authorJosé Valim <jose.valim@gmail.com>2011-08-01 04:50:06 -0700
committerJosé Valim <jose.valim@gmail.com>2011-08-01 04:50:06 -0700
commit6b3af028acdd8c97b7b6088117a042ddfd7f3038 (patch)
treed70bff398e2702b7d8cea400f9b2d56be3dd28a1 /activemodel
parent860202e8b2e3579402d48d7e56fa738a9529a340 (diff)
parentb93a918337e99c3fe3ad059f093b1ee56b9e6a7d (diff)
downloadrails-6b3af028acdd8c97b7b6088117a042ddfd7f3038.tar.gz
rails-6b3af028acdd8c97b7b6088117a042ddfd7f3038.tar.bz2
rails-6b3af028acdd8c97b7b6088117a042ddfd7f3038.zip
Merge pull request #2385 from bogdan/test_default_sanitizer2
MassAssignmentProtection: consider 'id' insensitive in StrictSanitizer
Diffstat (limited to 'activemodel')
-rw-r--r--activemodel/lib/active_model/mass_assignment_security/sanitizer.rb5
-rw-r--r--activemodel/test/cases/mass_assignment_security/sanitizer_test.rb10
2 files changed, 14 insertions, 1 deletions
diff --git a/activemodel/lib/active_model/mass_assignment_security/sanitizer.rb b/activemodel/lib/active_model/mass_assignment_security/sanitizer.rb
index bb0526adc3..bbdddfb50d 100644
--- a/activemodel/lib/active_model/mass_assignment_security/sanitizer.rb
+++ b/activemodel/lib/active_model/mass_assignment_security/sanitizer.rb
@@ -44,8 +44,13 @@ module ActiveModel
class StrictSanitizer < Sanitizer
def process_removed_attributes(attrs)
+ return if (attrs - insensitive_attributes).empty?
raise ActiveModel::MassAssignmentSecurity::Error, "Can't mass-assign protected attributes: #{attrs.join(', ')}"
end
+
+ def insensitive_attributes
+ ['id']
+ end
end
class Error < StandardError
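Review bot: The raise on the line after the new guard still interpolates the full `attrs` list, so a payload carrying `id` together with another protected key is reported with `id` named as a protected attribute even though this change deliberately exempts it. Compute the filtered list once and use it for both the guard and the message: `offending = attrs - insensitive_attributes`, `return if offending.empty?`, `raise ActiveModel::MassAssignmentSecurity::Error, "Can't mass-assign protected attributes: #{offending.join(', ')}"`. The exemption is string-exact (`'id'`), so a symbol key `:id` would still raise; that fails closed, but it is worth stating in a comment if callers outside this hunk can pass symbol keys. Since StrictSanitizer exists to surface mass-assignment attempts, `insensitive_attributes` deserves a why-comment such as `# 'id' is presumably still stripped by the caller (not shown here); it is only excluded from the error so strict mode does not reject payloads that echo a record id back — confirm`, and logging the dropped key instead of returning silently would keep the attempt visible.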
diff --git a/activemodel/test/cases/mass_assignment_security/sanitizer_test.rb b/activemodel/test/cases/mass_assignment_security/sanitizer_test.rb
index 62a6ec9c9b..676937b5e1 100644
--- a/activemodel/test/cases/mass_assignment_security/sanitizer_test.rb
+++ b/activemodel/test/cases/mass_assignment_security/sanitizer_test.rb
@@ -7,7 +7,7 @@ class SanitizerTest < ActiveModel::TestCase
class Authorizer < ActiveModel::MassAssignmentSecurity::PermissionSet
def deny?(key)
- key.in?(['admin'])
+ ['admin', 'id'].include?(key)
end
end
@@ -40,4 +40,12 @@ class SanitizerTest < ActiveModel::TestCase
end
end
+ test "mass assignment insensitive attributes" do
+ original_attributes = {'id' => 1, 'first_name' => 'allowed'}
+
+ assert_nothing_raised do
+ @strict_sanitizer.sanitize(original_attributes, @authorizer)
+ end
+ end
+
end
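Review bot: The new test only asserts that no exception is raised; it never checks that `id` was actually removed from the returned hash, so a regression that stops stripping `id` and lets it through would still pass. It also leaves the other half of the new guard untested: `id` combined with a genuinely protected key such as `admin` must still raise. Capture the result of `sanitize` and add the mixed case (the expected hash assumes `sanitize` returns the filtered attributes, which this hunk does not show).
```ruby
  test "mass assignment insensitive attributes" do
    original_attributes = {'id' => 1, 'first_name' => 'allowed'}

    sanitized = nil
    assert_nothing_raised do
      sanitized = @strict_sanitizer.sanitize(original_attributes, @authorizer)
    end
    assert_equal({'first_name' => 'allowed'}, sanitized)
  end

  test "mass assignment of id with another protected attribute still raises" do
    assert_raises(ActiveModel::MassAssignmentSecurity::Error) do
      @strict_sanitizer.sanitize({'id' => 1, 'admin' => true}, @authorizer)
    end
  end
```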