protected_attributes 1.0.8 → 1.0.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 36faf1653ed8ee17a3e6b1ae5bccb2ba3bd0b546
-  data.tar.gz: 614f266410d2a0885bd6d496927cdc5c0e4c9ae3
+  metadata.gz: 07a8c210afe27e08b760e2f61b86a60c6980ec1a
+  data.tar.gz: cb8ef9666fc6b0a73161f1d06a0cfd097edfc7cd
 SHA512:
-  metadata.gz: a775497367e9893d23a26983ec37e8c2110a79e13e3a215a94785f18d43e215d5e42ce176325fd5c09ac8a65b771a35630f377536e05b0712c62cf52f73a7818
-  data.tar.gz: cb338465c2fa0f8d37e491f21e411cd195c7d3a875a8d700477c47ab22a17b0687f0ba527da278d1b314707188ea0ddb2197bfcad8d934d28f9fb50f9b7d7b6a
+  metadata.gz: c6c29a159034c283fd0e77c2b5ddf1469655bce17916e801668d01e8e104c6e4142621c01c75966f0333413c0d7e7179b8c22aa4bf8a03966f0a71334850316b
+  data.tar.gz: d9e314e1e6b925ba6a34fb68b813999c1ffa00d29e4b32ca59eb8f523e35102d5c3098606410ae5cd702756737a1f0bacfa3d3e6b2d6ac01c1388c1bd42df771

data/README.md

@@ -1,11 +1,13 @@
 # ProtectedAttributes
 
-[![Build Status](https://travis-ci.org/rails/protected_attributes.png)](https://travis-ci.org/rails/protected_attributes)
+[![Build Status](https://api.travis-ci.org/rails/protected_attributes.svg?branch=master)](https://travis-ci.org/rails/protected_attributes)
 
 Protect attributes from mass-assignment in ActiveRecord models.
 
 This plugin adds `attr_accessible` and `attr_protected` in your models.
 
+Note: This plugin will be officially supported until the release of Rails 5.0
+
 ## Installation
 
