author | Tsutomu Kuroda <t-kuroda@oiax.jp> | 2011-01-26 11:35:02 +0900 |
---|---|---|
committer | Santiago Pastorino <santiago@wyeworks.com> | 2011-02-09 18:35:15 -0200 |
commit | ad31549ab3044afc336c05243481c0f663689584 (patch) | |
tree | 9e4d9d735616559ada74f756a18bb4facfa2104c | |
parent | 9d8fdfec38a145e3f5074fd8dc0216630c268e32 (diff) | |
Override attributes_protected_by_default when has_secure_password is called.
attr_protected should not be called, because it nullifies the
mass assignment protection that has been set by attr_accessible.
Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
-rw-r--r-- | activemodel/lib/active_model/secure_password.rb | 8 | ||||
-rw-r--r-- | activemodel/test/cases/secure_password_test.rb | 13 | ||||
-rw-r--r-- | activemodel/test/models/administrator.rb | 10 | ||||
-rw-r--r-- | activemodel/test/models/visitor.rb | 9 |
4 files changed, 38 insertions, 2 deletions
diff --git a/activemodel/lib/active_model/secure_password.rb b/activemodel/lib/active_model/secure_password.rb
index 7e8370a04c..957d0ddaaa 100644
--- a/activemodel/lib/active_model/secure_password.rb
+++ b/activemodel/lib/active_model/secure_password.rb
@@ -33,12 +33,16 @@ module ActiveModel
 attr_reader :password
 attr_accessor :password_confirmation
- attr_protected(:password_digest) if respond_to?(:attr_protected)
-
 validates_confirmation_of :password
 validates_presence_of :password_digest
 include InstanceMethodsOnActivation
+
+ if respond_to?(:attributes_protected_by_default)
+ def self.attributes_protected_by_default
+ super + ['password_digest']
+ end
+ end
 end
 end
diff --git a/activemodel/test/cases/secure_password_test.rb b/activemodel/test/cases/secure_password_test.rb
index 79be715730..4a47a7a226 100644
--- a/activemodel/test/cases/secure_password_test.rb
+++ b/activemodel/test/cases/secure_password_test.rb
@@ -1,5 +1,7 @@
 require 'cases/helper'
 require 'models/user'
+require 'models/visitor'
+require 'models/administrator'
 class SecurePasswordTest < ActiveModel::TestCase
@@ -29,4 +31,15 @@ class SecurePasswordTest < ActiveModel::TestCase
 assert !@user.authenticate("wrong")
 assert @user.authenticate("secret")
 end
+
+ test "visitor#password_digest should be protected against mass assignment" do
+ assert Visitor.active_authorizer.kind_of?(ActiveModel::MassAssignmentSecurity::BlackList)
+ assert Visitor.active_authorizer.include?(:password_digest)
+ end
+
+ test "Administrator's mass_assignment_authorizer should be WhiteList" do
+ assert Administrator.active_authorizer.kind_of?(ActiveModel::MassAssignmentSecurity::WhiteList)
+ assert !Administrator.active_authorizer.include?(:password_digest)
+ assert Administrator.active_authorizer.include?(:name)
+ end
 end
diff --git a/activemodel/test/models/administrator.rb b/activemodel/test/models/administrator.rb
new file mode 100644
index 0000000000..a48f8b064f
--- /dev/null
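Review bot: The new `respond_to?(:attributes_protected_by_default)` guard is evaluated once, when `has_secure_password` runs, so a class that includes `ActiveModel::MassAssignmentSecurity` only after calling `has_secure_password` skips the override and `password_digest` stays mass-assignable without any warning; the removed `attr_protected` line had the same ordering dependency, so this is not a regression, but the constraint is now invisible to a reader. Suggest a comment above the guard: `# Must run after MassAssignmentSecurity is included; otherwise password_digest is left unprotected.` The test hunk in secure_password_test.rb on the same diff line exercises only the include-before-call ordering used by Visitor and Administrator, so a test for the reverse order would pin the behaviour. The enclosing `has_secure_password` method starts before the hunk.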
+++ b/activemodel/test/models/administrator.rb
@@ -0,0 +1,10 @@
+class Administrator
+ include ActiveModel::Validations
+ include ActiveModel::SecurePassword
+ include ActiveModel::MassAssignmentSecurity
+
+ attr_accessor :name, :password_digest
+ attr_accessible :name
+
+ has_secure_password
+end
diff --git a/activemodel/test/models/visitor.rb b/activemodel/test/models/visitor.rb
new file mode 100644
index 0000000000..36c0a16688
--- /dev/null
+++ b/activemodel/test/models/visitor.rb
@@ -0,0 +1,9 @@
+class Visitor
+ include ActiveModel::Validations
+ include ActiveModel::SecurePassword
+ include ActiveModel::MassAssignmentSecurity
+
+ has_secure_password
+
+ attr_accessor :password_digest
+end
|