aboutsummaryrefslogtreecommitdiffstats
path: root/activemodel
diff options
context:
space:
mode:
authorJosé Valim <jose.valim@plataformatec.com.br>2012-02-15 05:21:20 -0800
committerJosé Valim <jose.valim@gmail.com>2012-02-15 14:24:35 +0100
commita1b9acb72ec4b3a3d11f77efe64effb79e58b45d (patch)
treead7ca8bb436c93035daf0ae45f92a22b3c5355b8 /activemodel
parent201e67ed365c797795df09fcb8a7bc7ecfdbb30d (diff)
downloadrails-a1b9acb72ec4b3a3d11f77efe64effb79e58b45d.tar.gz
rails-a1b9acb72ec4b3a3d11f77efe64effb79e58b45d.tar.bz2
rails-a1b9acb72ec4b3a3d11f77efe64effb79e58b45d.zip
Merge pull request #5049 from fabioyamate/master
Fix sanitize_for_mass_assigment when role is nil
Diffstat (limited to 'activemodel')
-rw-r--r--activemodel/lib/active_model/mass_assignment_security.rb6
-rw-r--r--activemodel/test/cases/mass_assignment_security_test.rb7
2 files changed, 10 insertions, 3 deletions
diff --git a/activemodel/lib/active_model/mass_assignment_security.rb b/activemodel/lib/active_model/mass_assignment_security.rb
index 3f9feb7631..e1fb1e3231 100644
--- a/activemodel/lib/active_model/mass_assignment_security.rb
+++ b/activemodel/lib/active_model/mass_assignment_security.rb
@@ -224,12 +224,12 @@ module ActiveModel
protected
- def sanitize_for_mass_assignment(attributes, role = :default)
+ def sanitize_for_mass_assignment(attributes, role = nil)
_mass_assignment_sanitizer.sanitize(attributes, mass_assignment_authorizer(role))
end
- def mass_assignment_authorizer(role = :default)
- self.class.active_authorizer[role]
+ def mass_assignment_authorizer(role)
+ self.class.active_authorizer[role || :default]
end
end
end
diff --git a/activemodel/test/cases/mass_assignment_security_test.rb b/activemodel/test/cases/mass_assignment_security_test.rb
index be07e59a2f..a197dbe748 100644
--- a/activemodel/test/cases/mass_assignment_security_test.rb
+++ b/activemodel/test/cases/mass_assignment_security_test.rb
@@ -19,6 +19,13 @@ class MassAssignmentSecurityTest < ActiveModel::TestCase
assert_equal expected, sanitized
end
+ def test_attribute_protection_when_role_is_nil
+ user = User.new
+ expected = { "name" => "John Smith", "email" => "john@smith.com" }
+ sanitized = user.sanitize_for_mass_assignment(expected.merge("admin" => true), nil)
+ assert_equal expected, sanitized
+ end
+
def test_only_moderator_role_attribute_accessible
user = SpecialUser.new
expected = { "name" => "John Smith", "email" => "john@smith.com" }