author | Josh Kalderimis <josh.kalderimis@gmail.com> | 2011-05-08 16:42:00 +0200 |
committer | Josh Kalderimis <josh.kalderimis@gmail.com> | 2011-05-08 16:43:29 +0200 |
commit | b2451f4a7fa4fe20dff278edd33fe8a4b1d65be7 (patch) | |
tree | 305ee339919672e28c9937b76420300de7221b0f /activemodel | |
parent | 9727dd1e385aaa188a198d86102a840ebcc625e8 (diff) | |
download | rails-b2451f4a7fa4fe20dff278edd33fe8a4b1d65be7.tar.gz rails-b2451f4a7fa4fe20dff278edd33fe8a4b1d65be7.tar.bz2 rails-b2451f4a7fa4fe20dff278edd33fe8a4b1d65be7.zip |
renamed mass-assignment scopes to roles, updated code, tests, docs and security guide
Diffstat (limited to 'activemodel')
-rw-r--r-- | activemodel/lib/active_model/mass_assignment_security.rb | 46 | ||||
-rw-r--r-- | activemodel/test/cases/mass_assignment_security_test.rb | 4 |
2 files changed, 25 insertions, 25 deletions
diff --git a/activemodel/lib/active_model/mass_assignment_security.rb b/activemodel/lib/active_model/mass_assignment_security.rb
index 01eef762fd..483b577681 100644
--- a/activemodel/lib/active_model/mass_assignment_security.rb
+++ b/activemodel/lib/active_model/mass_assignment_security.rb
@@ -35,17 +35,17 @@ module ActiveModel
 # protected
 #
 # def account_params
- # scope = admin ? :admin : :default
- # sanitize_for_mass_assignment(params[:account], scope)
+ # role = admin ? :admin : :default
+ # sanitize_for_mass_assignment(params[:account], role)
 # end
 #
 # end
 #
 module ClassMethods
 # Attributes named in this macro are protected from mass-assignment
- # whenever attributes are sanitized before assignment. A scope for the
- # attributes is optional, if no scope is provided then :default is used.
- # A scope can be defined by using the :as option.
+ # whenever attributes are sanitized before assignment. A role for the
+ # attributes is optional, if no role is provided then :default is used.
+ # A role can be defined by using the :as option.
 #
 # Mass-assignment to these attributes will simply be ignored, to assign
 # to them you can use direct writer methods. This is meant to protect
@@ -67,7 +67,7 @@ module ActiveModel
 # end
 # end
 #
- # When using a :default scope :
+ # When using the :default role :
 #
 # customer = Customer.new
 # customer.assign_attributes({ "name" => "David", "credit_rating" => "Excellent", :last_login => 1.day.ago }, :as => :default)
@@ -78,7 +78,7 @@ module ActiveModel
 # customer.credit_rating = "Average"
 # customer.credit_rating # => "Average"
 #
- # And using the :admin scope :
+ # And using the :admin role :
 #
 # customer = Customer.new
 # customer.assign_attributes({ "name" => "David", "credit_rating" => "Excellent", :last_login => 1.day.ago }, :as => :admin)
@@ -93,10 +93,10 @@ module ActiveModel
 # to sanitize attributes won't provide sufficient protection.
 def attr_protected(*args)
 options = args.extract_options!
- scope = options[:as] || :default
+ role = options[:as] || :default
 self._protected_attributes = protected_attributes_configs.dup
- self._protected_attributes[scope] = self.protected_attributes(scope) + args
+ self._protected_attributes[role] = self.protected_attributes(role) + args
 self._active_authorizer = self._protected_attributes
 end
@@ -104,8 +104,8 @@ module ActiveModel
 # Specifies a white list of model attributes that can be set via
 # mass-assignment.
 #
- # Like +attr_protected+, a scope for the attributes is optional,
- # if no scope is provided then :default is used. A scope can be defined by
+ # Like +attr_protected+, a role for the attributes is optional,
+ # if no role is provided then :default is used. A role can be defined by
 # using the :as option.
 #
 # This is the opposite of the +attr_protected+ macro: Mass-assignment
@@ -131,7 +131,7 @@ module ActiveModel
 # end
 # end
 #
- # When using a :default scope :
+ # When using the :default role :
 #
 # customer = Customer.new
 # customer.assign_attributes({ "name" => "David", "credit_rating" => "Excellent", :last_login => 1.day.ago }, :as => :default)
@@ -141,7 +141,7 @@ module ActiveModel
 # customer.credit_rating = "Average"
 # customer.credit_rating # => "Average"
 #
- # And using the :admin scope :
+ # And using the :admin role :
 #
 # customer = Customer.new
 # customer.assign_attributes({ "name" => "David", "credit_rating" => "Excellent", :last_login => 1.day.ago }, :as => :admin)
@@ -152,20 +152,20 @@ module ActiveModel
 # to sanitize attributes won't provide sufficient protection.
 def attr_accessible(*args)
 options = args.extract_options!
- scope = options[:as] || :default
+ role = options[:as] || :default
 self._accessible_attributes = accessible_attributes_configs.dup
- self._accessible_attributes[scope] = self.accessible_attributes(scope) + args
+ self._accessible_attributes[role] = self.accessible_attributes(role) + args
 self._active_authorizer = self._accessible_attributes
 end
- def protected_attributes(scope = :default)
- protected_attributes_configs[scope]
+ def protected_attributes(role = :default)
+ protected_attributes_configs[role]
 end
- def accessible_attributes(scope = :default)
- accessible_attributes_configs[scope]
+ def accessible_attributes(role = :default)
+ accessible_attributes_configs[role]
 end
 def active_authorizers
@@ -198,12 +198,12 @@ module ActiveModel
 protected
- def sanitize_for_mass_assignment(attributes, scope = :default)
- mass_assignment_authorizer(scope).sanitize(attributes)
+ def sanitize_for_mass_assignment(attributes, role = :default)
+ mass_assignment_authorizer(role).sanitize(attributes)
 end
- def mass_assignment_authorizer(scope = :default)
- self.class.active_authorizer[scope]
+ def mass_assignment_authorizer(role = :default)
+ self.class.active_authorizer[role]
 end
 end
 end
diff --git a/activemodel/test/cases/mass_assignment_security_test.rb b/activemodel/test/cases/mass_assignment_security_test.rb
index b22ce874ea..43a12eed61 100644
--- a/activemodel/test/cases/mass_assignment_security_test.rb
+++ b/activemodel/test/cases/mass_assignment_security_test.rb
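Review bot: `mass_assignment_authorizer(role)` in the @@ -198 hunk remains a plain Hash index, `self.class.active_authorizer[role]`, so an unconfigured or misspelled role does not fail loudly but yields whatever that hash returns for a missing key (the hash and any default it carries are defined outside this hunk), and the rename leaves that unchanged. Because `sanitize_for_mass_assignment(attributes, role = :default)` takes the role as a caller-supplied argument, I would state the contract on it: `# +role+ selects which attr_accessible/attr_protected list applies; derive it from application state (the example above uses +admin+), never from the incoming attributes hash — an unknown role is only a missing-key lookup on active_authorizer.` The public class methods `protected_attributes(role = :default)` and `accessible_attributes(role = :default)` in the @@ -152 hunk carry no comment at all and would benefit from a one-liner each saying they return the per-role list from the configs hash. The enclosing module closes inside the @@ -198 hunk, and `attr_accessible`'s RDoc begins before the @@ -152 hunk.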
@@ -10,7 +10,7 @@ class MassAssignmentSecurityTest < ActiveModel::TestCase
 assert_equal expected, sanitized
 end
- def test_only_moderator_scope_attribute_accessible
+ def test_only_moderator_role_attribute_accessible
 user = SpecialUser.new
 expected = { "name" => "John Smith", "email" => "john@smith.com" }
 sanitized = user.sanitize_for_mass_assignment(expected.merge("admin" => true), :moderator)
@@ -27,7 +27,7 @@ class MassAssignmentSecurityTest < ActiveModel::TestCase
 assert_equal expected, sanitized
 end
- def test_admin_scoped_attributes_accessible
+ def test_attributes_accessible_with_admin_role
 user = Person.new
 expected = { "name" => "John Smith", "email" => "john@smith.com", "admin" => true }
 sanitized = user.sanitize_for_mass_assignment(expected.merge("super_powers" => true), :admin) |