0731945e
编写于
5月 26, 2011
作者:
José Valim
Merge pull request #1334 from bogdan/callback
MassAssignmentSecurity: add ability to specify your own sanitizer
上级
d341d166
c7567c9a
变更
7
Showing
7 changed file
with
57 addition
and
39 deletion
+57
-39
activemodel/lib/active_model/mass_assignment_security.rb
activemodel/lib/active_model/mass_assignment_security.rb
+9
-5
activemodel/lib/active_model/mass_assignment_security/permission_set.rb
...b/active_model/mass_assignment_security/permission_set.rb
+4
-4
activemodel/lib/active_model/mass_assignment_security/sanitizer.rb
...el/lib/active_model/mass_assignment_security/sanitizer.rb
+19
-5
activemodel/test/cases/mass_assignment_security/black_list_test.rb
...el/test/cases/mass_assignment_security/black_list_test.rb
+0
-8
activemodel/test/cases/mass_assignment_security/sanitizer_test.rb
...del/test/cases/mass_assignment_security/sanitizer_test.rb
+5
-8
activemodel/test/cases/mass_assignment_security/white_list_test.rb
...el/test/cases/mass_assignment_security/white_list_test.rb
+0
-9
activemodel/test/cases/mass_assignment_security_test.rb
activemodel/test/cases/mass_assignment_security_test.rb
+20
-0
activemodel/lib/active_model/mass_assignment_security.rb
require
'active_support/core_ext/class/attribute.rb'
require
'active_model/mass_assignment_security/permission_set'
require
'active_model/mass_assignment_security/sanitizer'
module
ActiveModel
# = Active Model Mass-Assignment Security
...
...
@@ -10,6 +11,7 @@ module MassAssignmentSecurity
class_attribute
:_accessible_attributes
class_attribute
:_protected_attributes
class_attribute
:_active_authorizer
class_attribute
:mass_assignment_sanitizer
end
# Mass assignment security provides an interface for protecting attributes
...
...
@@ -181,16 +183,14 @@ def attributes_protected_by_default
def
protected_attributes_configs
self
.
_protected_attributes
||=
begin
default_black_list
=
BlackList
.
new
(
attributes_protected_by_default
).
tap
do
|
w
|
w
.
logger
=
self
.
logger
if
self
.
respond_to?
(
:logger
)
end
default_black_list
=
BlackList
.
new
(
attributes_protected_by_default
)
Hash
.
new
(
default_black_list
)
end
end
def
accessible_attributes_configs
self
.
_accessible_attributes
||=
begin
default_white_list
=
WhiteList
.
new
.
tap
{
|
w
|
w
.
logger
=
self
.
logger
if
self
.
respond_to?
(
:logger
)
}
default_white_list
=
WhiteList
.
new
Hash
.
new
(
default_white_list
)
end
end
...
...
@@ -199,7 +199,11 @@ def accessible_attributes_configs
protected
def
sanitize_for_mass_assignment
(
attributes
,
role
=
:default
)
mass_assignment_authorizer
(
role
).
sanitize
(
attributes
)
(
mass_assignment_sanitizer
||
default_mass_assignment_sanitizer
).
sanitize
(
attributes
,
mass_assignment_authorizer
(
role
))
end
def
default_mass_assignment_sanitizer
DefaultSanitizer
.
new
(
self
.
respond_to?
(
:logger
)
&&
self
.
logger
)
end
def
mass_assignment_authorizer
(
role
=
:default
)
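Review bot: `default_mass_assignment_sanitizer` hands `false` rather than `nil` to `DefaultSanitizer.new` when the model has no logger, and it builds a fresh sanitizer on every `sanitize_for_mass_assignment` call; `DefaultSanitizer.new(respond_to?(:logger) ? logger : nil)` reads cleaner and the result could be memoized, although `if self.logger` in the sanitizer tolerates `false` today. The new `class_attribute :mass_assignment_sanitizer` in the first hunk is now the single point where protected attributes get stripped, so it deserves a comment such as `# Custom sanitizers should subclass Sanitizer and override process_removed_attributes; overriding sanitize itself bypasses the authorizer's deny? check.` `mass_assignment_authorizer` continues past the end of the hunk.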
...
...
activemodel/lib/active_model/mass_assignment_security/permission_set.rb
require
'set'
require
'active_model/mass_assignment_security/sanitizer'
module
ActiveModel
module
MassAssignmentSecurity
class
PermissionSet
<
Set
attr_accessor
:logger
def
+
(
values
)
super
(
values
.
map
(
&
:to_s
))
...
...
@@ -14,6 +12,10 @@ def include?(key)
super
(
remove_multiparameter_id
(
key
))
end
def
deny?
(
key
)
raise
NotImplementedError
,
"#deny?(key) suppose to be overwritten"
end
protected
def
remove_multiparameter_id
(
key
)
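Review bot: The NotImplementedError message in the new `deny?` is ungrammatical and inaccurate — "suppose to be overwritten" — and the same wording appears in `Sanitizer#process_removed_attributes` in sanitizer.rb; `raise NotImplementedError, "#deny?(key) must be overridden by a subclass"` says what is meant. Raising here rather than returning false is the right fail-closed default for a permission set, so the method could carry a one-line comment noting that an unimplemented deny? denies nothing silently and therefore must raise. `remove_multiparameter_id` continues past the end of the hunk.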
...
...
@@ -22,7 +24,6 @@ def remove_multiparameter_id(key)
end
class
WhiteList
<
PermissionSet
include
Sanitizer
def
deny?
(
key
)
!
include
?(
key
)
...
...
@@ -30,7 +31,6 @@ def deny?(key)
end
class
BlackList
<
PermissionSet
include
Sanitizer
def
deny?
(
key
)
include
?(
key
)
...
...
activemodel/lib/active_model/mass_assignment_security/sanitizer.rb
module
ActiveModel
module
MassAssignmentSecurity
module
Sanitizer
class
Sanitizer
# Returns all attributes not denied by the authorizer.
def
sanitize
(
attributes
)
sanitized_attributes
=
attributes
.
reject
{
|
key
,
value
|
deny?
(
key
)
}
def
sanitize
(
attributes
,
authorizer
)
sanitized_attributes
=
attributes
.
reject
{
|
key
,
value
|
authorizer
.
deny?
(
key
)
}
debug_protected_attribute_removal
(
attributes
,
sanitized_attributes
)
sanitized_attributes
end
...
...
@@ -12,10 +12,24 @@ def sanitize(attributes)
def
debug_protected_attribute_removal
(
attributes
,
sanitized_attributes
)
removed_keys
=
attributes
.
keys
-
sanitized_attributes
.
keys
warn
!
(
removed_keys
)
if
removed_keys
.
any?
process_removed_attributes
(
removed_keys
)
if
removed_keys
.
any?
end
def
process_removed_attributes
(
attrs
)
raise
NotImplementedError
,
"#process_removed_attributes(attrs) suppose to be overwritten"
end
end
class
DefaultSanitizer
<
Sanitizer
def
warn!
(
attrs
)
attr_accessor
:logger
def
initialize
(
logger
=
nil
)
self
.
logger
=
logger
super
()
end
def
process_removed_attributes
(
attrs
)
self
.
logger
.
debug
"WARNING: Can't mass-assign protected attributes:
#{
attrs
.
join
(
', '
)
}
"
if
self
.
logger
end
end
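Review bot: `DefaultSanitizer#process_removed_attributes` emits a message that starts with "WARNING:" but writes it with `logger.debug`, so under a production logger at info level the stripped protected attributes never show up anywhere; either log it at `warn` to match the text, or document in a comment on `DefaultSanitizer` that it is a silent-drop policy and that applications needing an audit trail or a hard failure should plug in a subclass overriding `process_removed_attributes` via `mass_assignment_sanitizer`. The base `Sanitizer#sanitize` in the first hunk should also document the contract with `# @param authorizer [PermissionSet] must respond to deny?(key)` and rename the unused block variable to `_value`. The enclosing module closings appear to fall past the end of the hunk.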
...
...
activemodel/test/cases/mass_assignment_security/black_list_test.rb
...
...
@@ -16,13 +16,5 @@ def setup
assert_equal
false
,
@black_list
.
deny?
(
'first_name'
)
end
test
"sanitize attributes"
do
original_attributes
=
{
'first_name'
=>
'allowed'
,
'admin'
=>
'denied'
,
'admin(1)'
=>
'denied'
}
attributes
=
@black_list
.
sanitize
(
original_attributes
)
assert
attributes
.
key?
(
'first_name'
),
"Allowed key shouldn't be rejected"
assert
!
attributes
.
key?
(
'admin'
),
"Denied key should be rejected"
assert
!
attributes
.
key?
(
'admin(1)'
),
"Multi-parameter key should be detected"
end
end
activemodel/test/cases/mass_assignment_security/sanitizer_test.rb
...
...
@@ -4,24 +4,21 @@
class
SanitizerTest
<
ActiveModel
::
TestCase
class
SanitizingAuthorizer
include
ActiveModel
::
MassAssignmentSecurity
::
Sanitizer
attr_accessor
:logger
class
Authorizer
<
ActiveModel
::
MassAssignmentSecurity
::
PermissionSet
def
deny?
(
key
)
key
.
in?
([
'admin'
])
end
end
def
setup
@sanitizer
=
SanitizingAuthorizer
.
new
@sanitizer
=
ActiveModel
::
MassAssignmentSecurity
::
DefaultSanitizer
.
new
@authorizer
=
Authorizer
.
new
end
test
"sanitize attributes"
do
original_attributes
=
{
'first_name'
=>
'allowed'
,
'admin'
=>
'denied'
}
attributes
=
@sanitizer
.
sanitize
(
original_attributes
)
attributes
=
@sanitizer
.
sanitize
(
original_attributes
,
@authorizer
)
assert
attributes
.
key?
(
'first_name'
),
"Allowed key shouldn't be rejected"
assert
!
attributes
.
key?
(
'admin'
),
"Denied key should be rejected"
...
...
@@ -31,7 +28,7 @@ def setup
original_attributes
=
{
'first_name'
=>
'allowed'
,
'admin'
=>
'denied'
}
log
=
StringIO
.
new
@sanitizer
.
logger
=
Logger
.
new
(
log
)
@sanitizer
.
sanitize
(
original_attributes
)
@sanitizer
.
sanitize
(
original_attributes
,
@authorizer
)
assert_match
(
/admin/
,
log
.
string
,
"Should log removed attributes:
#{
log
.
string
}
"
)
end
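Review bot: Neither hunk covers the guard added to the base `Sanitizer#process_removed_attributes`, so a refactor that quietly drops the NotImplementedError would go unnoticed; a one-line test such as `assert_raise(NotImplementedError) { ActiveModel::MassAssignmentSecurity::Sanitizer.new.sanitize(original_attributes, @authorizer) }` pins it. The logging test in the second hunk relies on `Logger.new(log)` defaulting to DEBUG level, which is worth a comment since the sanitizer logs at debug rather than warn.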
...
...
activemodel/test/cases/mass_assignment_security/white_list_test.rb
...
...
@@ -16,13 +16,4 @@ def setup
assert_equal
true
,
@white_list
.
deny?
(
'admin'
)
end
test
"sanitize attributes"
do
original_attributes
=
{
'first_name'
=>
'allowed'
,
'admin'
=>
'denied'
,
'admin(1)'
=>
'denied'
}
attributes
=
@white_list
.
sanitize
(
original_attributes
)
assert
attributes
.
key?
(
'first_name'
),
"Allowed key shouldn't be rejected"
assert
!
attributes
.
key?
(
'admin'
),
"Denied key should be rejected"
assert
!
attributes
.
key?
(
'admin(1)'
),
"Multi-parameter key should be detected"
end
end
activemodel/test/cases/mass_assignment_security_test.rb
require
"cases/helper"
require
'models/mass_assignment_specific'
class
CustomSanitizer
<
ActiveModel
::
MassAssignmentSecurity
::
Sanitizer
def
process_removed_attributes
(
attrs
)
raise
StandardError
end
end
class
MassAssignmentSecurityTest
<
ActiveModel
::
TestCase
def
test_attribute_protection
...
...
@@ -76,4 +85,15 @@ def test_mass_assignment_multiparameter_protector
assert_equal
sanitized
,
{
}
end
def
test_custom_sanitizer
user
=
User
.
new
User
.
mass_assignment_sanitizer
=
CustomSanitizer
.
new
assert_raise
StandardError
do
user
.
sanitize_for_mass_assignment
(
"admin"
=>
true
)
end
ensure
User
.
mass_assignment_sanitizer
=
nil
end
end
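Review bot: `CustomSanitizer` in the first hunk raises bare `StandardError` and `test_custom_sanitizer` asserts on that same class, so any unrelated failure inside `sanitize_for_mass_assignment` (a NoMethodError from a wrong hook name, an ArgumentError from the changed `sanitize` arity) satisfies the assertion and hides a broken integration. Define a dedicated error, `class CustomSanitizerError < StandardError; end`, raise it from `process_removed_attributes`, and assert `assert_raise(CustomSanitizerError)`. The `ensure` resetting `User.mass_assignment_sanitizer = nil` is good, since the class attribute would otherwise leak into later tests.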