Fix sanitize_for_mass_assignment when role is nil

There is an example in Rails documentation that suggests implementing
assign_attributes method for ActiveModel interface, that by default
sends option role with nil. Since mass_assignment_authorizer never
is called without args, we can move the default value internally.
commit d204918f9190afcf5f3f53adb957ca15aa644704 1 parent 2f9e477
@fabioyamate fabioyamate authored
6 activemodel/lib/active_model/mass_assignment_security.rb
@@ -226,12 +226,12 @@ def accessible_attributes_configs
protected
- def sanitize_for_mass_assignment(attributes, role = :default)
+ def sanitize_for_mass_assignment(attributes, role = nil)
_mass_assignment_sanitizer.sanitize(attributes, mass_assignment_authorizer(role))
end
- def mass_assignment_authorizer(role = :default)
- self.class.active_authorizer[role]
+ def mass_assignment_authorizer(role)
+ self.class.active_authorizer[role || :default]
end
end
end
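Review bot: Dropping the default from `def mass_assignment_authorizer(role)` changes the arity of a protected method, so any subclass or including class that calls it with no argument will now raise ArgumentError instead of getting the :default authorizer. The commit message says it is never called without args, but that only holds for callers inside this file. Keeping `role = nil` on `mass_assignment_authorizer` as well would preserve the old call shape while still routing nil to `:default` through `role || :default`. Note also that `role || :default` maps an explicit `false` to the default authorizer too; if that is intended, a short comment on the fallback would help, since this lookup decides which attribute list is enforced during mass assignment.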
7 activemodel/test/cases/mass_assignment_security_test.rb
@@ -19,6 +19,13 @@ def test_attribute_protection
assert_equal expected, sanitized
end
+ def test_attribute_protection_when_role_is_nil
+ user = User.new
+ expected = { "name" => "John Smith", "email" => "john@smith.com" }
+ sanitized = user.sanitize_for_mass_assignment(expected.merge("admin" => true), nil)
+ assert_equal expected, sanitized
+ end
+
def test_only_moderator_role_attribute_accessible
user = SpecialUser.new
expected = { "name" => "John Smith", "email" => "john@smith.com" }
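Review bot: The new `test_attribute_protection_when_role_is_nil` only exercises an explicit `nil` on `User`, so it does not cover the other path this change introduces, where the role is omitted and the new `role = nil` default is used. Adding an assertion for `user.sanitize_for_mass_assignment(expected.merge("admin" => true))` with no role argument would pin that down. It would also be worth a case on `SpecialUser`, which the next test uses for role-specific configuration, asserting that a nil role yields the same result as `:default` and does not pick up attributes that are accessible only to another role.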