ActiveModel::MassAssignmentSecurity.mass_assignment_sanitizer method

In order to specify your own sanitize method Implemented .mass_assignment_sanitizer configuration option

ActiveModel::MassAssignmentSecurity.mass_assignment_sanitizer method
In order to specify your own sanitize method Implemented .mass_assignment_sanitizer configuration option
aa2639e7 · Bogdan Gusiev · 96525d63 · aa2639e7 · aa2639e7 · aa2639e7
3 changed file
--- a/activemodel/lib/active_model/mass_assignment_security.rb
+++ b/activemodel/lib/active_model/mass_assignment_security.rb
@@ -11,7 +11,13 @@ module MassAssignmentSecurity
      class_attribute :_accessible_attributes
      class_attribute :_protected_attributes
      class_attribute :_active_authorizer
-      class_attribute :mass_assignment_sanitizer
+
+      class_attribute :mass_assignment_sanitizer, :mass_assignment_sanitizers
+      self.mass_assignment_sanitizer = :logger
+      self.mass_assignment_sanitizers = {
+        :logger => LoggerSanitizer.new(self.respond_to?(:logger) && self.logger),
+        :strict => StrictSanitizer.new
+      }
    end

    # Mass assignment security provides an interface for protecting attributes
@@ -43,6 +49,16 @@ module MassAssignmentSecurity
    #
    #   end
    #
+    # = Configuration options
+    #
+    # * <tt>mass_assignment_sanitizer</tt> - Defines sanitize method. Possible values are:
+    #   * <tt>:logger</tt> (default) - writes filtered attributes to logger
+    #   * <tt>:strict</tt> - raise <tt>ActiveModel::MassAssignmentSecurity::Error</tt> on any protected attribute update
+    #
+    # You can specify your own sanitizer object eg. MySanitizer.new.
+    # See <tt>ActiveModel::MassAssignmentSecurity::LoggerSanitizer</tt> for example implementation.
+    #
+    # 
    module ClassMethods
      # Attributes named in this macro are protected from mass-assignment
      # whenever attributes are sanitized before assignment. A role for the
@@ -199,11 +215,13 @@ def accessible_attributes_configs
  protected

    def sanitize_for_mass_assignment(attributes, role = :default)
-      (mass_assignment_sanitizer || default_mass_assignment_sanitizer).sanitize(attributes, mass_assignment_authorizer(role))
-    end
-
-    def default_mass_assignment_sanitizer
-      DefaultSanitizer.new(self.respond_to?(:logger) && self.logger)
+      sanitizer = case mass_assignment_sanitizer
+                  when Symbol
+                    self.mass_assignment_sanitizers[mass_assignment_sanitizer]
+                  else
+                    mass_assignment_sanitizer
+                  end
+      sanitizer.sanitize(attributes, mass_assignment_authorizer(role))
    end

    def mass_assignment_authorizer(role = :default)

--- a/activemodel/lib/active_model/mass_assignment_security/sanitizer.rb
+++ b/activemodel/lib/active_model/mass_assignment_security/sanitizer.rb
@@ -20,7 +20,7 @@ def process_removed_attributes(attrs)
      end

    end
-    class DefaultSanitizer < Sanitizer
+    class LoggerSanitizer < Sanitizer

      attr_accessor :logger

@@ -33,5 +33,15 @@ def process_removed_attributes(attrs)
        self.logger.debug "WARNING: Can't mass-assign protected attributes: #{attrs.join(', ')}" if self.logger
      end
    end
+
+    class StrictSanitizer < Sanitizer
+      def process_removed_attributes(attrs)
+        raise ActiveModel::MassAssignmentSecurity::Error, "Can't mass-assign protected attributes: #{attrs.join(', ')}"
+      end
+    end
+
+    class Error < StandardError
+    end
+
  end
 end
--- a/activemodel/test/cases/mass_assignment_security/sanitizer_test.rb
+++ b/activemodel/test/cases/mass_assignment_security/sanitizer_test.rb
@@ -12,24 +12,32 @@ def deny?(key)
  end

  def setup
-    @sanitizer = ActiveModel::MassAssignmentSecurity::DefaultSanitizer.new
+    @logger_sanitizer = ActiveModel::MassAssignmentSecurity::LoggerSanitizer.new
+    @strict_sanitizer = ActiveModel::MassAssignmentSecurity::StrictSanitizer.new
    @authorizer = Authorizer.new
  end

  test "sanitize attributes" do
    original_attributes = { 'first_name' => 'allowed', 'admin' => 'denied' }
-    attributes = @sanitizer.sanitize(original_attributes, @authorizer)
+    attributes = @logger_sanitizer.sanitize(original_attributes, @authorizer)

    assert attributes.key?('first_name'), "Allowed key shouldn't be rejected"
    assert !attributes.key?('admin'),     "Denied key should be rejected"
  end

-  test "debug mass assignment removal" do
+  test "debug mass assignment removal with LoggerSanitizer" do
    original_attributes = { 'first_name' => 'allowed', 'admin' => 'denied' }
    log = StringIO.new
-    @sanitizer.logger = Logger.new(log)
-    @sanitizer.sanitize(original_attributes, @authorizer)
+    @logger_sanitizer.logger = Logger.new(log)
+    @logger_sanitizer.sanitize(original_attributes, @authorizer)
    assert_match(/admin/, log.string, "Should log removed attributes: #{log.string}")
  end

+  test "debug mass assignment removal with StrictSanitizer" do
+    original_attributes = { 'first_name' => 'allowed', 'admin' => 'denied' }
+    assert_raise ActiveModel::MassAssignmentSecurity::Error do
+      @strict_sanitizer.sanitize(original_attributes, @authorizer)
+    end
+  end
+
 end