protecting attributes from mass assignment by default

commit 145b77b070817e445591ad5b6b23aa37b7f6042a 1 parent e9c0c6f
Ryan Bates authored June 01, 2009
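--- a/lib/trusted_params/active_record_additions.rb
+++ b/lib/trusted_params/active_record_additions.rb
@@ -2,6 +2,18 @@ module TrustedParams
   module ActiveRecordAdditions
     def self.included(base)
       base.extend(ClassMethods)
+      base.attr_accessible nil
+    end
+    
+    def remove_attributes_protected_from_mass_assignment(attributes)
+      unless self.class.accessible_attributes.include? "all"
+        attributes.each do |key, value|
+          unless self.class.accessible_attributes.include? key.to_s
+            raise ActiveRecord::UnavailableAttributeAssignmentError, "attribute \"#{key}\" is protected from mass assignment"
+          end
+        end
+      end
+      attributes
     end
     
     module ClassMethods
@@ -12,7 +24,12 @@ def attr_protected(*args)
   end
 end
 
-# TODO for some reason this doesn't work for overriding methods
-# ActiveRecord::Base.class_eval do
-#   include TrustedParams::ActiveRecordAdditions
-# end
+module ActiveRecord
+  # TODO for some reason this doesn't work for overriding methods
+  # Base.class_eval do
+  #   include TrustedParams::ActiveRecordAdditions
+  # end
+  
+  class UnavailableAttributeAssignmentError < ActiveRecordError
+  end
+end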
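Review bot: In `remove_attributes_protected_from_mass_assignment` (first hunk) the `:all` branch returns `attributes` untouched, so this override no longer layers on the protection stock Rails 2 gives the primary key and inheritance column (`attributes_protected_by_default`, if I recall that API correctly) — with `attr_accessible :all` an `id` or `type` key in the params would reach the model. Consider filtering those before returning, e.g. `attributes.reject { |key, _| self.class.attributes_protected_by_default.include?(key.to_s) }`, or document in a comment above the method that `:all` means every column including the key. The bare `key.to_s` comparison also means multi-parameter keys such as `"published_at(1i)"` never match an accessible name and will always raise, whereas as far as I recall Rails strips the `(…)` suffix before its own check; a `# NOTE: multi-parameter attribute keys are not normalised here` would at least make that explicit. Lastly, `base.attr_accessible nil` in `self.included` deserves a why-comment, e.g. `# seed accessible_attributes so the include? checks below never see nil` (presumably its purpose; confirm against the attr_accessible implementation).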
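--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -18,17 +18,15 @@ def self.paginate(options)
     self.paginate_options = options
   end
   
-  def self.add_column(name, column_type = :string)
+  def self.add_column(name)
     returning ActiveRecord::ConnectionAdapters::Column.new(name, nil) do |column|
-      def column.type
-        column_type
-      end
       @columns ||= []
       @columns << column
     end
   end
   
   def self.reset_columns
+    write_inheritable_attribute(:attr_accessible, [])
     @columns = []
   end
   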
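Review bot: The `write_inheritable_attribute(:attr_accessible, [])` added to `reset_columns` has no comment, and the method name no longer describes everything it does; a line such as `# start every spec with nothing accessible, matching the plugin's protected-by-default state` would explain why a column-reset helper now clears the accessible list. Note that the plugin itself seeds that list via `base.attr_accessible nil` in its `included` hook rather than with a bare `[]`, so if the two shapes ever differ (nil, empty array, or whatever `attr_accessible` writes) the specs would not notice; one spec that exercises the module's own default without this reset would close that gap.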
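--- a/spec/trusted_params/active_record_additions_spec.rb
+++ b/spec/trusted_params/active_record_additions_spec.rb
@@ -4,9 +4,27 @@
   before(:each) do
     MockedModel.reset_columns
     MockedModel.add_column(:name)
+    MockedModel.add_column(:content)
   end
   
   it "should not allow one to set attr_protected" do
     lambda { MockedModel.attr_protected(:foo) }.should raise_error
   end
+  
+  it "should not be able to mass assign attributes by default" do
+    lambda { MockedModel.new(:name => "foo") }.should raise_error(ActiveRecord::UnavailableAttributeAssignmentError)
+  end
+  
+  it "should be able to mass assign any attribute with :all" do
+    MockedModel.attr_accessible :all
+    m = MockedModel.new(:name => "foo")
+    m.name.should == "foo"
+  end
+  
+  it "should be able to mass assign specific attributes" do
+    MockedModel.attr_accessible :name
+    user = MockedModel.new(:name => "foo")
+    user.name.should == "foo"
+    lambda { MockedModel.new(:content => "foo") }.should raise_error(ActiveRecord::UnavailableAttributeAssignmentError)
+  end
 end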
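Review bot: The new specs use only symbol keys, while `remove_attributes_protected_from_mass_assignment` normalises with `key.to_s` — presumably because request params reach the model as strings — so the key shape that matters in production is untested. After `MockedModel.attr_accessible :name`, a case such as `lambda { MockedModel.new("name" => "foo", "content" => "bar") }.should raise_error(ActiveRecord::UnavailableAttributeAssignmentError)` would cover both string keys and the mixed hash in which one permitted key arrives alongside a protected one, which is the realistic failure the guard exists for. It is also worth asserting the message text, since `"attribute \"content\" is protected from mass assignment"` is what a developer will see when the guard fires.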
