-rw-r--r--actionwebservice/lib/action_web_service/api/base.rb8
-rw-r--r--actionwebservice/test/api_test.rb4
2 files changed, 11 insertions, 1 deletions
diff --git a/actionwebservice/lib/action_web_service/api/base.rb b/actionwebservice/lib/action_web_service/api/base.rb
index 952c6baa0d..c30c833f9d 100644
--- a/actionwebservice/lib/action_web_service/api/base.rb
+++ b/actionwebservice/lib/action_web_service/api/base.rb
@@ -13,6 +13,12 @@ module ActionWebService # :nodoc:
# Whether to transform the public API method names into camel-cased names
class_inheritable_option :inflect_names, true
+ # Whether to allow ActiveRecord::Base models in <tt>:expects</tt>.
+ # The default is +false+, you should be aware of the security implications
+ # of allowing this, and ensure that you don't allow remote callers to
+ # easily overwrite data they should not have access to.
+ class_inheritable_option :allow_active_record_expects, false
+
# If present, the name of a method to call when the remote caller
# tried to call a nonexistent method. Semantically equivalent to
# +method_missing+.
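Review bot: The doc comment added above `allow_active_record_expects` (the hunk's third through fifth lines) says there are "security implications" without stating what they are, so a reader enabling the option learns only that something is risky. Since a model class in <tt>:expects</tt> means the instance passed to the API method is built from whatever the remote caller sent, the comment should name that and say what the author is expected to do about it, e.g. `# When enabled, a model given in :expects is instantiated from caller-supplied` / `# attributes; the API method must check ownership and permitted attributes` / `# before saving or otherwise acting on it.` That keeps the existing warning but makes it actionable. The enclosing class body continues outside the hunk.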
@@ -64,7 +70,7 @@ module ActionWebService # :nodoc:
expects.each do |param|
klass = WS::BaseTypes.canonical_param_type_class(param)
klass = klass[0] if klass.is_a?(Array)
- if klass.ancestors.include?(ActiveRecord::Base)
+ if klass.ancestors.include?(ActiveRecord::Base) && !allow_active_record_expects
raise(ActionWebServiceError, "ActiveRecord model classes not allowed in :expects")
end
end
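Review bot: The error raised on the line after the changed condition still reads as if ActiveRecord models were categorically forbidden, although the new `&& !allow_active_record_expects` makes this a configurable policy; someone hitting it has no pointer to the option or to the security note attached to it. Suggest `raise(ActionWebServiceError, "ActiveRecord model classes not allowed in :expects (see allow_active_record_expects)")` so the message leads to the documented caveat rather than to a search of the source. The method containing this `expects.each` loop starts and ends outside the hunk.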
diff --git a/actionwebservice/test/api_test.rb b/actionwebservice/test/api_test.rb
index a84726f0b5..a3679335fc 100644
--- a/actionwebservice/test/api_test.rb
+++ b/actionwebservice/test/api_test.rb
@@ -56,6 +56,10 @@ class TC_API < Test::Unit::TestCase
api_method :test, :expects => [ActiveRecord::Base]
end
end
+ klass = Class.new(ActionWebService::API::Base) do
+ allow_active_record_expects true
+ api_method :test2, :expects => [ActiveRecord::Base]
+ end
assert_raises(ActionWebService::ActionWebServiceError) do
klass = Class.new(ActionWebService::API::Base) do
api_method :test, :invalid => [:int]
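Review bot: The new `Class.new(ActionWebService::API::Base)` block with `allow_active_record_expects true` asserts nothing; it only passes because no exception happens to be raised, and it reuses the `klass` local from the preceding `assert_raises` without using it. Wrapping it makes the intent explicit and gives a meaningful failure message if the option stops working: `assert_nothing_raised do` before the `klass = Class.new(...)` line and a matching `end` after the block. The test method this sits in starts and ends outside the hunk.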