Diffstat (limited to 'activemodel/lib/active_model/mass_assignment_security.rb')
-rw-r--r--activemodel/lib/active_model/mass_assignment_security.rb40
1 files changed, 20 insertions, 20 deletions
diff --git a/activemodel/lib/active_model/mass_assignment_security.rb b/activemodel/lib/active_model/mass_assignment_security.rb
index 13495d6786..8f2c0bf00a 100644
--- a/activemodel/lib/active_model/mass_assignment_security.rb
+++ b/activemodel/lib/active_model/mass_assignment_security.rb
@@ -9,13 +9,11 @@ module ActiveModel
extend ActiveSupport::Concern
included do
- extend ActiveModel::Configuration
+ class_attribute :_accessible_attributes, instance_writer: false
+ class_attribute :_protected_attributes, instance_writer: false
+ class_attribute :_active_authorizer, instance_writer: false
- config_attribute :_accessible_attributes
- config_attribute :_protected_attributes
- config_attribute :_active_authorizer
-
- config_attribute :_mass_assignment_sanitizer
+ class_attribute :_mass_assignment_sanitizer, instance_writer: false
self.mass_assignment_sanitizer = :logger
end
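Review bot: The four `class_attribute` declarations replace `config_attribute` without saying why the instance writer is disabled, and a reader of the `included` block cannot tell whether the instance readers that `class_attribute` still generates are wanted; a one-line comment above the first declaration, `# Class-level policy only: subclasses may override, instances must not reassign.`, would record the intent. A `class_attribute` value is shared with subclasses until a subclass assigns its own, so if `attr_protected`/`attr_accessible` (outside this hunk) ever mutate `_protected_attributes` or `_accessible_attributes` in place instead of reassigning, one model's protection list would leak into its parent and sibling models — that this is not the case is worth confirming, since `config_attribute` may have had different inheritance semantics. The enclosing module begins before this hunk.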
@@ -62,7 +60,7 @@ module ActiveModel
# Attributes named in this macro are protected from mass-assignment
# whenever attributes are sanitized before assignment. A role for the
# attributes is optional, if no role is provided then :default is used.
- # A role can be defined by using the :as option.
+ # A role can be defined by using the :as option with a symbol or an array of symbols as the value.
#
# Mass-assignment to these attributes will simply be ignored, to assign
# to them you can use direct writer methods. This is meant to protect
@@ -85,7 +83,7 @@ module ActiveModel
# end
# end
#
- # When using the :default role :
+ # When using the :default role:
#
# customer = Customer.new
# customer.assign_attributes({ "name" => "David", "email" => "a@b.com", :logins_count => 5 }, :as => :default)
@@ -93,7 +91,7 @@ module ActiveModel
# customer.email # => "a@b.com"
# customer.logins_count # => nil
#
- # And using the :admin role :
+ # And using the :admin role:
#
# customer = Customer.new
# customer.assign_attributes({ "name" => "David", "email" => "a@b.com", :logins_count => 5}, :as => :admin)
@@ -107,8 +105,9 @@ module ActiveModel
# To start from an all-closed default and enable attributes as needed,
# have a look at +attr_accessible+.
#
- # Note that using <tt>Hash#except</tt> or <tt>Hash#slice</tt> in place of +attr_protected+
- # to sanitize attributes won't provide sufficient protection.
+ # Note that using <tt>Hash#except</tt> or <tt>Hash#slice</tt> in place of
+ # +attr_protected+ to sanitize attributes provides basically the same
+ # functionality, but it makes a bit tricky to deal with nested attributes.
def attr_protected(*args)
options = args.extract_options!
role = options[:as] || :default
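Review bot: The rewritten note now claims `Hash#except`/`Hash#slice` provide "basically the same functionality" as `attr_protected`, which overstates the equivalence: the macro is enforced by the model on every mass-assignment, whereas slicing the hash protects only the call sites where it is applied, so a forgotten or new caller bypasses it. I would qualify the sentence, e.g. `# Note that using <tt>Hash#except</tt> or <tt>Hash#slice</tt> at the call site filters the same keys, but only where it is applied — the macro is enforced on every mass-assignment — and it is tricky to apply to nested attributes.`. The same sentence also has a grammar slip, `it makes a bit tricky` should read `it makes it a bit tricky`. Both points apply equally to the parallel paragraph added for +attr_accessible+ in the later hunk of this file.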
@@ -127,7 +126,7 @@ module ActiveModel
#
# Like +attr_protected+, a role for the attributes is optional,
# if no role is provided then :default is used. A role can be defined by
- # using the :as option.
+ # using the :as option with a symbol or an array of symbols as the value.
#
# This is the opposite of the +attr_protected+ macro: Mass-assignment
# will only set attributes in this list, to assign to the rest of
@@ -152,7 +151,7 @@ module ActiveModel
# end
# end
#
- # When using the :default role :
+ # When using the :default role:
#
# customer = Customer.new
# customer.assign_attributes({ "name" => "David", "credit_rating" => "Excellent", :last_login => 1.day.ago }, :as => :default)
@@ -162,15 +161,16 @@ module ActiveModel
# customer.credit_rating = "Average"
# customer.credit_rating # => "Average"
#
- # And using the :admin role :
+ # And using the :admin role:
#
# customer = Customer.new
# customer.assign_attributes({ "name" => "David", "credit_rating" => "Excellent", :last_login => 1.day.ago }, :as => :admin)
# customer.name # => "David"
# customer.credit_rating # => "Excellent"
#
- # Note that using <tt>Hash#except</tt> or <tt>Hash#slice</tt> in place of +attr_accessible+
- # to sanitize attributes won't provide sufficient protection.
+ # Note that using <tt>Hash#except</tt> or <tt>Hash#slice</tt> in place of
+ # +attr_accessible+ to sanitize attributes provides basically the same
+ # functionality, but it makes a bit tricky to deal with nested attributes.
def attr_accessible(*args)
options = args.extract_options!
role = options[:as] || :default
@@ -226,12 +226,12 @@ module ActiveModel
protected
- def sanitize_for_mass_assignment(attributes, role = :default)
- _mass_assignment_sanitizer.sanitize(attributes, mass_assignment_authorizer(role))
+ def sanitize_for_mass_assignment(attributes, role = nil)
+ _mass_assignment_sanitizer.sanitize(self.class, attributes, mass_assignment_authorizer(role))
end
- def mass_assignment_authorizer(role = :default)
- self.class.active_authorizer[role]
+ def mass_assignment_authorizer(role)
+ self.class.active_authorizer[role || :default]
end
end
end
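Review bot: `mass_assignment_authorizer(role)` loses its default argument, so any existing caller that invoked it with no argument — it is a protected method, so subclasses or other mixins may — now raises ArgumentError instead of receiving the :default authorizer; keeping the signature backward-compatible costs nothing: `def mass_assignment_authorizer(role = nil)`. The sanitizer call also gains a leading `self.class` argument, which changes the interface every custom `mass_assignment_sanitizer` must implement; since the sanitizer is the component that decides whether a protected attribute is dropped, logged or raised on, this is worth a short comment on `sanitize_for_mass_assignment` stating the expected `sanitize(klass, attributes, authorizer)` contract and a changelog entry, so third-party sanitizers are not silently left failing to load. The :logger default set in the earlier hunk presumably means a custom sanitizer that breaks on the new arity would surface as an error rather than as missing enforcement, but that is an inference from the name only.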