
added config.active_record.whitelist_attributes which creates an empty whitelist of attributes available for mass assignment for all models in your app
commit f3b9d3aba8cc0ffaca2da1c73c4ba96de2066760 1 parent b3ba368
Josh Kalderimis authored April 24, 2011
3  activerecord/lib/active_record/railtie.rb
@@ -50,6 +50,9 @@ class Railtie < Rails::Railtie
50 50
 
51 51
     initializer "active_record.set_configs" do |app|
52 52
       ActiveSupport.on_load(:active_record) do
  53
+        if app.config.active_record.delete(:whitelist_attributes)
  54
+          attr_accessible(nil)
  55
+        end
53 56
         app.config.active_record.each do |k,v|
54 57
           send "#{k}=", v
55 58
         end
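Review bot: `attr_accessible(nil)` on lines 53-55 does not produce an empty whitelist; the `nil` is stringified into the permission set, so the resulting WhiteList holds a single "" entry (the accompanying configuration_test.rb asserts exactly `[""]`). No column is named "", so nothing is exposed, but a bare `attr_accessible` with no arguments adds nothing to the list and expresses the intent directly. The `delete(:whitelist_attributes)` on line 53 also deserves a one-line comment: it is there so the `each` loop below does not go on to call `ActiveRecord::Base.whitelist_attributes=`, which does not exist, and without the comment the next reader is likely to "fix" it back to a plain `[]` lookup.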
2  railties/guides/source/configuring.textile
@@ -229,6 +229,8 @@ h4. Configuring Active Record
229 229
 
230 230
 * +config.active_record.lock_optimistically+ controls whether ActiveRecord will use optimistic locking. By default this is +true+.
231 231
 
  232
+* +config.active_record.whitelist_attributes+ will create an empty whitelist of attributes available for mass-assignment security for all models in your app.
  233
+
232 234
 The MySQL adapter adds one additional configuration option:
233 235
 
234 236
 * +ActiveRecord::ConnectionAdapters::MysqlAdapter.emulate_booleans+ controls whether ActiveRecord will consider all +tinyint(1)+ columns in a MySQL database to be booleans. By default this is +true+.
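Review bot: the new entry on line 232 should state the default (the option is off unless set to +true+) and what the setting demands of each model: with an empty whitelist every model must declare its own +attr_accessible+ list, otherwise no attribute of that model can be mass-assigned at all. One sentence pointing at the mass-assignment part of the security guide would cover it. Minor: "mass-assignment security" here versus "mass assignment" in the commit message; the guides should settle on one spelling.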
6  railties/guides/source/security.textile
@@ -459,13 +459,13 @@ When assigning attributes in Active Record using +new+, +attributes=+, or +updat
459 459
 @user.is_admin # => true
460 460
 </ruby>
461 461
 
462  
-A more paranoid technique to protect your whole project would be to enforce that all models whitelist their accessible attributes.  This can be easily achieved with a very simple initializer:
  462
+A more paranoid technique to protect your whole project would be to enforce that all models define their accessible attributes.  This can be easily achieved with a very simple application config option of:
463 463
 
464 464
 <ruby>
465  
-ActiveRecord::Base.send(:attr_accessible, nil)
  465
+config.active_record.whitelist_attributes = true
466 466
 </ruby>
467 467
 
468  
-This will create an empty whitelist of attributes available for mass assignment for all models in your app. As such, your models will need to explicitly whitelist accessible parameters by using an +attr_accessible+ declaration. This technique is best applied at the start of a new project. However, for an existing project with a thorough set of functional tests, it should be straightforward and relatively quick to insert this initializer, run your tests, and expose each attribute (via +attr_accessible+) as dictated by your failing tests.
  468
+This will create an empty whitelist of attributes available for mass-assignment for all models in your app. As such, your models will need to explicitly whitelist or blacklist accessible parameters by using an +attr_accessible+ or +attr_protected+ declaration.  This technique is best applied at the start of a new project. However, for an existing project with a thorough set of functional tests, it should be straightforward and relatively quick to use this application config option; run your tests, and expose each attribute (via +attr_accessible+ or +attr_protected+) as dictated by your failing tests.
469 469
 
470 470
 h3. User Management
471 471
 
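Review bot: line 468 presents +attr_accessible+ and +attr_protected+ as interchangeable ways to satisfy the empty whitelist, but +attr_protected+ switches that model back to a blacklist authorizer, so every attribute not listed becomes assignable again, which is exactly what this "paranoid" setting is meant to rule out. Suggest keeping the original wording ("explicitly whitelist accessible parameters by using an +attr_accessible+ declaration") and, if +attr_protected+ is mentioned at all, saying plainly that it opts the model out of the whitelist. Also on line 462, "with a very simple application config option of:" reads awkwardly; "by setting a single application config option:" is cleaner.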
12  railties/test/application/configuration_test.rb
@@ -258,6 +258,18 @@ def index
258 258
       assert_equal res, last_response.body # value should be unchanged
259 259
     end
260 260
 
  261
+    test "sets all Active Record models to whitelist all attributes by default" do
  262
+      add_to_config <<-RUBY
  263
+        config.active_record.whitelist_attributes = true
  264
+      RUBY
  265
+
  266
+      require "#{app_path}/config/environment"
  267
+
  268
+      assert_equal ActiveModel::MassAssignmentSecurity::WhiteList,
  269
+                   ActiveRecord::Base.active_authorizers[:default].class
  270
+      assert_equal [""], ActiveRecord::Base.active_authorizers[:default].to_a
  271
+    end
  272
+
261 273
     test "registers interceptors with ActionMailer" do
262 274
       add_to_config <<-RUBY
263 275
         config.action_mailer.interceptors = MyMailInterceptor
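Review bot: the test name on line 261, "whitelist all attributes by default", says the opposite of what is asserted: lines 268-270 check that the default authorizer is a WhiteList containing only "", i.e. that no attribute is whitelisted. Rename it to something like "sets an empty attr_accessible whitelist on all Active Record models". The `[""]` assertion on line 270 also pins an artifact of passing nil to attr_accessible rather than the intended behaviour; asserting that a sample attribute name is denied by `active_authorizers[:default]` would survive a cleanup of the railtie. Finally, nothing here checks that `whitelist_attributes` was removed from `app.config.active_record` before the generic `send "#{k}="` loop in the railtie runs, which is the part most likely to break when someone touches that initializer.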

2 notes on commit f3b9d3a

José Valim
Owner

May I ask why a configuration option? What is the use case?

José Valim
Owner

Ugh, nevermind. I see the main use case is to set all attributes as protected by default. +1
