MassAssignmentSecurity: add ability to specify your own sanitizer #1334

@bogdan
Contributor

bogdan commented May 26, 2011

With respect to discussion:
#1320

Added the ability to specify your own behavior for mass assignment
protection, controlled by the option:

ActiveModel::MassAssignmentSecurity.mass_assignment_sanitizer

I hope this is the right way to do it, because I don't understand how the customizations can be done without a monkey patch or a configuration option.

BTW, the code seems cleaner now, even without the customization benefits.

If there is still something I need to fix please let me know.

MassAssignmentSecurity: add ability to specify your own sanitizer
Added the ability to specify your own behavior for mass assignment
protection, controlled by the option:
ActiveModel::MassAssignmentSecurity.mass_assignment_sanitizer
Contributor

josevalim commented May 26, 2011

I will review properly when I get home, but this looks good!

Contributor

josevalim commented May 26, 2011

Merged (github did not close this automatically). Thanks for your work, I think the final solution is quite good.

@josevalim josevalim closed this May 26, 2011

arunagw pushed a commit to arunagw/rails that referenced this pull request May 26, 2011

Merge pull request #1334 from bogdan/callback
MassAssignmentSecurity: add ability to specify your own sanitizer
@@ -14,6 +12,10 @@ module ActiveModel
super(remove_multiparameter_id(key))
end
+ def deny?(key)
+ raise NotImplementedError, "#deny?(key) suppose to be overwritten"
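Review bot: the NotImplementedError message on the new deny?(key) line reads "suppose to be overwritten"; make it "is supposed to be overridden" (or "must be implemented by a subclass"), since this text is what a developer sees when a subclass forgets to define the method. It would also help to name the expected implementers in the message or in a comment above the method, so the abstract-method contract of deny?(key) is documented where it is declared rather than only implied by the raise.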

@dasch

dasch May 26, 2011

Contributor

It's "supposed" :-)

@bogdan

bogdan May 27, 2011

Contributor

This is my Java habit :)

Contributor

bogdan commented May 27, 2011

My plan now is to make a StrictSanitizer that will raise ActiveModel::MassAssignmentSecurity::Error and use it by default in the development and test envs, like:

R3config::Application.configure do
....
config.active_record.mass_assignment_sanitizer = ActiveModel::MassAssignmentProtection::StrictSanitizer.new
....
end

What do you think, guys?

Contributor

josevalim commented May 27, 2011

I think it is a good idea, but, if we are going to have a main API for that, we should support symbols to be given:

config.active_record.mass_assignment_sanitizer = :strict

And then we would do a constant lookup for StrictSanitizer in the current class, what do you think? And also what do you think about renaming DefaultSanitizer to LoggerSanitizer?
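As an added example (not code from this pull request or from rails/rails), here is a self-contained Ruby sketch of the design the PR description and these last comments are converging on: the abstract deny?(key) on the permission set seen in the hunk above, a LoggerSanitizer that drops protected keys with only a warning, a StrictSanitizer that raises a MassAssignmentSecurity error instead, and the symbol lookup José proposes (:strict resolves to StrictSanitizer). The MassAssignmentSketch module name, the constructor arguments, the Error class and the sample params hash are my own assumptions; the real Rails classes differ in detail.

```ruby
# Added example, not code from the pull request or from rails/rails: a
# self-contained sketch of the sanitizer design discussed in this thread.
# Names follow the thread (deny?, LoggerSanitizer, StrictSanitizer); the
# module name, constructor arguments and Error class are my assumptions.
require "set"
require "logger"
require "stringio"

module MassAssignmentSketch
  class Error < StandardError; end

  # A Set of attribute names whose deny?(key) decision is left to subclasses,
  # mirroring the abstract deny? added in the permission_set hunk.
  class PermissionSet < Set
    def initialize(attrs = [])
      super(attrs.map(&:to_s))
    end

    # Multiparameter attributes such as "created_at(1i)" are checked as "created_at".
    def include?(key)
      super(key.to_s.sub(/\(.+\z/, ""))
    end

    def deny?(_key)
      raise NotImplementedError, "#deny?(key) is supposed to be overridden by WhiteList/BlackList"
    end
  end

  # attr_accessible semantics: everything not listed is denied.
  class WhiteList < PermissionSet
    def deny?(key)
      !include?(key)
    end
  end

  # attr_protected semantics: only the listed keys are denied.
  class BlackList < PermissionSet
    def deny?(key)
      include?(key)
    end
  end

  # Base sanitizer: strip denied keys, then hand the removed ones to a hook.
  class Sanitizer
    def sanitize(attributes, authorizer)
      sanitized = attributes.reject { |key, _value| authorizer.deny?(key) }
      removed = attributes.keys - sanitized.keys
      process_removed_attributes(removed) unless removed.empty?
      sanitized
    end

    protected
    def process_removed_attributes(_keys)
      raise NotImplementedError, "#process_removed_attributes(keys) is supposed to be overridden"
    end
  end

  # Default behaviour: silently drop protected keys and only log a warning.
  class LoggerSanitizer < Sanitizer
    def initialize(logger)
      @logger = logger
    end

    protected
    def process_removed_attributes(keys)
      @logger.warn("Can't mass-assign protected attributes: #{keys.join(', ')}")
    end
  end

  # Strict behaviour for development/test: fail loudly instead of dropping.
  class StrictSanitizer < Sanitizer
    protected
    def process_removed_attributes(keys)
      raise Error, "Can't mass-assign protected attributes: #{keys.join(', ')}"
    end
  end

  # Resolve the config value: a symbol is looked up as <Name>Sanitizer in this
  # module (:strict -> StrictSanitizer); a ready-built sanitizer is used as-is.
  def self.sanitizer_for(setting, logger: Logger.new($stderr))
    return setting if setting.is_a?(Sanitizer)
    klass = begin
      const_get("#{setting.to_s.capitalize}Sanitizer", false)
    rescue NameError
      nil
    end
    unless klass.is_a?(Class) && klass < Sanitizer
      raise ArgumentError, "unknown mass_assignment_sanitizer: #{setting.inspect}"
    end
    klass == LoggerSanitizer ? klass.new(logger) : klass.new
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample request params: "admin" and "created_at(1i)" are not whitelisted.
  params = { "name" => "alice", "admin" => true, "created_at(1i)" => "2011" }
  whitelist = MassAssignmentSketch::WhiteList.new(%w[name email])
  p MassAssignmentSketch.sanitizer_for(:logger).sanitize(params, whitelist) # => {"name"=>"alice"}
  MassAssignmentSketch.sanitizer_for(:strict).sanitize(params, whitelist) rescue puts "strict: #{$!.message}"
end
```

The security point the two sanitizers make concrete: with the logging sanitizer an attacker-supplied "admin" => true is quietly discarded and the request succeeds, which is the right production behaviour but hides the attempt from developers; the strict sanitizer turns the same request into an exception, so a form or test that submits an unprotected attribute fails immediately in development and test instead of silently losing data.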

Contributor

bogdan commented May 27, 2011

Agreed with everything.

Using symbols in the config is a good idea.

jake3030 pushed a commit to jake3030/rails that referenced this pull request Jun 28, 2011

Ensure calculations respect scoped :select [#1334 state:resolved]
Signed-off-by: Pratik Naik <pratiknaik@gmail.com>