diff options
Diffstat (limited to 'activemodel')
| -rw-r--r-- | activemodel/lib/active_model/mass_assignment_security/sanitizer.rb | 34 | ||||
| -rw-r--r-- | activemodel/test/cases/mass_assignment_security_test.rb | 2 |
2 files changed, 19 insertions, 17 deletions
diff --git a/activemodel/lib/active_model/mass_assignment_security/sanitizer.rb b/activemodel/lib/active_model/mass_assignment_security/sanitizer.rb index 93c4432b7d..cfeb4aa7cd 100644 --- a/activemodel/lib/active_model/mass_assignment_security/sanitizer.rb +++ b/activemodel/lib/active_model/mass_assignment_security/sanitizer.rb @@ -3,18 +3,20 @@ module ActiveModel class Sanitizer # Returns all attributes not denied by the authorizer. def sanitize(attributes, authorizer) - attributes.reject do |attr, value| - if authorizer.deny?(attr) - process_removed_attribute(attr) - true - end - end + sanitized_attributes = attributes.reject { |key, value| authorizer.deny?(key) } + debug_protected_attribute_removal(attributes, sanitized_attributes) + sanitized_attributes end protected - def process_removed_attribute(attr) - raise NotImplementedError, "#process_removed_attribute(attr) suppose to be overwritten" + def debug_protected_attribute_removal(attributes, sanitized_attributes) + removed_keys = attributes.keys - sanitized_attributes.keys + process_removed_attributes(removed_keys) if removed_keys.any? + end + + def process_removed_attributes(attrs) + raise NotImplementedError, "#process_removed_attributes(attrs) suppose to be overwritten" end end @@ -32,8 +34,8 @@ module ActiveModel @target.respond_to?(:logger) && @target.logger end - def process_removed_attribute(attr) - logger.warn "Can't mass-assign protected attribute: #{attr}" if logger? + def process_removed_attributes(attrs) + logger.warn "Can't mass-assign protected attributes: #{attrs.join(', ')}" if logger? end end @@ -42,19 +44,19 @@ module ActiveModel super() end - def process_removed_attribute(attr) - return if insensitive_attributes.include?(attr) - raise ActiveModel::MassAssignmentSecurity::Error.new(attr) + def process_removed_attributes(attrs) + return if (attrs - insensitive_attributes).empty? + raise ActiveModel::MassAssignmentSecurity::Error.new(attrs) end def insensitive_attributes - @insensitive_attributes ||= ['id'] + ['id'] end end class Error < StandardError - def initialize(attr) - super("Can't mass-assign protected attribute: #{attr}") + def initialize(attrs) + super("Can't mass-assign protected attributes: #{attrs.join(', ')}") end end end diff --git a/activemodel/test/cases/mass_assignment_security_test.rb b/activemodel/test/cases/mass_assignment_security_test.rb index 4dc5280888..a197dbe748 100644 --- a/activemodel/test/cases/mass_assignment_security_test.rb +++ b/activemodel/test/cases/mass_assignment_security_test.rb @@ -4,7 +4,7 @@ require 'models/mass_assignment_specific' class CustomSanitizer < ActiveModel::MassAssignmentSecurity::Sanitizer - def process_removed_attribute(attr) + def process_removed_attributes(attrs) raise StandardError end |