diff options
| author | David Heinemeier Hansson <david@loudthinking.com> | 2012-09-18 12:33:13 -0700 |
|---|---|---|
| committer | David Heinemeier Hansson <david@loudthinking.com> | 2012-09-18 12:33:13 -0700 |
| commit | c49d959e9d40101f1712a452004695f4ce27d84c (patch) | |
| tree | f87077668c14ed414e3d819212b0813e74551c8f /railties/lib/rails | |
| parent | ade701045f0f80399d99151e5583d4f86c68678e (diff) | |
| parent | 3919fcd61ef999aab9397332ce3017870b184766 (diff) | |
| download | rails-c49d959e9d40101f1712a452004695f4ce27d84c.tar.gz rails-c49d959e9d40101f1712a452004695f4ce27d84c.tar.bz2 rails-c49d959e9d40101f1712a452004695f4ce27d84c.zip | |
Merge pull request #7251 from rails/integrate-strong_parameters
Integrate strong_parameters in Rails 4
Diffstat (limited to 'railties/lib/rails')
5 files changed, 16 insertions, 15 deletions
diff --git a/railties/lib/rails/generators/rails/app/templates/config/application.rb b/railties/lib/rails/generators/rails/app/templates/config/application.rb index 09b08d5663..f7d8f718de 100644 --- a/railties/lib/rails/generators/rails/app/templates/config/application.rb +++ b/railties/lib/rails/generators/rails/app/templates/config/application.rb @@ -46,11 +46,6 @@ module <%= app_const_base %> # like if you have constraints or database-specific column types. # config.active_record.schema_format = :sql - # Enforce whitelist mode for mass assignment. - # This will create an empty whitelist of attributes available for mass-assignment for all models - # in your app. As such, your models will need to explicitly whitelist or blacklist accessible - # parameters by using an attr_accessible or attr_protected declaration. - <%= comment_if :skip_active_record %>config.active_record.whitelist_attributes = true <% unless options.skip_sprockets? -%> # Enable the asset pipeline. diff --git a/railties/lib/rails/generators/rails/app/templates/config/environments/development.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/environments/development.rb.tt index bcd0e7c898..6b5b3a0b1f 100644 --- a/railties/lib/rails/generators/rails/app/templates/config/environments/development.rb.tt +++ b/railties/lib/rails/generators/rails/app/templates/config/environments/development.rb.tt @@ -23,9 +23,6 @@ config.action_dispatch.best_standards_support = :builtin <%- unless options.skip_active_record? -%> - # Raise exception on mass assignment protection for Active Record models. - config.active_record.mass_assignment_sanitizer = :strict - # Log the query plan for queries taking more than this (works # with SQLite, MySQL, and PostgreSQL). config.active_record.auto_explain_threshold_in_seconds = 0.5 diff --git a/railties/lib/rails/generators/rails/app/templates/config/environments/test.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/environments/test.rb.tt index 75897ba8cd..202fc98adf 100644 --- a/railties/lib/rails/generators/rails/app/templates/config/environments/test.rb.tt +++ b/railties/lib/rails/generators/rails/app/templates/config/environments/test.rb.tt @@ -31,11 +31,6 @@ # ActionMailer::Base.deliveries array. config.action_mailer.delivery_method = :test - <%- unless options.skip_active_record? -%> - # Raise exception on mass assignment protection for Active Record models. - config.active_record.mass_assignment_sanitizer = :strict - <%- end -%> - # Print deprecation notices to the stderr. config.active_support.deprecation = :stderr diff --git a/railties/lib/rails/generators/rails/scaffold_controller/scaffold_controller_generator.rb b/railties/lib/rails/generators/rails/scaffold_controller/scaffold_controller_generator.rb index 0618b16984..f30ad6e20d 100644 --- a/railties/lib/rails/generators/rails/scaffold_controller/scaffold_controller_generator.rb +++ b/railties/lib/rails/generators/rails/scaffold_controller/scaffold_controller_generator.rb @@ -10,6 +10,8 @@ module Rails class_option :orm, :banner => "NAME", :type => :string, :required => true, :desc => "ORM to generate the controller for" + argument :attributes, :type => :array, :default => [], :banner => "field:type field:type" + def create_controller_files template "controller.rb", File.join('app/controllers', class_path, "#{controller_file_name}_controller.rb") end diff --git a/railties/lib/rails/generators/rails/scaffold_controller/templates/controller.rb b/railties/lib/rails/generators/rails/scaffold_controller/templates/controller.rb index b3e74f9b02..5d038d20e7 100644 --- a/railties/lib/rails/generators/rails/scaffold_controller/templates/controller.rb +++ b/railties/lib/rails/generators/rails/scaffold_controller/templates/controller.rb @@ -45,7 +45,7 @@ class <%= controller_class_name %>Controller < ApplicationController # POST <%= route_url %> # POST <%= route_url %>.json def create - @<%= singular_table_name %> = <%= orm_class.build(class_name, "params[:#{singular_table_name}]") %> + @<%= singular_table_name %> = <%= orm_class.build(class_name, "#{singular_table_name}_params") %> respond_to do |format| if @<%= orm_instance.save %> @@ -64,7 +64,7 @@ class <%= controller_class_name %>Controller < ApplicationController @<%= singular_table_name %> = <%= orm_class.find(class_name, "params[:id]") %> respond_to do |format| - if @<%= orm_instance.update_attributes("params[:#{singular_table_name}]") %> + if @<%= orm_instance.update_attributes("#{singular_table_name}_params") %> format.html { redirect_to @<%= singular_table_name %>, notice: <%= "'#{human_name} was successfully updated.'" %> } format.json { head :no_content } else @@ -85,5 +85,17 @@ class <%= controller_class_name %>Controller < ApplicationController format.json { head :no_content } end end + + private + + # Use this method to whitelist the permissible parameters. Example: params.require(:person).permit(:name, :age) + # Also, you can specialize this method with per-user checking of permissible attributes. + def <%= "#{singular_table_name}_params" %> + <%- if attributes.empty? -%> + params[<%= ":#{singular_table_name}" %>] + <%- else -%> + params.require(<%= ":#{singular_table_name}" %>).permit(<%= attributes.map {|a| ":#{a.name}" }.sort.join(', ') %>) + <%- end -%> + end end <% end -%> |