From d204918f9190afcf5f3f53adb957ca15aa644704 Mon Sep 17 00:00:00 2001 From: Fabio Yamate Date: Tue, 14 Feb 2012 16:27:19 -0200 Subject: Fix sanitize_for_mass_assigment when role is nil There is an example in Rails documentation that suggests implementing assign_attributes method for ActiveModel interface, that by default sends option role with nil. Since mass_assignment_authorizer never is called without args, we can move the default value internally. --- activemodel/lib/active_model/mass_assignment_security.rb | 6 +++--- activemodel/test/cases/mass_assignment_security_test.rb | 7 +++++++ 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/activemodel/lib/active_model/mass_assignment_security.rb b/activemodel/lib/active_model/mass_assignment_security.rb index 13495d6786..95de039676 100644 --- a/activemodel/lib/active_model/mass_assignment_security.rb +++ b/activemodel/lib/active_model/mass_assignment_security.rb @@ -226,12 +226,12 @@ module ActiveModel protected - def sanitize_for_mass_assignment(attributes, role = :default) + def sanitize_for_mass_assignment(attributes, role = nil) _mass_assignment_sanitizer.sanitize(attributes, mass_assignment_authorizer(role)) end - def mass_assignment_authorizer(role = :default) - self.class.active_authorizer[role] + def mass_assignment_authorizer(role) + self.class.active_authorizer[role || :default] end end end diff --git a/activemodel/test/cases/mass_assignment_security_test.rb b/activemodel/test/cases/mass_assignment_security_test.rb index be07e59a2f..a197dbe748 100644 --- a/activemodel/test/cases/mass_assignment_security_test.rb +++ b/activemodel/test/cases/mass_assignment_security_test.rb @@ -19,6 +19,13 @@ class MassAssignmentSecurityTest < ActiveModel::TestCase assert_equal expected, sanitized end + def test_attribute_protection_when_role_is_nil + user = User.new + expected = { "name" => "John Smith", "email" => "john@smith.com" } + sanitized = user.sanitize_for_mass_assignment(expected.merge("admin" => true), nil) + assert_equal expected, sanitized + end + def test_only_moderator_role_attribute_accessible user = SpecialUser.new expected = { "name" => "John Smith", "email" => "john@smith.com" } -- cgit v1.2.3