From b93a918337e99c3fe3ad059f093b1ee56b9e6a7d Mon Sep 17 00:00:00 2001
From: Bogdan Gusiev <agresso@gmail.com>
Date: Thu, 28 Jul 2011 11:56:08 +0300
Subject: MassAssignmentProtection: consider 'id' insensetive in
 StrictSanitizer

In order to use StrictSanitizer in test mode
Consider :id as not sensetive attribute that can be filtered from
mass assignement without exception.
---
 .../lib/active_model/mass_assignment_security/sanitizer.rb     |  5 +++++
 .../test/cases/mass_assignment_security/sanitizer_test.rb      | 10 +++++++++-
 .../rails/app/templates/config/environments/test.rb.tt         |  5 +++++
 3 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/activemodel/lib/active_model/mass_assignment_security/sanitizer.rb b/activemodel/lib/active_model/mass_assignment_security/sanitizer.rb
index bb0526adc3..bbdddfb50d 100644
--- a/activemodel/lib/active_model/mass_assignment_security/sanitizer.rb
+++ b/activemodel/lib/active_model/mass_assignment_security/sanitizer.rb
@@ -44,8 +44,13 @@ module ActiveModel
 
     class StrictSanitizer < Sanitizer
       def process_removed_attributes(attrs)
+        return if (attrs - insensitive_attributes).empty?
         raise ActiveModel::MassAssignmentSecurity::Error, "Can't mass-assign protected attributes: #{attrs.join(', ')}"
       end
+
+      def insensitive_attributes
+        ['id']
+      end
     end
 
     class Error < StandardError
diff --git a/activemodel/test/cases/mass_assignment_security/sanitizer_test.rb b/activemodel/test/cases/mass_assignment_security/sanitizer_test.rb
index 62a6ec9c9b..676937b5e1 100644
--- a/activemodel/test/cases/mass_assignment_security/sanitizer_test.rb
+++ b/activemodel/test/cases/mass_assignment_security/sanitizer_test.rb
@@ -7,7 +7,7 @@ class SanitizerTest < ActiveModel::TestCase
 
   class Authorizer < ActiveModel::MassAssignmentSecurity::PermissionSet
     def deny?(key)
-      key.in?(['admin'])
+      ['admin', 'id'].include?(key)
     end
   end
 
@@ -40,4 +40,12 @@ class SanitizerTest < ActiveModel::TestCase
     end
   end
 
+  test "mass assignment insensitive attributes" do
+    original_attributes = {'id' => 1, 'first_name' => 'allowed'}
+
+    assert_nothing_raised do
+      @strict_sanitizer.sanitize(original_attributes, @authorizer)
+    end
+  end
+
 end
diff --git a/railties/lib/rails/generators/rails/app/templates/config/environments/test.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/environments/test.rb.tt
index ee068b0202..80198cc21e 100644
--- a/railties/lib/rails/generators/rails/app/templates/config/environments/test.rb.tt
+++ b/railties/lib/rails/generators/rails/app/templates/config/environments/test.rb.tt
@@ -34,6 +34,11 @@
   # like if you have constraints or database-specific column types
   # config.active_record.schema_format = :sql
 
+  <%- unless options.skip_active_record? -%>
+  # Raise exception on mass assignment protection for ActiveRecord models
+  config.active_record.mass_assignment_sanitizer = :strict
+  <%- end -%>
+
   # Print deprecation notices to the stderr
   config.active_support.deprecation = :stderr
 end
-- 
cgit v1.2.3