
Fix sanitize_for_mass_assignment when role is nil #5049

Merged
merged 1 commit into from

2 participants

@fabioyamate

There is an example in the Rails documentation that suggests implementing
the assign_attributes method for the ActiveModel interface, which by default
sends the role option as nil. Since mass_assignment_authorizer is never
called without arguments, we can move the default value internally.

This should be backported to Rails 3.2
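The nil-role path described above, as an added Ruby example (not Rails' own code; `MiniModel`, `ACCESSIBLE` and `legacy_mass_assignment_authorizer` are assumptions made for illustration): a role-keyed whitelist where the pre-patch lookup misses on an explicit nil, while the patched lookup falls back to `:default` and still strips `admin` for callers that pass no role.

```ruby
# Added example (not Rails' own code): a minimal model of ActiveModel's
# role-keyed mass-assignment authorizer, showing why an explicit nil role
# must fall back to :default the way the patched method does.
class MiniModel
  # role => whitelist of attribute names; :default is what attr_accessible
  # without a role populates. (Constructed sample data.)
  ACCESSIBLE = {
    default: %w[name email],
    admin:   %w[name email admin]
  }.freeze

  attr_reader :attributes

  def initialize
    @attributes = {}
  end

  # Mirrors the documented ActiveModel pattern: most callers pass no
  # options, so options[:role] is nil when it reaches the sanitizer.
  def assign_attributes(new_attributes, options = {})
    sanitized = sanitize_for_mass_assignment(new_attributes, options[:role])
    @attributes.merge!(sanitized)
    sanitized
  end

  # Patched behaviour: keep only keys the resolved role's whitelist allows.
  def sanitize_for_mass_assignment(attributes, role = nil)
    allowed = mass_assignment_authorizer(role)
    attributes.select { |key, _| allowed.include?(key.to_s) }
  end

  # Patched lookup: nil resolves to :default inside the method, so an
  # explicit nil and an omitted role behave identically.
  def mass_assignment_authorizer(role)
    ACCESSIBLE.fetch(role || :default)
  end

  # Pre-patch lookup (hypothetical name): the default argument only applies
  # when the argument is omitted, so an explicit nil yields no authorizer.
  def legacy_mass_assignment_authorizer(role = :default)
    ACCESSIBLE[role]
  end
end
```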

@fabioyamate fabioyamate Fix sanitize_for_mass_assignment when role is nil
d204918
@josevalim josevalim merged commit 1c22c6f into from
Commits on Feb 15, 2012
  1. @fabioyamate

    Fix sanitize_for_mass_assignment when role is nil

    fabioyamate authored
6 activemodel/lib/active_model/mass_assignment_security.rb
@@ -226,12 +226,12 @@ def accessible_attributes_configs
protected
- def sanitize_for_mass_assignment(attributes, role = :default)
+ def sanitize_for_mass_assignment(attributes, role = nil)
_mass_assignment_sanitizer.sanitize(attributes, mass_assignment_authorizer(role))
end
- def mass_assignment_authorizer(role = :default)
- self.class.active_authorizer[role]
+ def mass_assignment_authorizer(role)
+ self.class.active_authorizer[role || :default]
end
end
end
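Review bot: `mass_assignment_authorizer` loses its default argument in this hunk, so any caller that still invokes it with no arguments (for example an override in application code or another library that calls `super` without a role) now raises ArgumentError instead of getting the `:default` authorizer. Keeping the signature as `def mass_assignment_authorizer(role = nil)` while retaining `self.class.active_authorizer[role || :default]` covers both the omitted-argument and the explicit-nil case without changing the method's public contract.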
7 activemodel/test/cases/mass_assignment_security_test.rb
@@ -19,6 +19,13 @@ def test_attribute_protection
assert_equal expected, sanitized
end
+ def test_attribute_protection_when_role_is_nil
+ user = User.new
+ expected = { "name" => "John Smith", "email" => "john@smith.com" }
+ sanitized = user.sanitize_for_mass_assignment(expected.merge("admin" => true), nil)
+ assert_equal expected, sanitized
+ end
+
def test_only_moderator_role_attribute_accessible
user = SpecialUser.new
expected = { "name" => "John Smith", "email" => "john@smith.com" }
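Review bot: `test_attribute_protection_when_role_is_nil` checks only the sanitized output for one attribute set; it does not assert that an explicit nil and the `:default` role resolve to the same authorizer, which is the actual contract introduced by `role || :default` in the library hunk. Adding `assert_equal user.sanitize_for_mass_assignment(attrs, :default), user.sanitize_for_mass_assignment(attrs, nil)` alongside the existing assertion would pin the fallback itself, and a case passing an explicit `:default` would guard against regressions where the two paths diverge.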