aboutsummaryrefslogtreecommitdiffstats
path: root/activemodel/lib
diff options
context:
space:
mode:
Diffstat (limited to 'activemodel/lib')
-rw-r--r--activemodel/lib/active_model/mass_assignment_security.rb37
-rw-r--r--activemodel/lib/active_model/mass_assignment_security/permission_set.rb8
-rw-r--r--activemodel/lib/active_model/mass_assignment_security/sanitizer.rb43
-rw-r--r--activemodel/lib/active_model/validations/exclusion.rb2
-rw-r--r--activemodel/lib/active_model/validations/inclusion.rb2
5 files changed, 71 insertions, 21 deletions
diff --git a/activemodel/lib/active_model/mass_assignment_security.rb b/activemodel/lib/active_model/mass_assignment_security.rb
index 483b577681..a7b4706906 100644
--- a/activemodel/lib/active_model/mass_assignment_security.rb
+++ b/activemodel/lib/active_model/mass_assignment_security.rb
@@ -1,5 +1,7 @@
-require 'active_support/core_ext/class/attribute.rb'
+require 'active_support/core_ext/class/attribute'
+require 'active_support/core_ext/string/inflections'
require 'active_model/mass_assignment_security/permission_set'
+require 'active_model/mass_assignment_security/sanitizer'
module ActiveModel
# = Active Model Mass-Assignment Security
@@ -10,6 +12,9 @@ module ActiveModel
class_attribute :_accessible_attributes
class_attribute :_protected_attributes
class_attribute :_active_authorizer
+
+ class_attribute :_mass_assignment_sanitizer
+ self.mass_assignment_sanitizer = :logger
end
# Mass assignment security provides an interface for protecting attributes
@@ -41,6 +46,16 @@ module ActiveModel
#
# end
#
+ # = Configuration options
+ #
+ # * <tt>mass_assignment_sanitizer</tt> - Defines sanitize method. Possible values are:
+ # * <tt>:logger</tt> (default) - writes filtered attributes to logger
+ # * <tt>:strict</tt> - raise <tt>ActiveModel::MassAssignmentSecurity::Error</tt> on any protected attribute update
+ #
+ # You can specify your own sanitizer object eg. MySanitizer.new.
+ # See <tt>ActiveModel::MassAssignmentSecurity::LoggerSanitizer</tt> for example implementation.
+ #
+ #
module ClassMethods
# Attributes named in this macro are protected from mass-assignment
# whenever attributes are sanitized before assignment. A role for the
@@ -154,7 +169,7 @@ module ActiveModel
options = args.extract_options!
role = options[:as] || :default
- self._accessible_attributes = accessible_attributes_configs.dup
+ self._accessible_attributes = accessible_attributes_configs.dup
self._accessible_attributes[role] = self.accessible_attributes(role) + args
self._active_authorizer = self._accessible_attributes
@@ -177,21 +192,25 @@ module ActiveModel
[]
end
+ def mass_assignment_sanitizer=(value)
+ self._mass_assignment_sanitizer = if value.is_a?(Symbol)
+ const_get(:"#{value.to_s.camelize}Sanitizer").new(self)
+ else
+ value
+ end
+ end
+
private
def protected_attributes_configs
self._protected_attributes ||= begin
- default_black_list = BlackList.new(attributes_protected_by_default).tap do |w|
- w.logger = self.logger if self.respond_to?(:logger)
- end
- Hash.new(default_black_list)
+ Hash.new { |h,k| h[k] = BlackList.new(attributes_protected_by_default) }
end
end
def accessible_attributes_configs
self._accessible_attributes ||= begin
- default_white_list = WhiteList.new.tap { |w| w.logger = self.logger if self.respond_to?(:logger) }
- Hash.new(default_white_list)
+ Hash.new { |h,k| h[k] = WhiteList.new }
end
end
end
@@ -199,7 +218,7 @@ module ActiveModel
protected
def sanitize_for_mass_assignment(attributes, role = :default)
- mass_assignment_authorizer(role).sanitize(attributes)
+ _mass_assignment_sanitizer.sanitize(attributes, mass_assignment_authorizer(role))
end
def mass_assignment_authorizer(role = :default)
diff --git a/activemodel/lib/active_model/mass_assignment_security/permission_set.rb b/activemodel/lib/active_model/mass_assignment_security/permission_set.rb
