Permalink
Browse files

Override attributes_protected_by_default when has_secure_password is …

…called.

attr_protected should not be called, because it nullifies the
mass assignment protection that has been set by attr_accessible.

Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
  • Loading branch information...
kuroda authored and spastorino committed Jan 26, 2011
1 parent 9d8fdfe commit ad31549ab3044afc336c05243481c0f663689584
@@ -33,12 +33,16 @@ def has_secure_password
attr_reader :password
attr_accessor :password_confirmation
- attr_protected(:password_digest) if respond_to?(:attr_protected)
-
validates_confirmation_of :password
validates_presence_of :password_digest
include InstanceMethodsOnActivation
+
+ if respond_to?(:attributes_protected_by_default)
+ def self.attributes_protected_by_default
+ super + ['password_digest']
+ end
+ end
end
end
@@ -1,5 +1,7 @@
require 'cases/helper'
require 'models/user'
+require 'models/visitor'
+require 'models/administrator'
class SecurePasswordTest < ActiveModel::TestCase
@@ -29,4 +31,15 @@ class SecurePasswordTest < ActiveModel::TestCase
assert !@user.authenticate("wrong")
assert @user.authenticate("secret")
end
+
+ test "visitor#password_digest should be protected against mass assignment" do
+ assert Visitor.active_authorizer.kind_of?(ActiveModel::MassAssignmentSecurity::BlackList)
+ assert Visitor.active_authorizer.include?(:password_digest)
+ end
+
+ test "Administrator's mass_assignment_authorizer should be WhiteList" do
+ assert Administrator.active_authorizer.kind_of?(ActiveModel::MassAssignmentSecurity::WhiteList)
+ assert !Administrator.active_authorizer.include?(:password_digest)
+ assert Administrator.active_authorizer.include?(:name)
+ end
end
@@ -0,0 +1,10 @@
+class Administrator
+ include ActiveModel::Validations
+ include ActiveModel::SecurePassword
+ include ActiveModel::MassAssignmentSecurity
+
+ attr_accessor :name, :password_digest
+ attr_accessible :name
+
+ has_secure_password
+end
@@ -0,0 +1,9 @@
+class Visitor
+ include ActiveModel::Validations
+ include ActiveModel::SecurePassword
+ include ActiveModel::MassAssignmentSecurity
+
+ has_secure_password
+
+ attr_accessor :password_digest
+end

0 comments on commit ad31549

Please sign in to comment.