5 files changed, 34 insertions, 39 deletions

diff --git a/activemodel/lib/active_model/conversion.rb b/activemodel/lib/active_model/conversion.rb
index c7c805f1a2..d7f30f0920 100644
--- a/activemodel/lib/active_model/conversion.rb
+++ b/activemodel/lib/active_model/conversion.rb
@@ -21,7 +21,7 @@ module ActiveModel
   #   cm.to_model == self # => true
   #   cm.to_key           # => nil
   #   cm.to_param         # => nil
-  #   cm.to_path          # => "contact_messages/contact_message"
+  #   cm.to_partial_path  # => "contact_messages/contact_message"
   #
   module Conversion
     extend ActiveSupport::Concern
@@ -57,7 +57,7 @@ module ActiveModel
     end
 
     module ClassMethods #:nodoc:
-      # Provide a class level cache for the to_path. This is an
+      # Provide a class level cache for #to_partial_path. This is an
       # internal method and should not be accessed directly.
       def _to_partial_path #:nodoc:
         @_to_partial_path ||= begin
diff --git a/activemodel/lib/active_model/mass_assignment_security.rb b/activemodel/lib/active_model/mass_assignment_security.rb
index 95de039676..5e5405fe27 100644
--- a/activemodel/lib/active_model/mass_assignment_security.rb
+++ b/activemodel/lib/active_model/mass_assignment_security.rb
@@ -85,7 +85,7 @@ module ActiveModel
       #     end
       #   end
       #
-      # When using the :default role :
+      # When using the :default role:
       #
       #   customer = Customer.new
       #   customer.assign_attributes({ "name" => "David", "email" => "a@b.com", :logins_count => 5 }, :as => :default)
@@ -93,7 +93,7 @@ module ActiveModel
       #   customer.email # => "a@b.com"
       #   customer.logins_count    # => nil
       #
-      # And using the :admin role :
+      # And using the :admin role:
       #
       #   customer = Customer.new
       #   customer.assign_attributes({ "name" => "David", "email" => "a@b.com", :logins_count => 5}, :as => :admin)
@@ -107,8 +107,9 @@ module ActiveModel
       # To start from an all-closed default and enable attributes as needed,
       # have a look at +attr_accessible+.
       #
-      # Note that using <tt>Hash#except</tt> or <tt>Hash#slice</tt> in place of +attr_protected+
-      # to sanitize attributes won't provide sufficient protection.
+      # Note that using <tt>Hash#except</tt> or <tt>Hash#slice</tt> in place of
+      # +attr_protected+ to sanitize attributes provides basically the same
+      # functionality, but it makes a bit tricky to deal with nested attributes.
       def attr_protected(*args)
         options = args.extract_options!
         role = options[:as] || :default
@@ -152,7 +153,7 @@ module ActiveModel
       #     end
       #   end
       #
-      # When using the :default role :
+      # When using the :default role:
       #
       #   customer = Customer.new
       #   customer.assign_attributes({ "name" => "David", "credit_rating" => "Excellent", :last_login => 1.day.ago }, :as => :default)
@@ -162,15 +163,16 @@ module ActiveModel
       #   customer.credit_rating = "Average"
       #   customer.credit_rating # => "Average"
       #
-      # And using the :admin role :
+      # And using the :admin role:
       #
       #   customer = Customer.new
       #   customer.assign_attributes({ "name" => "David", "credit_rating" => "Excellent", :last_login => 1.day.ago }, :as => :admin)
       #   customer.name          # => "David"
       #   customer.credit_rating # => "Excellent"
       #
-      # Note that using <tt>Hash#except</tt> or <tt>Hash#slice</tt> in place of +attr_accessible+
-      # to sanitize attributes won't provide sufficient protection.
+      # Note that using <tt>Hash#except</tt> or <tt>Hash#slice</tt> in place of
+      # +attr_accessible+ to sanitize attributes provides basically the same
+      # functionality, but it makes a bit tricky to deal with nested attributes.
       def attr_accessible(*args)
         options = args.extract_options!
         role = options[:as] || :default
diff --git a/activemodel/lib/active_model/mass_assignment_security/sanitizer.rb b/activemodel/lib/active_model/mass_assignment_security/sanitizer.rb
index cfeb4aa7cd..93c4432b7d 100644
--- a/activemodel/lib/active_model/mass_assignment_security/sanitizer.rb
+++ b/activemodel/lib/active_model/mass_assignment_security/sanitizer.rb
@@ -3,20 +3,18 @@ module ActiveModel
     class Sanitizer
       # Returns all attributes not denied by the authorizer.
       def sanitize(attributes, authorizer)
-        sanitized_attributes = attributes.reject { |key, value| authorizer.deny?(key) }
-        debug_protected_attribute_removal(attributes, sanitized_attributes)
-        sanitized_attributes
+        attributes.reject do |attr, value|
+          if authorizer.deny?(attr)
+            process_removed_attribute(attr)
+            true
+          end
+        end
       end
 
     protected
 
-      def debug_protected_attribute_removal(attributes, sanitized_attributes)
-        removed_keys = attributes.keys - sanitized_attributes.keys
-        process_removed_attributes(removed_keys) if removed_keys.any?
-      end
-
-      def process_removed_attributes(attrs)
-        raise NotImplementedError, "#process_removed_attributes(attrs) suppose to be overwritten"
+      def process_removed_attribute(attr)
+        raise NotImplementedError, "#process_removed_attribute(attr) suppose to be overwritten"
       end
     end
 