 Add this line to your application's Gemfile:
@@ -105,6 +107,18 @@ class AccountsController < ApplicationController
   end
 end
 ```
+
+### Errors
+
+By default, errors will not be raised if the user passes attributes in the params hash which are not allowed to be updated.
+If you want the functionality where exceptions (`ActiveModel::MassAssignmentSecurity::Error`) are raised.  Add to your config
+the strict flag:
+
+```ruby
+config.active_record.mass_assignment_sanitizer = :strict
+```
+
+
 ## Contributing
 
 1. Fork it

data/lib/active_model/mass_assignment_security.rb

@@ -206,7 +206,7 @@ module ActiveModel
       #   end
       #
       #   Customer.protected_attributes
-      #   # => #<ActiveModel::MassAssignmentSecurity::BlackList: {"logins_count"}>
+      #   # => #<ActiveModel::MassAssignmentSecurity::BlackList: {"logins_count"}>
       #
       #   Customer.protected_attributes(:default)
       #   # => #<ActiveModel::MassAssignmentSecurity::BlackList: {"logins_count"}>
@@ -255,10 +255,10 @@ module ActiveModel
       #   end
       #
       #   Customer.active_authorizers
-      #   # => {
+      #   # => {
       #   #       :admin=> #<ActiveModel::MassAssignmentSecurity::WhiteList: {"name", "credit_rating"}>,
       #   #       :default=>#<ActiveModel::MassAssignmentSecurity::WhiteList: {"name"}>
-      #   #    }
+      #   #    }
       def active_authorizers
         self._active_authorizer ||= protected_attributes_configs
       end

data/lib/active_model/mass_assignment_security/sanitizer.rb

@@ -33,7 +33,7 @@ module ActiveModel
       end
 
       def backtrace
-        if defined? Rails
+        if defined? Rails.backtrace_cleaner
           Rails.backtrace_cleaner.clean(caller)
         else
           caller

data/lib/active_record/mass_assignment_security/associations.rb

@@ -65,6 +65,22 @@ module ActiveRecord
       end
     end
 
+    module ThroughAssociation
+
+      private
+
+        def build_record(attributes, options={})
+          inverse = source_reflection.inverse_of
+          target = through_association.target
+
+          if inverse && target && !target.is_a?(Array)
+            attributes[inverse.foreign_key] = target.id
+          end
+
+          super(attributes, options)
+        end
+    end
+
     class HasManyThroughAssociation
       def build_record(attributes, options = {})
         ensure_not_nested

data/lib/active_record/mass_assignment_security/persistence.rb

@@ -57,7 +57,7 @@ module ActiveRecord
       # If no +:as+ option is supplied then the +:default+ role will be used.
       # If you want to bypass the forbidden attributes protection then you can do so using
       # the +:without_protection+ option.
-      def update_attributes(attributes, options = {})
+      def update(attributes, options = {})
         # The following transaction covers any possible database side-effects of the
         # attributes assignment. For example, setting the IDs of a child collection.
         with_transaction_returning_status do
@@ -65,10 +65,11 @@ module ActiveRecord
           save
         end
       end
+      alias :update_attributes :update
 
       # Updates its receiver just like +update_attributes+ but calls <tt>save!</tt> instead
       # of +save+, so an exception is raised if the record is invalid.
-      def update_attributes!(attributes, options = {})
+      def update!(attributes, options = {})
         # The following transaction covers any possible database side-effects of the
         # attributes assignment. For example, setting the IDs of a child collection.
         with_transaction_returning_status do
@@ -76,6 +77,7 @@ module ActiveRecord
           save!
         end
       end
+      alias :update_attributes! :update!
     end
   end
 end

data/lib/active_record/mass_assignment_security/reflection.rb

@@ -1,8 +1,16 @@
 module ActiveRecord
   module Reflection
-    class AssociationReflection
-      def build_association(*options, &block)
-        klass.new(*options, &block)
+    if defined?(AbstractReflection)
+      class AbstractReflection
+        def build_association(*options, &block)
+          klass.new(*options, &block)
+        end
+      end
+    else
+      class AssociationReflection
+        def build_association(*options, &block)
+          klass.new(*options, &block)
+        end
       end
     end
   end

data/lib/protected_attributes.rb

@@ -1,5 +1,5 @@
 require "active_model/mass_assignment_security"
-require "protected_attributes/railtie" if defined? Rails
+require "protected_attributes/railtie" if defined? Rails::Railtie
 require "protected_attributes/version"
 
 ActiveSupport.on_load :active_record do

data/lib/protected_attributes/railtie.rb

@@ -1,5 +1,3 @@
-require 'rails/railtie'
-
 module ProtectedAttributes
   class Railtie < ::Rails::Railtie
     config.before_configuration do |app|

data/lib/protected_attributes/version.rb

@@ -1,3 +1,3 @@
 module ProtectedAttributes
-  VERSION = "1.0.8"
+  VERSION = "1.0.9"
 end

data/test/ar_helper.rb

@@ -50,6 +50,7 @@ ActiveRecord::Schema.define do
   end
 
   create_table :pirates, :force => true do |t|
+    t.string :name
   end
 
   create_table :groups, :force => true do |t|

data/test/attribute_sanitization_test.rb

@@ -1,11 +1,18 @@
 require 'test_helper'
 require 'ar_helper'
 require 'active_record/mass_assignment_security'
+require 'models/battle'
 require 'models/company'
-require 'models/subscriber'
+require 'models/group'
 require 'models/keyboard'
-require 'models/task'
+require 'models/membership'
 require 'models/person'
+require 'models/pirate'
+require 'models/subscriber'
+require 'models/task'
+require 'models/team'
+require 'models/vampire'
+require 'models/wolf'
 
 module MassAssignmentTestHelpers
   def teardown
@@ -276,6 +283,86 @@ class AttributeSanitizationTest < ActiveSupport::TestCase
   def test_new_with_unrelated_inheritance_column_class
     assert_raise(ActiveRecord::SubclassNotFound) { Corporation.new(type: "Person") }
   end
+
+  def test_update_attributes_as_admin
+    person = TightPerson.create({ "first_name" => 'Joshua' })
+    person.update_attributes({ "first_name" => 'Josh', "gender" => 'm', "comments" => 'from NZ' }, :as => :admin)
