author | José Valim <jose.valim@gmail.com> | 2011-08-01 04:50:06 -0700 |
---|---|---|
committer | José Valim <jose.valim@gmail.com> | 2011-08-01 04:50:06 -0700 |
commit | 6b3af028acdd8c97b7b6088117a042ddfd7f3038 (patch) | |
tree | d70bff398e2702b7d8cea400f9b2d56be3dd28a1 | |
parent | 860202e8b2e3579402d48d7e56fa738a9529a340 (diff) | |
parent | b93a918337e99c3fe3ad059f093b1ee56b9e6a7d (diff) | |
download | rails-6b3af028acdd8c97b7b6088117a042ddfd7f3038.tar.gz rails-6b3af028acdd8c97b7b6088117a042ddfd7f3038.tar.bz2 rails-6b3af028acdd8c97b7b6088117a042ddfd7f3038.zip |
Merge pull request #2385 from bogdan/test_default_sanitizer2
MassAssignmentProtection: consider 'id' insensitive in StrictSanitizer
3 files changed, 19 insertions, 1 deletions
diff --git a/activemodel/lib/active_model/mass_assignment_security/sanitizer.rb b/activemodel/lib/active_model/mass_assignment_security/sanitizer.rb
index bb0526adc3..bbdddfb50d 100644
--- a/activemodel/lib/active_model/mass_assignment_security/sanitizer.rb
+++ b/activemodel/lib/active_model/mass_assignment_security/sanitizer.rb
@@ -44,8 +44,13 @@ module ActiveModel
 
     class StrictSanitizer < Sanitizer
       def process_removed_attributes(attrs)
+        return if (attrs - insensitive_attributes).empty?
         raise ActiveModel::MassAssignmentSecurity::Error, "Can't mass-assign protected attributes: #{attrs.join(', ')}"
       end
+
+      def insensitive_attributes
+        ['id']
+      end
     end
 
     class Error < StandardError
diff --git a/activemodel/test/cases/mass_assignment_security/sanitizer_test.rb b/activemodel/test/cases/mass_assignment_security/sanitizer_test.rb
index 62a6ec9c9b..676937b5e1 100644
--- a/activemodel/test/cases/mass_assignment_security/sanitizer_test.rb
+++ b/activemodel/test/cases/mass_assignment_security/sanitizer_test.rb
@@ -7,7 +7,7 @@ class SanitizerTest < ActiveModel::TestCase
 
   class Authorizer < ActiveModel::MassAssignmentSecurity::PermissionSet
     def deny?(key)
-      key.in?(['admin'])
+      ['admin', 'id'].include?(key)
     end
   end
 
@@ -40,4 +40,12 @@ class SanitizerTest < ActiveModel::TestCase
     end
   end
 
+  test "mass assignment insensitive attributes" do
+    original_attributes = {'id' => 1, 'first_name' => 'allowed'}
+
+    assert_nothing_raised do
+      @strict_sanitizer.sanitize(original_attributes, @authorizer)
+    end
+  end
+
 end
diff --git a/railties/lib/rails/generators/rails/app/templates/config/environments/test.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/environments/test.rb.tt
index ee068b0202..80198cc21e 100644
--- a/railties/lib/rails/generators/rails/app/templates/config/environments/test.rb.tt
+++ b/railties/lib/rails/generators/rails/app/templates/config/environments/test.rb.tt
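Review bot: When `attrs` holds `id` together with other protected attributes, the new guard in `process_removed_attributes` falls through and the raised message still lists `id`, the one attribute this commit has decided is not a violation, so the error misstates what tripped strict mode; subtract once and reuse the result, `remaining = attrs - insensitive_attributes`, `return if remaining.empty?`, and join `remaining` in the message. The subtraction compares by value, so a symbol key such as `:id` would not match `'id'` if a caller's hash is not string-keyed; the key normalization happens outside this hunk, so either confirm that contract or normalize with `to_s` here. `insensitive_attributes` is also a new public method with no comment on its purpose; `# Protected attribute names whose removal strict mode tolerates instead of raising.` would tell the next reader why `id` is special-cased.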
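Review bot: The new test "mass assignment insensitive attributes" only asserts that no exception escapes; it neither checks that `id` is actually removed from the result nor that `id` combined with a denied attribute such as `admin` still raises, so a regression that made the guard swallow every protected attribute would pass. If `sanitize` returns the filtered hash (its name suggests so, but the hunk does not show it), assert on it: `assert_equal({'first_name' => 'allowed'}, @strict_sanitizer.sanitize(original_attributes, @authorizer))`. A companion case with `{'id' => 1, 'admin' => true}` inside `assert_raises(ActiveModel::MassAssignmentSecurity::Error)` would pin the other half, and the `Authorizer` change in the earlier hunk already denies both `admin` and `id`, so the fixture supports it.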
@@ -34,6 +34,11 @@
   # like if you have constraints or database-specific column types
   # config.active_record.schema_format = :sql
 
+  <%- unless options.skip_active_record? -%>
+  # Raise exception on mass assignment protection for ActiveRecord models
+  config.active_record.mass_assignment_sanitizer = :strict
+  <%- end -%>
+
   # Print deprecation notices to the stderr
   config.active_support.deprecation = :stderr
 end
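Review bot: The generated comment above `config.active_record.mass_assignment_sanitizer = :strict` says an exception is raised but not which one or why the test environment wants it, which is exactly what a developer reading a newly failing test will look for; `# Raise ActiveModel::MassAssignmentSecurity::Error when a protected attribute is mass-assigned, so tests surface the mistake instead of the attribute being dropped.` names the error class introduced in the sanitizer hunk. Whether the non-strict sanitizer only logs the removal is not shown in this diff, so word that part to match the actual default behaviour. Only the test template is touched here; if the development template is meant to stay lenient, a short note in the commit message would save the next reader the question.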