Fix config.active_record.whitelist_attributes with AR::Model

a205bf87 · Jon Leighton · e030f26a · a205bf87 · a205bf87 · a205bf87
4 changed file
--- a/activerecord/lib/active_record/attribute_assignment.rb
+++ b/activerecord/lib/active_record/attribute_assignment.rb
 require 'active_support/concern'

 module ActiveRecord
+  ActiveSupport.on_load(:active_record_config) do
+    mattr_accessor :whitelist_attributes, instance_accessor: false
+  end
+
  module AttributeAssignment
    extend ActiveSupport::Concern
    include ActiveModel::MassAssignmentSecurity

+    included do
+      attr_accessible(nil) if Model.whitelist_attributes
+    end
+
    module ClassMethods
+      def inherited(child) # :nodoc:
+        child.attr_accessible(nil) if Model.whitelist_attributes
+        super
+      end
+
      private

      # The primary key and inheritance column can never be set by mass-assignment for security reasons.

--- a/activerecord/lib/active_record/railtie.rb
+++ b/activerecord/lib/active_record/railtie.rb
@@ -68,9 +68,6 @@ class Railtie < Rails::Railtie

    initializer "active_record.set_configs" do |app|
      ActiveSupport.on_load(:active_record) do
-        if app.config.active_record.delete(:whitelist_attributes)
-          attr_accessible(nil)
-        end
        app.config.active_record.each do |k,v|
          send "#{k}=", v
        end

--- a/activerecord/test/cases/mass_assignment_security_test.rb
+++ b/activerecord/test/cases/mass_assignment_security_test.rb
@@ -251,6 +251,33 @@ def test_protection_against_class_attribute_writers
      assert !Task.new.respond_to?("#{method}=")
    end
  end
+
+  test "ActiveRecord::Model.whitelist_attributes works for models which include Model" do
+    begin
+      prev, ActiveRecord::Model.whitelist_attributes = ActiveRecord::Model.whitelist_attributes, true
+
+      klass = Class.new { include ActiveRecord::Model }
+      assert_equal ActiveModel::MassAssignmentSecurity::WhiteList, klass.active_authorizers[:default].class
+      assert_equal [], klass.active_authorizers[:default].to_a
+    ensure
+      ActiveRecord::Model.whitelist_attributes = prev
+    end
+  end
+
+  test "ActiveRecord::Model.whitelist_attributes works for models which inherit Base" do
+    begin
+      prev, ActiveRecord::Model.whitelist_attributes = ActiveRecord::Model.whitelist_attributes, true
+
+      klass = Class.new(ActiveRecord::Base)
+      assert_equal ActiveModel::MassAssignmentSecurity::WhiteList, klass.active_authorizers[:default].class
+      assert_equal [], klass.active_authorizers[:default].to_a
+
+      klass.attr_accessible 'foo'
+      assert_equal ['foo'], Class.new(klass).active_authorizers[:default].to_a
+    ensure
+      ActiveRecord::Model.whitelist_attributes = prev
+    end
+  end
 end



--- a/railties/test/application/configuration_test.rb
+++ b/railties/test/application/configuration_test.rb
@@ -374,9 +374,10 @@ def index

      require "#{app_path}/config/environment"

-      assert_equal ActiveModel::MassAssignmentSecurity::WhiteList,
-                   ActiveRecord::Base.active_authorizers[:default].class
-      assert_equal [], ActiveRecord::Base.active_authorizers[:default].to_a
+      klass = Class.new(ActiveRecord::Base)
+
+      assert_equal ActiveModel::MassAssignmentSecurity::WhiteList, klass.active_authorizers[:default].class
+      assert_equal [], klass.active_authorizers[:default].to_a
    end

    test "registers interceptors with ActionMailer" do