提交
16384351
编写于
5月 31, 2011
作者:
J
José Valim
Merge pull request #1403 from bogdan/config
ActiveModel::MassAssignmentSecurity.mass_assignment_sanitizer method
上级
752dec94
aa2639e7
变更
3
Showing
3 changed file
with
48 addition
and
12 deletion
+48
-12
activemodel/lib/active_model/mass_assignment_security.rb
activemodel/lib/active_model/mass_assignment_security.rb
+24
-6
activemodel/lib/active_model/mass_assignment_security/sanitizer.rb
...el/lib/active_model/mass_assignment_security/sanitizer.rb
+11
-1
activemodel/test/cases/mass_assignment_security/sanitizer_test.rb
...del/test/cases/mass_assignment_security/sanitizer_test.rb
+13
-5
activemodel/lib/active_model/mass_assignment_security.rb
...
...
@@ -11,7 +11,13 @@ module MassAssignmentSecurity
class_attribute
:_accessible_attributes
class_attribute
:_protected_attributes
class_attribute
:_active_authorizer
class_attribute
:mass_assignment_sanitizer
class_attribute
:mass_assignment_sanitizer
,
:mass_assignment_sanitizers
self
.
mass_assignment_sanitizer
=
:logger
self
.
mass_assignment_sanitizers
=
{
:logger
=>
LoggerSanitizer
.
new
(
self
.
respond_to?
(
:logger
)
&&
self
.
logger
),
:strict
=>
StrictSanitizer
.
new
}
end
# Mass assignment security provides an interface for protecting attributes
...
...
@@ -43,6 +49,16 @@ module MassAssignmentSecurity
#
# end
#
# = Configuration options
#
# * <tt>mass_assignment_sanitizer</tt> - Defines sanitize method. Possible values are:
# * <tt>:logger</tt> (default) - writes filtered attributes to logger
# * <tt>:strict</tt> - raise <tt>ActiveModel::MassAssignmentSecurity::Error</tt> on any protected attribute update
#
# You can specify your own sanitizer object eg. MySanitizer.new.
# See <tt>ActiveModel::MassAssignmentSecurity::LoggerSanitizer</tt> for example implementation.
#
#
module
ClassMethods
# Attributes named in this macro are protected from mass-assignment
# whenever attributes are sanitized before assignment. A role for the
...
...
@@ -199,11 +215,13 @@ def accessible_attributes_configs
protected
def
sanitize_for_mass_assignment
(
attributes
,
role
=
:default
)
(
mass_assignment_sanitizer
||
default_mass_assignment_sanitizer
).
sanitize
(
attributes
,
mass_assignment_authorizer
(
role
))
end
def
default_mass_assignment_sanitizer
DefaultSanitizer
.
new
(
self
.
respond_to?
(
:logger
)
&&
self
.
logger
)
sanitizer
=
case
mass_assignment_sanitizer
when
Symbol
self
.
mass_assignment_sanitizers
[
mass_assignment_sanitizer
]
else
mass_assignment_sanitizer
end
sanitizer
.
sanitize
(
attributes
,
mass_assignment_authorizer
(
role
))
end
def
mass_assignment_authorizer
(
role
=
:default
)
...
...
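Review bot: The `:logger` entry of `mass_assignment_sanitizers` captures `self.logger` once, when the module is included, whereas the removed `default_mass_assignment_sanitizer` re-read it on every call; if the logger is assigned after the model class is loaded (as a framework boot sequence typically does), `LoggerSanitizer#logger` stays `nil`/`false` and dropped protected attributes are never logged under the new default. Keeping the old behaviour means resolving the logger at use time, either by storing factories in the hash and instantiating in `sanitize_for_mass_assignment`, or by setting it just before the call, e.g. `sanitizer.logger = logger if sanitizer.respond_to?(:logger=) && respond_to?(:logger)`. Separately, an unrecognised symbol (a typo when assigning `mass_assignment_sanitizer`) makes the hash lookup return `nil` and the call fails with a bare `NoMethodError` on `sanitize`; `mass_assignment_sanitizers.fetch(mass_assignment_sanitizer) { raise ArgumentError, "Unknown mass_assignment_sanitizer #{mass_assignment_sanitizer.inspect}" }` in the `when Symbol` branch fails fast with a clear message. The block that builds the hash (presumably the module's `included` hook) starts outside the first hunk.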
activemodel/lib/active_model/mass_assignment_security/sanitizer.rb
...
...
@@ -20,7 +20,7 @@ def process_removed_attributes(attrs)
end
end
class
Default
Sanitizer
<
Sanitizer
class
Logger
Sanitizer
<
Sanitizer
attr_accessor
:logger
...
...
@@ -33,5 +33,15 @@ def process_removed_attributes(attrs)
self
.
logger
.
debug
"WARNING: Can't mass-assign protected attributes:
#{
attrs
.
join
(
', '
)
}
"
if
self
.
logger
end
end
class
StrictSanitizer
<
Sanitizer
def
process_removed_attributes
(
attrs
)
raise
ActiveModel
::
MassAssignmentSecurity
::
Error
,
"Can't mass-assign protected attributes:
#{
attrs
.
join
(
', '
)
}
"
end
end
class
Error
<
StandardError
end
end
end
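Review bot: Renaming `DefaultSanitizer` to `LoggerSanitizer` drops a public constant under `ActiveModel::MassAssignmentSecurity`, so any application or gem that subclasses or instantiates `DefaultSanitizer` for a custom sanitizer now fails with a `NameError`; a one-line alias after the class, `DefaultSanitizer = LoggerSanitizer # deprecated, use LoggerSanitizer`, keeps them working while the docs steer new code to the new name. Note also that the carried-over `LoggerSanitizer` message is written at `debug` level, so under the new `:logger` default a production logger at `info` records nothing when protected attributes are silently dropped — worth a comment on the class, e.g. `# Only visible when the logger is at :debug; use :strict to fail loudly.`, or raising the call to `warn` since the message itself says WARNING. `StrictSanitizer#process_removed_attributes` looks right provided the base `Sanitizer` (outside this hunk) only calls it with a non-empty list; otherwise every mass assignment would raise.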
activemodel/test/cases/mass_assignment_security/sanitizer_test.rb
...
...
@@ -12,24 +12,32 @@ def deny?(key)
end
def
setup
@sanitizer
=
ActiveModel
::
MassAssignmentSecurity
::
DefaultSanitizer
.
new
@logger_sanitizer
=
ActiveModel
::
MassAssignmentSecurity
::
LoggerSanitizer
.
new
@strict_sanitizer
=
ActiveModel
::
MassAssignmentSecurity
::
StrictSanitizer
.
new
@authorizer
=
Authorizer
.
new
end
test
"sanitize attributes"
do
original_attributes
=
{
'first_name'
=>
'allowed'
,
'admin'
=>
'denied'
}
attributes
=
@sanitizer
.
sanitize
(
original_attributes
,
@authorizer
)
attributes
=
@
logger_
sanitizer
.
sanitize
(
original_attributes
,
@authorizer
)
assert
attributes
.
key?
(
'first_name'
),
"Allowed key shouldn't be rejected"
assert
!
attributes
.
key?
(
'admin'
),
"Denied key should be rejected"
end
test
"debug mass assignment removal"
do
test
"debug mass assignment removal
with LoggerSanitizer
"
do
original_attributes
=
{
'first_name'
=>
'allowed'
,
'admin'
=>
'denied'
}
log
=
StringIO
.
new
@sanitizer
.
logger
=
Logger
.
new
(
log
)
@sanitizer
.
sanitize
(
original_attributes
,
@authorizer
)
@
logger_
sanitizer
.
logger
=
Logger
.
new
(
log
)
@
logger_
sanitizer
.
sanitize
(
original_attributes
,
@authorizer
)
assert_match
(
/admin/
,
log
.
string
,
"Should log removed attributes:
#{
log
.
string
}
"
)
end
test
"debug mass assignment removal with StrictSanitizer"
do
original_attributes
=
{
'first_name'
=>
'allowed'
,
'admin'
=>
'denied'
}
assert_raise
ActiveModel
::
MassAssignmentSecurity
::
Error
do
@strict_sanitizer
.
sanitize
(
original_attributes
,
@authorizer
)
end
end
end
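Review bot: The new StrictSanitizer test covers only the raising path; nothing asserts that `StrictSanitizer` still passes authorized attributes through unchanged, so a regression that raised unconditionally or returned an empty hash would go unnoticed. Add a case with only allowed keys, e.g. `assert_equal({ 'first_name' => 'allowed' }, @strict_sanitizer.sanitize({ 'first_name' => 'allowed' }, @authorizer))`. The `"sanitize attributes"` test likewise exercises only `@logger_sanitizer`; running the same allowed-key assertion against the strict sanitizer would document that both sanitizers agree on what survives.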