Skip to content
Browse files

Whitelist all attribute assignment by default.

Change the default for newly generated applications to whitelist all attribute assignment.  Also update the generated model classes so users are reminded of the importance of attr_accessible.
  • Loading branch information...
1 parent 864d755 commit 06a3a8a458e70c1b6531ac53c57a302b162fd736 @NZKoz NZKoz committed
View
4 activerecord/lib/rails/generators/active_record/model/model_generator.rb
@@ -30,6 +30,10 @@ def attributes_with_index
attributes.select { |a| a.has_index? || (a.reference? && options[:indexes]) }
end
+ def accessible_attributes
+ attributes.reject(&:reference?)
+ end
+
hook_for :test_framework
protected
View
5 activerecord/lib/rails/generators/active_record/model/templates/model.rb
@@ -3,5 +3,10 @@ class <%= class_name %> < <%= parent_class_name.classify %>
<% attributes.select {|attr| attr.reference? }.each do |attribute| -%>
belongs_to :<%= attribute.name %>
<% end -%>
+<% if !accessible_attributes.empty? -%>
+ attr_accessible <%= accessible_attributes.map {|a| ":#{a.name}" }.sort.join(', ') %>
+<% else -%>
+ # attr_accessible :title, :body
+<% end -%>
end
<% end -%>
View
2 railties/lib/rails/generators/rails/app/templates/config/application.rb
@@ -58,7 +58,7 @@ class Application < Rails::Application
# This will create an empty whitelist of attributes available for mass-assignment for all models
# in your app. As such, your models will need to explicitly whitelist or blacklist accessible
# parameters by using an attr_accessible or attr_protected declaration.
- # config.active_record.whitelist_attributes = true
+ config.active_record.whitelist_attributes = true
<% unless options.skip_sprockets? -%>
# Enable the asset pipeline
View
10 railties/test/generators/model_generator_test.rb
@@ -319,4 +319,14 @@ def test_index_is_skipped_for_references_association
end
end
end
+
+ def test_attr_accessible_added_with_non_reference_attributes
+ run_generator
+ assert_file 'app/models/account.rb', /attr_accessible :age, :name/
+ end
+
+ def test_attr_accessible_added_with_comments_when_no_attributes_present
+ run_generator ["Account"]
+ assert_file 'app/models/account.rb', /# attr_accessible :title, :body/
+ end
end

0 comments on commit 06a3a8a

Please sign in to comment.
Something went wrong with that request. Please try again.