author | Leon Breedt <bitserf@gmail.com> | 2005-02-28 22:42:24 +0000 |
---|---|---|
committer | Leon Breedt <bitserf@gmail.com> | 2005-02-28 22:42:24 +0000 |
commit | 6b93952ae6866a82adccc3a8c8d022f3ac674c59 (patch) | |
tree | cb66f01dcbce8d64fc62505141b7252d3707c5b8 /actionwebservice | |
parent | 4ba8d08481316e764181db09bba4f7fb2e65807a (diff) | |
add allow_active_record_expects option to ActionWebService::API::Base,
but set the default to false so people don't use it without thinking about
the consequences.
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@815 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
Diffstat (limited to 'actionwebservice')
-rw-r--r-- | actionwebservice/lib/action_web_service/api/base.rb | 8 | ||||
-rw-r--r-- | actionwebservice/test/api_test.rb | 4 |
2 files changed, 11 insertions, 1 deletions
diff --git a/actionwebservice/lib/action_web_service/api/base.rb b/actionwebservice/lib/action_web_service/api/base.rb
index 952c6baa0d..c30c833f9d 100644
--- a/actionwebservice/lib/action_web_service/api/base.rb
+++ b/actionwebservice/lib/action_web_service/api/base.rb
@@ -13,6 +13,12 @@ module ActionWebService # :nodoc:
 # Whether to transform the public API method names into camel-cased names
 class_inheritable_option :inflect_names, true
 
+ # Whether to allow ActiveRecord::Base models in <tt>:expects</tt>.
+ # The default is +false+, you should be aware of the security implications
+ # of allowing this, and ensure that you don't allow remote callers to
+ # easily overwrite data they should not have access to.
+ class_inheritable_option :allow_active_record_expects, false
+
 # If present, the name of a method to call when the remote caller
 # tried to call a nonexistent method. Semantically equivalent to
 # +method_missing+.
@@ -64,7 +70,7 @@ module ActionWebService # :nodoc:
 expects.each do |param|
 klass = WS::BaseTypes.canonical_param_type_class(param)
 klass = klass[0] if klass.is_a?(Array)
- if klass.ancestors.include?(ActiveRecord::Base)
+ if klass.ancestors.include?(ActiveRecord::Base) && !allow_active_record_expects
 raise(ActionWebServiceError, "ActiveRecord model classes not allowed in :expects")
 end
 end
diff --git a/actionwebservice/test/api_test.rb b/actionwebservice/test/api_test.rb
index a84726f0b5..a3679335fc 100644
--- a/actionwebservice/test/api_test.rb
+++ b/actionwebservice/test/api_test.rb
@@ -56,6 +56,10 @@ class TC_API < Test::Unit::TestCase
 api_method :test, :expects => [ActiveRecord::Base]
 end
 end
+ klass = Class.new(ActionWebService::API::Base) do
+ allow_active_record_expects true
+ api_method :test2, :expects => [ActiveRecord::Base]
+ end
 assert_raises(ActionWebService::ActionWebServiceError) do
 klass = Class.new(ActionWebService::API::Base) do
 api_method :test, :invalid => [:int] |
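Review bot: The doc comment added above `class_inheritable_option :allow_active_record_expects, false` refers to "the security implications" without saying what they are, so a reader cannot tell what to check before enabling it. I would spell the risk out, for example `# With this enabled the remote caller supplies the attribute values of the model object your method receives,` followed by `# so do not save or update from that object without checking ownership and filtering the attributes you accept.` How the model is rebuilt from the request is not visible in this hunk, so whether the primary key is also caller-controlled should be confirmed and stated in the comment. The comment should also say that the option has to be set before the `api_method` declarations it is meant to cover.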
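Review bot: The new `&& !allow_active_record_expects` guard makes the opt-in depend on declaration order and apply to the whole API class rather than to a single method. The flag is read while `:expects` is being validated, which judging by the test file happens when `api_method` is declared. Setting `allow_active_record_expects true` after a declaration would therefore still raise, and once it is set every later method in the class may take models from remote callers; being a `class_inheritable_option`, it presumably carries into subclasses as well. A comment at the check such as `# read at declaration time: the option must be set before api_method and then covers every later method in this class` would make that visible, and a per-method opt-in would keep the exposure narrower. The enclosing method starts and ends outside the hunk.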
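Review bot: The added opt-in case asserts nothing: it passes only because `Class.new` does not raise, and the `klass` it assigns is never inspected. Wrapping it as `assert_nothing_raised do ... end` would state the intent. A second case that sets `allow_active_record_expects true` after the `api_method` line would pin the ordering behaviour, and one for a subclass of an opted-in API class would show whether the setting is inherited. The test method this belongs to starts and ends outside the hunk.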