From aa2639e746d8af5d7673bbbbbccbe868edeb0161 Mon Sep 17 00:00:00 2001
From: Bogdan Gusiev <agresso@gmail.com>
Date: Mon, 30 May 2011 11:34:00 +0300
Subject: ActiveModel::MassAssignmentSecurity.mass_assignment_sanitizer method

In order to specify your own sanitize method
Implemented .mass_assignment_sanitizer configuration option
---
 .../lib/active_model/mass_assignment_security.rb   | 30 +++++++++++++++++-----
 .../mass_assignment_security/sanitizer.rb          | 12 ++++++++-
 2 files changed, 35 insertions(+), 7 deletions(-)

(limited to 'activemodel/lib')

diff --git a/activemodel/lib/active_model/mass_assignment_security.rb b/activemodel/lib/active_model/mass_assignment_security.rb
index cc30609f2b..e3c9097646 100644
--- a/activemodel/lib/active_model/mass_assignment_security.rb
+++ b/activemodel/lib/active_model/mass_assignment_security.rb
@@ -11,7 +11,13 @@ module ActiveModel
       class_attribute :_accessible_attributes
       class_attribute :_protected_attributes
       class_attribute :_active_authorizer
-      class_attribute :mass_assignment_sanitizer
+
+      class_attribute :mass_assignment_sanitizer, :mass_assignment_sanitizers
+      self.mass_assignment_sanitizer = :logger
+      self.mass_assignment_sanitizers = {
+        :logger => LoggerSanitizer.new(self.respond_to?(:logger) && self.logger),
+        :strict => StrictSanitizer.new
+      }
     end
 
     # Mass assignment security provides an interface for protecting attributes
@@ -43,6 +49,16 @@ module ActiveModel
     #
     #   end
     #
+    # = Configuration options
+    #
+    # * <tt>mass_assignment_sanitizer</tt> - Defines sanitize method. Possible values are:
+    #   * <tt>:logger</tt> (default) - writes filtered attributes to logger
+    #   * <tt>:strict</tt> - raise <tt>ActiveModel::MassAssignmentSecurity::Error</tt> on any protected attribute update
+    #
+    # You can specify your own sanitizer object eg. MySanitizer.new.
+    # See <tt>ActiveModel::MassAssignmentSecurity::LoggerSanitizer</tt> for example implementation.
+    #
+    # 
     module ClassMethods
       # Attributes named in this macro are protected from mass-assignment
       # whenever attributes are sanitized before assignment. A role for the
@@ -199,11 +215,13 @@ module ActiveModel
   protected
 
     def sanitize_for_mass_assignment(attributes, role = :default)
-      (mass_assignment_sanitizer || default_mass_assignment_sanitizer).sanitize(attributes, mass_assignment_authorizer(role))
-    end
-
-    def default_mass_assignment_sanitizer
-      DefaultSanitizer.new(self.respond_to?(:logger) && self.logger)
+      sanitizer = case mass_assignment_sanitizer
+                  when Symbol
+                    self.mass_assignment_sanitizers[mass_assignment_sanitizer]
+                  else
+                    mass_assignment_sanitizer
+                  end
+      sanitizer.sanitize(attributes, mass_assignment_authorizer(role))
     end
 
     def mass_assignment_authorizer(role = :default)
diff --git a/activemodel/lib/active_model/mass_assignment_security/sanitizer.rb b/activemodel/lib/active_model/mass_assignment_security/sanitizer.rb
index 5dbcf473bd..4dfff050a8 100644
--- a/activemodel/lib/active_model/mass_assignment_security/sanitizer.rb
+++ b/activemodel/lib/active_model/mass_assignment_security/sanitizer.rb
@@ -20,7 +20,7 @@ module ActiveModel
       end
 
     end
-    class DefaultSanitizer < Sanitizer
+    class LoggerSanitizer < Sanitizer
 
       attr_accessor :logger
 
@@ -33,5 +33,15 @@ module ActiveModel
         self.logger.debug "WARNING: Can't mass-assign protected attributes: #{attrs.join(', ')}" if self.logger
       end
     end
+
+    class StrictSanitizer < Sanitizer
+      def process_removed_attributes(attrs)
+        raise ActiveModel::MassAssignmentSecurity::Error, "Can't mass-assign protected attributes: #{attrs.join(', ')}"
+      end
+    end
+
+    class Error < StandardError
+    end
+
   end
 end
-- 
cgit v1.2.3