aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--activemodel/lib/active_model/mass_assignment_security.rb10
-rw-r--r--activemodel/test/cases/mass_assignment_security_test.rb14
-rw-r--r--activemodel/test/models/mass_assignment_specific.rb10
3 files changed, 31 insertions, 3 deletions
diff --git a/activemodel/lib/active_model/mass_assignment_security.rb b/activemodel/lib/active_model/mass_assignment_security.rb
index a7b4706906..ff8732a33e 100644
--- a/activemodel/lib/active_model/mass_assignment_security.rb
+++ b/activemodel/lib/active_model/mass_assignment_security.rb
@@ -111,7 +111,10 @@ module ActiveModel
role = options[:as] || :default
self._protected_attributes = protected_attributes_configs.dup
- self._protected_attributes[role] = self.protected_attributes(role) + args
+
+ Array(role).each do |name|
+ self._protected_attributes[name] = self.protected_attributes(name) + args
+ end
self._active_authorizer = self._protected_attributes
end
@@ -170,7 +173,10 @@ module ActiveModel
role = options[:as] || :default
self._accessible_attributes = accessible_attributes_configs.dup
- self._accessible_attributes[role] = self.accessible_attributes(role) + args
+
+ Array(role).each do |name|
+ self._accessible_attributes[name] = self.accessible_attributes(name) + args
+ end
self._active_authorizer = self._accessible_attributes
end
diff --git a/activemodel/test/cases/mass_assignment_security_test.rb b/activemodel/test/cases/mass_assignment_security_test.rb
index a778240827..be07e59a2f 100644
--- a/activemodel/test/cases/mass_assignment_security_test.rb
+++ b/activemodel/test/cases/mass_assignment_security_test.rb
@@ -43,6 +43,20 @@ class MassAssignmentSecurityTest < ActiveModel::TestCase
assert_equal expected, sanitized
end
+ def test_attributes_accessible_with_roles_given_as_array
+ user = Account.new
+ expected = { "name" => "John Smith", "email" => "john@smith.com" }
+ sanitized = user.sanitize_for_mass_assignment(expected.merge("admin" => true))
+ assert_equal expected, sanitized
+ end
+
+ def test_attributes_accessible_with_admin_role_when_roles_given_as_array
+ user = Account.new
+ expected = { "name" => "John Smith", "email" => "john@smith.com", "admin" => true }
+ sanitized = user.sanitize_for_mass_assignment(expected.merge("super_powers" => true), :admin)
+ assert_equal expected, sanitized
+ end
+
def test_attributes_protected_by_default
firm = Firm.new
expected = { }
diff --git a/activemodel/test/models/mass_assignment_specific.rb b/activemodel/test/models/mass_assignment_specific.rb
index 53b37369ff..1d123fa58c 100644
--- a/activemodel/test/models/mass_assignment_specific.rb
+++ b/activemodel/test/models/mass_assignment_specific.rb
@@ -20,6 +20,14 @@ class Person
public :sanitize_for_mass_assignment
end
+class Account
+ include ActiveModel::MassAssignmentSecurity
+ attr_accessible :name, :email, :as => [:default, :admin]
+ attr_accessible :admin, :as => :admin
+
+ public :sanitize_for_mass_assignment
+end
+
class Firm
include ActiveModel::MassAssignmentSecurity
@@ -65,4 +73,4 @@ end
class TightDescendant < TightPerson
attr_accessible :phone_number
attr_accessible :super_powers, :as => :admin
-end \ No newline at end of file
+end