+    person.reload
+
+    assert_equal 'Josh',    person.first_name
+    assert_equal 'm',       person.gender
+    assert_equal 'from NZ', person.comments
+  end
+
+  def test_update_attributes_without_protection
+    person = TightPerson.create({ "first_name" => 'Joshua' })
+    person.update_attributes({ "first_name" => 'Josh', "gender" => 'm', "comments" => 'from NZ' }, :without_protection => true)
+    person.reload
+
+    assert_equal 'Josh',    person.first_name
+    assert_equal 'm',       person.gender
+    assert_equal 'from NZ', person.comments
+  end
+
+  def test_update_attributes_with_bang_as_admin
+    person = TightPerson.create({ "first_name" => 'Joshua' })
+    person.update_attributes!({ "first_name" => 'Josh', "gender" => 'm', "comments" => 'from NZ' }, :as => :admin)
+    person.reload
+
+    assert_equal 'Josh', person.first_name
+    assert_equal 'm',    person.gender
+    assert_equal 'from NZ', person.comments
+  end
+
+  def test_update_attributes_with_bang_without_protection
+    person = TightPerson.create({ "first_name" => 'Joshua' })
+    person.update_attributes!({ "first_name" => 'Josh', "gender" => 'm', "comments" => 'from NZ' }, :without_protection => true)
+    person.reload
+
+    assert_equal 'Josh', person.first_name
+    assert_equal 'm',    person.gender
+    assert_equal 'from NZ', person.comments
+  end
+
+  def test_update_as_admin
+    person = TightPerson.create({ "first_name" => 'Joshua' })
+    person.update({ "first_name" => 'Josh', "gender" => 'm', "comments" => 'from NZ' }, :as => :admin)
+    person.reload
+
+    assert_equal 'Josh',    person.first_name
+    assert_equal 'm',       person.gender
+    assert_equal 'from NZ', person.comments
+  end
+
+  def test_update_without_protection
+    person = TightPerson.create({ "first_name" => 'Joshua' })
+    person.update({ "first_name" => 'Josh', "gender" => 'm', "comments" => 'from NZ' }, :without_protection => true)
+    person.reload
+
+    assert_equal 'Josh',    person.first_name
+    assert_equal 'm',       person.gender
+    assert_equal 'from NZ', person.comments
+  end
+
+  def test_update_with_bang_as_admin
+    person = TightPerson.create({ "first_name" => 'Joshua' })
+    person.update!({ "first_name" => 'Josh', "gender" => 'm', "comments" => 'from NZ' }, :as => :admin)
+    person.reload
+
+    assert_equal 'Josh', person.first_name
+    assert_equal 'm',    person.gender
+    assert_equal 'from NZ', person.comments
+  end
+
+  def test_update_with_bang_without_protection
+    person = TightPerson.create({ "first_name" => 'Joshua' })
+    person.update!({ "first_name" => 'Josh', "gender" => 'm', "comments" => 'from NZ' }, :without_protection => true)
+    person.reload
+
+    assert_equal 'Josh', person.first_name
+    assert_equal 'm',    person.gender
+    assert_equal 'from NZ', person.comments
+  end
 end
 
 
@@ -595,6 +682,12 @@ class MassAssignmentSecurityHasManyRelationsTest < ActiveSupport::TestCase
     end
   end
 
+  def test_has_many_through_build_with_attr_accessible_attributes
+    group = Group.create!
+    pirate = group.members.build(name: "Murphy")
+    assert_equal "Murphy", pirate.name
+  end
+
   # new
 
   def test_has_many_new_with_attr_protected_attributes
@@ -697,6 +790,24 @@ class MassAssignmentSecurityHasManyRelationsTest < ActiveSupport::TestCase
     end
   end
 
+  # concat
+
+  def test_concat_has_many_through_association_member
+    group = Group.create!
+    pirate = Pirate.create!
+    group.members << pirate
+    assert_equal pirate.memberships.first, group.memberships.first
+  end
+
+  def test_concat_has_many_through_polymorphic_association
+    team = Team.create!
+    vampire = Vampire.create!
+    wolf = Wolf.create!
+
+    team.vampire_battles << vampire
+    wolf.teams << team
+    assert_equal team.wolf_battles.first, wolf
+  end
 end
 
 

data/test/mass_assignment_security_test.rb

@@ -1,13 +1,6 @@
 require 'test_helper'
 require 'active_model/mass_assignment_security'
 require 'models/mass_assignment_specific'
-require 'models/pirate'
-require 'models/group'
-require 'models/membership'
-require 'models/battle'
-require 'models/vampire'
-require 'models/wolf'
-require 'models/team'
 
 class CustomSanitizer < ActiveModel::MassAssignmentSecurity::Sanitizer
 
@@ -122,21 +115,4 @@ class MassAssignmentSecurityTest < ActiveModel::TestCase
   ensure
     User.mass_assignment_sanitizer = old_sanitizer
   end
-
-  def test_concat_has_many_through_association_member
-    group = Group.create!
-    pirate = Pirate.create!
-    group.members << pirate
-    assert_equal pirate.memberships.first, group.memberships.first
-  end
-
-  def test_concat_has_many_through_polymorphic_association
-    team = Team.create!
-    vampire = Vampire.create!
-    wolf = Wolf.create!
-
-    team.vampire_battles << vampire
-    wolf.teams << team
-    assert_equal team.wolf_battles.first, wolf
-  end
 end

data/test/models/pirate.rb

@@ -1,5 +1,5 @@
 class Pirate < ActiveRecord::Base
   self.mass_assignment_sanitizer = :strict
-
+  attr_accessible :name
   has_many :memberships
 end

data/test/test_helper.rb

@@ -1,3 +1,4 @@
 require 'bundler/setup'
 require 'minitest/autorun'
 require 'mocha/api'
+require 'rails'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: protected_attributes
 version: !ruby/object:Gem::Version
-  version: 1.0.8
+  version: 1.0.9
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-06-16 00:00:00.000000000 Z
+date: 2015-03-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activemodel
@@ -70,6 +70,26 @@ dependencies:
     - - "<"
       - !ruby/object:Gem::Version
         version: '5.0'
+- !ruby/object:Gem::Dependency
+  name: railties
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.0.1
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.0.1
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '5.0'
 - !ruby/object:Gem::Dependency
   name: sqlite3
   requirement: !ruby/object:Gem::Requirement
@@ -167,7 +187,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.2.2
+rubygems_version: 2.4.5
 signing_key: 
 specification_version: 4
 summary: Protect attributes from mass assignment in Active Record models