@@ -34,8 +32,8 @@ module ActiveModel
         @target.respond_to?(:logger) && @target.logger
       end
 
-      def process_removed_attributes(attrs)
-        logger.warn "Can't mass-assign protected attributes: #{attrs.join(', ')}" if logger?
+      def process_removed_attribute(attr)
+        logger.warn "Can't mass-assign protected attribute: #{attr}" if logger?
       end
     end
 
@@ -44,19 +42,19 @@ module ActiveModel
         super()
       end
 
-      def process_removed_attributes(attrs)
-        return if (attrs - insensitive_attributes).empty?
-        raise ActiveModel::MassAssignmentSecurity::Error.new(attrs)
+      def process_removed_attribute(attr)
+        return if insensitive_attributes.include?(attr)
+        raise ActiveModel::MassAssignmentSecurity::Error.new(attr)
       end
 
       def insensitive_attributes
-        ['id']
+        @insensitive_attributes ||= ['id']
       end
     end
 
     class Error < StandardError
-      def initialize(attrs)
-        super("Can't mass-assign protected attributes: #{attrs.join(', ')}")
+      def initialize(attr)
+        super("Can't mass-assign protected attribute: #{attr}")
       end
     end
   end
diff --git a/activemodel/lib/active_model/naming.rb b/activemodel/lib/active_model/naming.rb
index 755e54efcd..fd0bc4e8e9 100644
--- a/activemodel/lib/active_model/naming.rb
+++ b/activemodel/lib/active_model/naming.rb
@@ -2,6 +2,7 @@ require 'active_support/inflector'
 require 'active_support/core_ext/hash/except'
 require 'active_support/core_ext/module/introspection'
 require 'active_support/core_ext/module/deprecation'
+require 'active_support/core_ext/object/blank'
 
 module ActiveModel
   class Name < String
diff --git a/activemodel/lib/active_model/serialization.rb b/activemodel/lib/active_model/serialization.rb
index 51f078e662..4323ee1e09 100644
--- a/activemodel/lib/active_model/serialization.rb
+++ b/activemodel/lib/active_model/serialization.rb
@@ -1,7 +1,5 @@
 require 'active_support/core_ext/hash/except'
 require 'active_support/core_ext/hash/slice'
-require 'active_support/core_ext/array/wrap'
-
 
 module ActiveModel
   # == Active Model Serialization
@@ -11,7 +9,6 @@ module ActiveModel
   # A minimal implementation could be:
   #
   #   class Person
-  #
   #     include ActiveModel::Serialization
   #
   #     attr_accessor :name
@@ -19,7 +16,6 @@ module ActiveModel
   #     def attributes
   #       {'name' => nil}
   #     end
-  #
   #   end
   #
   # Which would provide you with:
@@ -43,7 +39,6 @@ module ActiveModel
   # So a minimal implementation including XML and JSON would be:
   #
   #   class Person
-  #
   #     include ActiveModel::Serializers::JSON
   #     include ActiveModel::Serializers::Xml
   #
@@ -52,7 +47,6 @@ module ActiveModel
   #     def attributes
   #       {'name' => nil}
   #     end
-  #
   #   end
   #
   # Which would provide you with:
@@ -88,7 +82,7 @@ module ActiveModel
       method_names.each { |n| hash[n.to_s] = send(n) }
 
       serializable_add_includes(options) do |association, records, opts|
-        hash[association] = if records.is_a?(Enumerable)
+        hash[association.to_s] = if records.is_a?(Enumerable)
           records.map { |a| a.serializable_hash(opts) }
         else
           records.serializable_hash(opts)
@@ -126,13 +120,13 @@ module ActiveModel
       #   +records+     - the association record(s) to be serialized
       #   +opts+        - options for the association records
       def serializable_add_includes(options = {}) #:nodoc:
-        return unless include = options[:include]
+        return unless includes = options[:include]
 
-        unless include.is_a?(Hash)
-          include = Hash[Array.wrap(include).map { |n| n.is_a?(Hash) ? n.to_a.first : [n, {}] }]
+        unless includes.is_a?(Hash)
+          includes = Hash[Array(includes).map { |n| n.is_a?(Hash) ? n.to_a.first : [n, {}] }]
         end
 
-        include.each do |association, opts|
+        includes.each do |association, opts|
           if records = send(association)
             yield association, records, opts
           end