
Merge branch 'mass-assigment-fix-for-empty-attr-accessible' of https:…

2 parents 4b9b46c + 9347fe8 commit f3f42ba48660c37aa8bed036591134ef06096aaa @mike-burns mike-burns committed Jun 28, 2011
@@ -7,6 +7,10 @@ module ActiveModel # :nodoc:
# it { should_not allow_mass_assignment_of(:password) }
# it { should allow_mass_assignment_of(:first_name) }
#
+ # In Rails 3.1 you can check role as well:
+ #
+ # it { should allow_mass_assigment_of(:first_name).as(:admin) }
+ #
def allow_mass_assignment_of(value)
AllowMassAssignmentOfMatcher.new(value)
end
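Review bot: The new usage example `# it { should allow_mass_assigment_of(:first_name).as(:admin) }` misspells the matcher name (`assigment`), so anyone who copies it into a spec gets a NoMethodError; the corrected line is `# it { should allow_mass_assignment_of(:first_name).as(:admin) }`. The same comment would also be a good place to state what happens on older Rails, e.g. `# Calling as() on Rails older than 3.1 raises an error.`, since that is what the new `as` method does.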
@@ -17,8 +21,15 @@ def initialize(attribute)
@attribute = attribute.to_s
end
+ def as(role)
+ raise "You can specify role only in Rails 3.1 or greater" unless rails_3_1?
+ @role = role
+ self
+ end
+
def matches?(subject)
@subject = subject
+ @role ||= :default
if attr_mass_assignable?
if whitelisting?
@negative_failure_message = "#{@attribute} was made accessible"
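Review bot: `@role` is left nil until `matches?` runs, because the default is assigned lazily with `@role ||= :default` instead of in `initialize`; any code that reads `@role` before `matches?` (the `authorizer` helper, or a future `description`) would see nil. Initialising it next to `@attribute`, `@role = :default`, makes `as` the only place that overrides it and removes the `||=` line from `matches?`. The `raise "You can specify role only in Rails 3.1 or greater"` in `as` raises a bare RuntimeError; a specific class such as `ArgumentError` would let specs and callers rescue it precisely. The body of `matches?` continues past the end of this hunk.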
@@ -61,23 +72,29 @@ def accessible_attributes
end
def whitelisting?
- !accessible_attributes.empty?
+ authorizer.kind_of?(::ActiveModel::MassAssignmentSecurity::WhiteList)
end
def attr_mass_assignable?
- if whitelisting?
- accessible_attributes.include?(@attribute)
+ !authorizer.deny?(@attribute)
+ end
+
+ def authorizer
+ if rails_3_1?
+ @subject.class.active_authorizer[@role]
else
- !protected_attributes.include?(@attribute)
+ @subject.class.active_authorizer
end
end
def class_name
@subject.class.name
end
+ def rails_3_1?
+ ::ActiveModel::VERSION::MAJOR == 3 && ::ActiveModel::VERSION::MINOR >= 1
+ end
end
-
end
end
end
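Review bot: `rails_3_1?` is written as `MAJOR == 3 && MINOR >= 1`, so it becomes false again on any later major version; on such a version `as` would raise and `authorizer` would fall back to the role-less `active_authorizer` call even if the per-role API is still present. A monotonic check avoids that cliff: `::ActiveModel::VERSION::MAJOR > 3 || (::ActiveModel::VERSION::MAJOR == 3 && ::ActiveModel::VERSION::MINOR >= 1)`. The identical condition is repeated verbatim as the `if` guard in the spec hunk below, so the two must be kept in step or the spec should derive it from one shared helper. A short comment on `authorizer`, e.g. `# Rails 3.1 keys authorizers by role; @role is defaulted to :default by matches?`, would make the two branches easier to follow.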
@@ -71,4 +71,35 @@
end
end
+ context "an attribute on a class with all protected attributes" do
+ before do
+ define_model :example, :attr => :string do
+ attr_accessible
+ end
+ @model = Example.new
+ end
+
+ it "should reject being mass-assignable" do
+ @model.should_not allow_mass_assignment_of(:attr)
+ end
+ end
+
+ if ::ActiveModel::VERSION::MAJOR == 3 && ::ActiveModel::VERSION::MINOR >= 1
+ context "an attribute included in the mass-assignment whitelist for admin role only" do
+ before do
+ define_model :example, :attr => :string do
+ attr_accessible :attr, :as => :admin
+ end
+ @model = Example.new
+ end
+
+ it "should reject being mass-assignable" do
+ @model.should_not allow_mass_assignment_of(:attr)
+ end
+
+ it "should accept being mass-assignable for admin" do
+ @model.should allow_mass_assignment_of(:attr).as(:admin)
+ end
+ end
+ end
end
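Review bot: The pre-3.1 branch of the new `as` method is not exercised anywhere: when the `if` guard at `if ::ActiveModel::VERSION::MAJOR == 3 && ::ActiveModel::VERSION::MINOR >= 1` is false the spec simply defines no examples, so the "raise unless rails_3_1?" behaviour could regress silently. An `else` branch with one example asserting that `allow_mass_assignment_of(:attr).as(:admin)` raises a RuntimeError mentioning Rails 3.1 would cover it. The guard itself duplicates the matcher's `rails_3_1?` logic inline, which is the second copy of that condition in this commit.

```ruby
  if ::ActiveModel::VERSION::MAJOR == 3 && ::ActiveModel::VERSION::MINOR >= 1
    # … unchanged: admin-role whitelist context …
  else
    it "should refuse a role before Rails 3.1" do
      lambda {
        allow_mass_assignment_of(:attr).as(:admin)
      }.should raise_error(RuntimeError, /Rails 3.1/)
    end
  end
```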

