aboutsummaryrefslogblamecommitdiffstats
path: root/activemodel/test/cases/mass_assignment_security/sanitizer_test.rb
blob: 676937b5e19c9eb722cdf77ce85e365f8c81d724 (plain) (tree)
1
2
3
4
5
6
7
8
9
                      
                
                                                  
 
                                           
                       
 
                                                                       
                  
                                   
       


           

                                                                                      
                                



                                                                            
                                                                             




                                                                             
                                                              

                                                                            
                                 
                                                                
                                                                                     

     






                                                                            







                                                                  
   
require "cases/helper"
require 'logger'
require 'active_support/core_ext/object/inclusion'

class SanitizerTest < ActiveModel::TestCase
  attr_accessor :logger

  class Authorizer < ActiveModel::MassAssignmentSecurity::PermissionSet
    def deny?(key)
      ['admin', 'id'].include?(key)
    end
  end

  def setup
    @logger_sanitizer = ActiveModel::MassAssignmentSecurity::LoggerSanitizer.new(self)
    @strict_sanitizer = ActiveModel::MassAssignmentSecurity::StrictSanitizer.new(self)
    @authorizer = Authorizer.new
  end

  test "sanitize attributes" do
    original_attributes = { 'first_name' => 'allowed', 'admin' => 'denied' }
    attributes = @logger_sanitizer.sanitize(original_attributes, @authorizer)

    assert attributes.key?('first_name'), "Allowed key shouldn't be rejected"
    assert !attributes.key?('admin'),     "Denied key should be rejected"
  end

  test "debug mass assignment removal with LoggerSanitizer" do
    original_attributes = { 'first_name' => 'allowed', 'admin' => 'denied' }
    log = StringIO.new
    self.logger = Logger.new(log)
    @logger_sanitizer.sanitize(original_attributes, @authorizer)
    assert_match(/admin/, log.string, "Should log removed attributes: #{log.string}")
  end

  test "debug mass assignment removal with StrictSanitizer" do
    original_attributes = { 'first_name' => 'allowed', 'admin' => 'denied' }
    assert_raise ActiveModel::MassAssignmentSecurity::Error do
      @strict_sanitizer.sanitize(original_attributes, @authorizer)
    end
  end

  test "mass assignment insensitive attributes" do
    original_attributes = {'id' => 1, 'first_name' => 'allowed'}

    assert_nothing_raised do
      @strict_sanitizer.sanitize(original_attributes, @authorizer)
    end
  end

end