diff options
author | Eric Chapweske <ericis@gmail.com> | 2010-01-29 17:02:12 -0800 |
---|---|---|
committer | José Valim <jose.valim@gmail.com> | 2010-07-08 18:28:32 +0200 |
commit | 606088df3f10dd8daec8ccc97d8279c119a503b5 (patch) | |
tree | 14709f7367901dd107e73c6f3c30967e9159e70b /activerecord/lib/active_record/mass_assignment_security | |
parent | 723a0bbe3a8737a099cd995a397b919b1957413d (diff) | |
download | rails-606088df3f10dd8daec8ccc97d8279c119a503b5.tar.gz rails-606088df3f10dd8daec8ccc97d8279c119a503b5.tar.bz2 rails-606088df3f10dd8daec8ccc97d8279c119a503b5.zip |
Mass assignment security refactoring
Signed-off-by: José Valim <jose.valim@gmail.com>
Diffstat (limited to 'activerecord/lib/active_record/mass_assignment_security')
-rw-r--r-- | activerecord/lib/active_record/mass_assignment_security/permission_set.rb | 44 | ||||
-rw-r--r-- | activerecord/lib/active_record/mass_assignment_security/sanitizer.rb | 27 |
2 files changed, 71 insertions, 0 deletions
diff --git a/activerecord/lib/active_record/mass_assignment_security/permission_set.rb b/activerecord/lib/active_record/mass_assignment_security/permission_set.rb new file mode 100644 index 0000000000..1d34dce02e --- /dev/null +++ b/activerecord/lib/active_record/mass_assignment_security/permission_set.rb @@ -0,0 +1,44 @@ +require 'active_record/mass_assignment_security/sanitizer' + +module ActiveRecord + module MassAssignmentSecurity + class PermissionSet < Set + + attr_accessor :logger + + def merge(values) + super(values.map(&:to_s)) + end + + def include?(key) + super(remove_multiparameter_id(key)) + end + + protected + + def remove_multiparameter_id(key) + key.gsub(/\(.+/, '') + end + + end + + class WhiteList < PermissionSet + include Sanitizer + + def deny?(key) + !include?(key) + end + + end + + class BlackList < PermissionSet + include Sanitizer + + def deny?(key) + include?(key) + end + + end + + end +end
\ No newline at end of file diff --git a/activerecord/lib/active_record/mass_assignment_security/sanitizer.rb b/activerecord/lib/active_record/mass_assignment_security/sanitizer.rb new file mode 100644 index 0000000000..4a099a147c --- /dev/null +++ b/activerecord/lib/active_record/mass_assignment_security/sanitizer.rb @@ -0,0 +1,27 @@ +module ActiveRecord + module MassAssignmentSecurity + module Sanitizer + + # Returns all attributes not denied by the authorizer. + def sanitize(attributes) + sanitized_attributes = attributes.reject { |key, value| deny?(key) } + debug_protected_attribute_removal(attributes, sanitized_attributes) if debug? + sanitized_attributes + end + + protected + + def debug_protected_attribute_removal(attributes, sanitized_attributes) + removed_keys = attributes.keys - sanitized_attributes.keys + if removed_keys.any? + logger.debug "WARNING: Can't mass-assign protected attributes: #{removed_keys.join(', ')}" + end + end + + def debug? + logger.present? + end + + end + end +end |