Empty all protected attributes when integrate strong_parameters #111

Open

@route

For Rails 4, attr_accessible and attr_protected were extracted, so it's not a problem to set these attributes with strong_parameters, but for Rails 3 AR protects default attributes and it's impossible to set them even if they are passed by strong_parameters:

1.9.3p385 :001 > raw_parameters = { :id => 1, :type => 'MediaFile' }
 => {:id=>1, :type=>"MediaFile"} 
1.9.3p385 :002 > parameters = ActionController::Parameters.new(raw_parameters)
 => {"id"=>1, "type"=>"MediaFile"} 
1.9.3p385 :003 > gift = Gift.new(parameters.permit(:id, :type))
ActiveModel::MassAssignmentSecurity::Error: Can't mass-assign protected attributes: id, type
@route

Oh and seems like it's related to #81

@atipugin

Would be nice to see it in master.

10 lib/active_model/forbidden_attributes_protection.rb
@@ -1,8 +1,12 @@
+require 'active_support/concern'
+
module ActiveModel
class ForbiddenAttributes < StandardError
end
module ForbiddenAttributesProtection
+ extend ActiveSupport::Concern
+
def sanitize_for_mass_assignment(*options)
new_attributes = options.first
if !new_attributes.respond_to?(:permitted?) || new_attributes.permitted?
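Review bot: `extend ActiveSupport::Concern` at the top of `ForbiddenAttributesProtection` makes every `include` of this module also extend the host class, and nothing in the change documents that. The class-level override added later in this file only takes effect when this module's class methods sit ahead of the host's own in method lookup, so the result depends on include order. Please state the required order in a comment here or in the README (the test includes `ActiveModel::MassAssignmentSecurity` first).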
@@ -11,5 +15,11 @@ def sanitize_for_mass_assignment(*options)
raise ActiveModel::ForbiddenAttributes
end
end
+
+ module ClassMethods
+ def attributes_protected_by_default
+ []
+ end
+ end
end
end
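Review bot: `attributes_protected_by_default` returning `[]` in `ClassMethods` drops the default protection of `id` and `type` for every caller, not only for parameters that went through `permit`. The unchanged condition `!new_attributes.respond_to?(:permitted?) || new_attributes.permitted?` accepts any input that does not respond to `permitted?`, so a plain Hash handed to a model that includes this module could now set `id` and `type` with no check at all. Consider relaxing the default list only for inputs that respond to `permitted?`, or making the empty list opt-in, and add a comment explaining why the override exists.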
12 test/active_model_mass_assignment_taint_protection_test.rb
@@ -1,6 +1,12 @@
require 'test_helper'
-class Person
+class Base
+ def self.attributes_protected_by_default
+ ['id', 'type']
+ end
+end
+
+class Person < Base
include ActiveModel::MassAssignmentSecurity
include ActiveModel::ForbiddenAttributesProtection
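Review bot: the `Base` stub only models a parent class that defines `attributes_protected_by_default` as its own class method, and nothing in the test asserts what `Person.attributes_protected_by_default` returns after the include. Add a direct assertion that it is `[]`, plus a case where the class itself defines the method, so the reach of the override is pinned down rather than implied.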
@@ -23,8 +29,8 @@ class ActiveModelMassUpdateProtectionTest < ActiveSupport::TestCase
test "regular attributes should still be allowed" do
assert_nothing_raised do
- assert_equal({ :a => "b" },
- Person.new.sanitize_for_mass_assignment(:a => "b"))
+ assert_equal({ :a => "b", :id => 1, :type => 'Type' },
+ Person.new.sanitize_for_mass_assignment(:a => "b", :id => 1, :type => 'Type'))
end
end
end
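Review bot: the modified assertion in "regular attributes should still be allowed" passes `:id` and `:type` in a plain Hash, which does not respond to `permitted?`, so the strong_parameters case from the description (`parameters.permit(:id, :type)`) is not covered. Keep the original `{ :a => "b" }` assertion and add a separate test that sends a permitted parameters object containing `id` and `type`. If plain hashes are meant to carry these attributes too, give that its own named test so the weakened default is an explicit decision.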