises(ActiveModel::ForbiddenAttributes) do
SpecialPerson.new.sanitize_for_mass_assignment(params)
end
end

test "permitted attributes can be used for mass updating" do
params = { "a" => "b" }
class << params
define_method(:permitted?) { true }
end
assert_nothing_raised do
assert_equal({ "a" => "b" },
SpecialPerson.new.sanitize_for_mass_assignment(params))
end
end

test "regular attributes should still be allowed" do
assert_nothing_raised do
assert_equal({ a: "b" },
SpecialPerson.new.sanitize_for_mass_assignment(a: "b"))
end
end
end
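Review bot: the `assert_nothing_raised` wrappers around `assert_equal` in the second and third tests add nothing, since an exception already fails the assertion, and they push the reported failure line up to the wrapper; drop them. More importantly, no test shows the two layers composing: SpecialPerson declares no `attr_accessible` or `attr_protected`, so asserting that `{ "a" => "b" }` comes back unchanged does not demonstrate that a permitted params object is still passed through `super`'s MassAssignmentSecurity sanitizer rather than returned verbatim. A case with a protected attribute in a permitted hash, expecting it to be stripped, would pin that down. Minor: the class is named `ActiveModelMassUpdateProtectionTest` while the file is `forbidden_attributes_protection_test.rb`; aligning the two helps grepping.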
7 changes: 7 additions & 0 deletions activemodel/test/models/mass_assignment_specific.rb
@@ -20,6 +20,13 @@ class Person
public :sanitize_for_mass_assignment
end

class SpecialPerson
include ActiveModel::MassAssignmentSecurity
include ActiveModel::ForbiddenAttributesProtection

public :sanitize_for_mass_assignment
end

class Account
include ActiveModel::MassAssignmentSecurity
attr_accessible :name, :email, :as => [:default, :admin]
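Review bot: the include order in SpecialPerson is load-bearing and deserves a comment in the fixture. `ForbiddenAttributesProtection` is included after `MassAssignmentSecurity`, so its `sanitize_for_mass_assignment` sits first in the ancestor chain and its `super` reaches the MassAssignmentSecurity sanitizer; swapping the two lines would make the MassAssignmentSecurity version run first and, unless that one calls `super` itself, skip the `permitted?` check entirely. The `public :sanitize_for_mass_assignment` line mirrors the Person fixture above and is fine for a test model.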
0 comments on commit a8f6d5c