index 9fcb94d48a..a1fcdf1a38 100644
--- a/activemodel/lib/active_model/mass_assignment_security/permission_set.rb
+++ b/activemodel/lib/active_model/mass_assignment_security/permission_set.rb
@@ -1,10 +1,8 @@
require 'set'
-require 'active_model/mass_assignment_security/sanitizer'
module ActiveModel
module MassAssignmentSecurity
class PermissionSet < Set
- attr_accessor :logger
def +(values)
super(values.map(&:to_s))
@@ -14,6 +12,10 @@ module ActiveModel
super(remove_multiparameter_id(key))
end
+ def deny?(key)
+ raise NotImplementedError, "#deny?(key) suppose to be overwritten"
+ end
+
protected
def remove_multiparameter_id(key)
@@ -22,7 +24,6 @@ module ActiveModel
end
class WhiteList < PermissionSet
- include Sanitizer
def deny?(key)
!include?(key)
@@ -30,7 +31,6 @@ module ActiveModel
end
class BlackList < PermissionSet
- include Sanitizer
def deny?(key)
include?(key)
diff --git a/activemodel/lib/active_model/mass_assignment_security/sanitizer.rb b/activemodel/lib/active_model/mass_assignment_security/sanitizer.rb
index 150beb1ff2..ee43a6694f 100644
--- a/activemodel/lib/active_model/mass_assignment_security/sanitizer.rb
+++ b/activemodel/lib/active_model/mass_assignment_security/sanitizer.rb
@@ -1,9 +1,14 @@
+require 'active_support/core_ext/module/delegation'
+
module ActiveModel
module MassAssignmentSecurity
- module Sanitizer
+ class Sanitizer
+ def initialize(target=nil)
+ end
+
# Returns all attributes not denied by the authorizer.
- def sanitize(attributes)
- sanitized_attributes = attributes.reject { |key, value| deny?(key) }
+ def sanitize(attributes, authorizer)
+ sanitized_attributes = attributes.reject { |key, value| authorizer.deny?(key) }
debug_protected_attribute_removal(attributes, sanitized_attributes)
sanitized_attributes
end
@@ -12,12 +17,38 @@ module ActiveModel
def debug_protected_attribute_removal(attributes, sanitized_attributes)
removed_keys = attributes.keys - sanitized_attributes.keys
- warn!(removed_keys) if removed_keys.any?
+ process_removed_attributes(removed_keys) if removed_keys.any?
+ end
+
+ def process_removed_attributes(attrs)
+ raise NotImplementedError, "#process_removed_attributes(attrs) suppose to be overwritten"
+ end
+ end
+
+ class LoggerSanitizer < Sanitizer
+ delegate :logger, :to => :@target
+
+ def initialize(target)
+ @target = target
+ super
end
- def warn!(attrs)
- self.logger.debug "WARNING: Can't mass-assign protected attributes: #{attrs.join(', ')}" if self.logger
+ def logger?
+ @target.respond_to?(:logger) && @target.logger
end
+
+ def process_removed_attributes(attrs)
+ logger.debug "WARNING: Can't mass-assign protected attributes: #{attrs.join(', ')}" if logger?
+ end
+ end
+
+ class StrictSanitizer < Sanitizer
+ def process_removed_attributes(attrs)
+ raise ActiveModel::MassAssignmentSecurity::Error, "Can't mass-assign protected attributes: #{attrs.join(', ')}"
+ end
+ end
+
+ class Error < StandardError
end
end
end
diff --git a/activemodel/lib/active_model/validations/exclusion.rb b/activemodel/lib/active_model/validations/exclusion.rb
index ab4de3c459..d3b8d31502 100644
--- a/activemodel/lib/active_model/validations/exclusion.rb
+++ b/activemodel/lib/active_model/validations/exclusion.rb
@@ -1,4 +1,4 @@
-require 'active_support/core_ext/range.rb'
+require 'active_support/core_ext/range'
module ActiveModel
diff --git a/activemodel/lib/active_model/validations/inclusion.rb b/activemodel/lib/active_model/validations/inclusion.rb
index bfb65d2f3f..9a9270d615 100644
--- a/activemodel/lib/active_model/validations/inclusion.rb
+++ b/activemodel/lib/active_model/validations/inclusion.rb
@@ -1,4 +1,4 @@
-require 'active_support/core_ext/range.rb'
+require 'active_support/core_ext/range'
module ActiveModel
generated by cgit v1.2.3 (git 2.25.1) at 2024-10-06 00:19:11 +0000