diff options
| author | Josh Kalderimis <josh.kalderimis@gmail.com> | 2011-05-01 20:20:22 +0200 | 
|---|---|---|
| committer | Josh Kalderimis <josh.kalderimis@gmail.com> | 2011-05-01 23:08:50 +0200 | 
| commit | 7c5ae0a88fc9406857ee362c827c57eb23fd5f95 (patch) | |
| tree | 01a91ebdcfd1778a333d305bcdd2f3405e6037b4 | |
| parent | b8ccd0552473fbe0f346334e37b7d84481dd3533 (diff) | |
| download | rails-7c5ae0a88fc9406857ee362c827c57eb23fd5f95.tar.gz rails-7c5ae0a88fc9406857ee362c827c57eb23fd5f95.tar.bz2 rails-7c5ae0a88fc9406857ee362c827c57eb23fd5f95.zip | |
Added mass-assignment security :as and :without_protection support to AR.new and AR.create
| -rw-r--r-- | activerecord/lib/active_record/base.rb | 33 | ||||
| -rw-r--r-- | activerecord/test/cases/mass_assignment_security_test.rb | 138 | 
2 files changed, 142 insertions, 29 deletions
| diff --git a/activerecord/lib/active_record/base.rb b/activerecord/lib/active_record/base.rb index 04c12f86b6..0ba401584d 100644 --- a/activerecord/lib/active_record/base.rb +++ b/activerecord/lib/active_record/base.rb @@ -475,10 +475,19 @@ module ActiveRecord #:nodoc:        # The +attributes+ parameter can be either be a Hash or an Array of Hashes.  These Hashes describe the        # attributes on the objects that are to be created.        # +      # +create+ respects mass-assignment security and accepts either +:as+ or +:without_protection+ options +      # in the +options+ parameter. +      #        # ==== Examples        #   # Create a single new object        #   User.create(:first_name => 'Jamie')        # +      #   # Create a single new object using the :admin mass-assignment security scope +      #   User.create({ :first_name => 'Jamie', :is_admin => true }, :as => :admin) +      # +      #   # Create a single new object bypassing mass-assignment security +      #   User.create({ :first_name => 'Jamie', :is_admin => true }, :without_protection => true) +      #        #   # Create an Array of new objects        #   User.create([{ :first_name => 'Jamie' }, { :first_name => 'Jeremy' }])        # @@ -491,11 +500,11 @@ module ActiveRecord #:nodoc:        #   User.create([{ :first_name => 'Jamie' }, { :first_name => 'Jeremy' }]) do |u|        #     u.is_admin = false        #   end -      def create(attributes = nil, &block) +      def create(attributes = nil, options = {}, &block)          if attributes.is_a?(Array) -          attributes.collect { |attr| create(attr, &block) } +          attributes.collect { |attr| create(attr, options, &block) }          else -          object = new(attributes) +          object = new(attributes, options)            yield(object) if block_given?            object.save            object @@ -1484,7 +1493,20 @@ end        # attributes but not yet saved (pass a hash with key names matching the associated table column names).        # In both instances, valid attribute keys are determined by the column names of the associated table --        # hence you can't have attributes that aren't part of the table columns. -      def initialize(attributes = nil) +      # +      # +initialize+ respects mass-assignment security and accepts either +:as+ or +:without_protection+ options +      # in the +options+ parameter. +      # +      # ==== Examples +      #   # Instantiates a single new object +      #   User.new(:first_name => 'Jamie') +      # +      #   # Instantiates a single new object using the :admin mass-assignment security scope +      #   User.new({ :first_name => 'Jamie', :is_admin => true }, :as => :admin) +      # +      #   # Instantiates a single new object bypassing mass-assignment security +      #   User.new({ :first_name => 'Jamie', :is_admin => true }, :without_protection => true) +      def initialize(attributes = nil, options = {})          @attributes = attributes_from_column_definition          @association_cache = {}          @aggregation_cache = {} @@ -1500,7 +1522,8 @@ end          set_serialized_attributes          populate_with_current_scope_attributes -        self.attributes = attributes unless attributes.nil? + +        assign_attributes(attributes, options) if attributes          result = yield self if block_given?          run_callbacks :initialize diff --git a/activerecord/test/cases/mass_assignment_security_test.rb b/activerecord/test/cases/mass_assignment_security_test.rb index 2c051bff84..67950c8068 100644 --- a/activerecord/test/cases/mass_assignment_security_test.rb +++ b/activerecord/test/cases/mass_assignment_security_test.rb @@ -7,6 +7,12 @@ require 'models/person'  class MassAssignmentSecurityTest < ActiveRecord::TestCase +  def setup +    # another AR test modifies the columns which causes issues with create calls +    TightPerson.reset_column_information +    LoosePerson.reset_column_information +  end +    def test_customized_primary_key_remains_protected      subscriber = Subscriber.new(:nick => 'webster123', :name => 'nice try')      assert_nil subscriber.id @@ -35,60 +41,114 @@ class MassAssignmentSecurityTest < ActiveRecord::TestCase      p = LoosePerson.new      p.assign_attributes(attributes_hash) -    assert_equal nil,    p.id -    assert_equal 'Josh', p.first_name -    assert_equal 'm',    p.gender -    assert_equal nil,    p.comments +    assert_default_attributes(p)    end    def test_assign_attributes_skips_mass_assignment_security_protection_when_without_protection_is_used      p = LoosePerson.new      p.assign_attributes(attributes_hash, :without_protection => true) -    assert_equal 5, p.id -    assert_equal 'Josh', p.first_name -    assert_equal 'm', p.gender -    assert_equal 'rides a sweet bike', p.comments +    assert_all_attributes(p)    end    def test_assign_attributes_with_default_scope_and_attr_protected_attributes      p = LoosePerson.new      p.assign_attributes(attributes_hash, :as => :default) -    assert_equal nil, p.id -    assert_equal 'Josh', p.first_name -    assert_equal 'm', p.gender -    assert_equal nil, p.comments +    assert_default_attributes(p)    end    def test_assign_attributes_with_admin_scope_and_attr_protected_attributes      p = LoosePerson.new      p.assign_attributes(attributes_hash, :as => :admin) -    assert_equal nil, p.id -    assert_equal 'Josh', p.first_name -    assert_equal 'm', p.gender -    assert_equal 'rides a sweet bike', p.comments +    assert_admin_attributes(p)    end    def test_assign_attributes_with_default_scope_and_attr_accessible_attributes      p = TightPerson.new      p.assign_attributes(attributes_hash, :as => :default) -    assert_equal nil, p.id -    assert_equal 'Josh', p.first_name -    assert_equal 'm', p.gender -    assert_equal nil, p.comments +    assert_default_attributes(p)    end    def test_assign_attributes_with_admin_scope_and_attr_accessible_attributes      p = TightPerson.new      p.assign_attributes(attributes_hash, :as => :admin) -    assert_equal nil, p.id -    assert_equal 'Josh', p.first_name -    assert_equal 'm', p.gender -    assert_equal 'rides a sweet bike', p.comments +    assert_admin_attributes(p) +  end + +  def test_new_with_attr_accessible_attributes +    p = TightPerson.new(attributes_hash) + +    assert_default_attributes(p) +  end + +  def test_new_with_attr_protected_attributes +    p = LoosePerson.new(attributes_hash) + +    assert_default_attributes(p) +  end + +  def test_create_with_attr_accessible_attributes +    p = TightPerson.create(attributes_hash) + +    assert_default_attributes(p, true) +  end + +  def test_create_with_attr_protected_attributes +    p = LoosePerson.create(attributes_hash) + +    assert_default_attributes(p, true) +  end + +  def test_new_with_admin_scope_with_attr_accessible_attributes +    p = TightPerson.new(attributes_hash, :as => :admin) + +    assert_admin_attributes(p) +  end + +  def test_new_with_admin_scope_with_attr_protected_attributes +    p = LoosePerson.new(attributes_hash, :as => :admin) + +    assert_admin_attributes(p) +  end + +  def test_create_with_admin_scope_with_attr_accessible_attributes +    p = TightPerson.create(attributes_hash, :as => :admin) + +    assert_admin_attributes(p, true) +  end + +  def test_create_with_admin_scope_with_attr_protected_attributes +    p = LoosePerson.create(attributes_hash, :as => :admin) + +    assert_admin_attributes(p, true) +  end + +  def test_new_with_without_protection_with_attr_accessible_attributes +    p = TightPerson.new(attributes_hash, :without_protection => true) + +    assert_all_attributes(p) +  end + +  def test_new_with_without_protection_with_attr_protected_attributes +    p = LoosePerson.new(attributes_hash, :without_protection => true) + +    assert_all_attributes(p) +  end + +  def test_create_with_without_protection_with_attr_accessible_attributes +    p = TightPerson.create(attributes_hash, :without_protection => true) + +    assert_all_attributes(p) +  end + +  def test_create_with_without_protection_with_attr_protected_attributes +    p = LoosePerson.create(attributes_hash, :without_protection => true) + +    assert_all_attributes(p)    end    def test_protection_against_class_attribute_writers @@ -111,4 +171,34 @@ class MassAssignmentSecurityTest < ActiveRecord::TestCase        :comments => 'rides a sweet bike'      }    end + +  def assert_default_attributes(person, create = false) +    unless create +      assert_nil person.id +    else +      assert !!person.id +    end +    assert_equal 'Josh', person.first_name +    assert_equal 'm',    person.gender +    assert_nil person.comments +  end + +  def assert_admin_attributes(person, create = false) +    unless create +      assert_nil person.id +    else +      assert !!person.id +    end +    assert_equal 'Josh', person.first_name +    assert_equal 'm',    person.gender +    assert_equal 'rides a sweet bike', person.comments +  end + +  def assert_all_attributes(person) +    assert_equal 5, person.id +    assert_equal 'Josh', person.first_name +    assert_equal 'm',    person.gender +    assert_equal 'rides a sweet bike', person.comments +  end +  end
\ No newline at end of file | 
