module Devise
|
2013-04-10 11:33:50 -04:00
|
|
|
class BaseSanitizer
|
2013-04-14 02:21:46 -04:00
|
|
|
attr_reader :params, :resource_name, :resource_class
|
2013-03-13 12:37:54 -04:00
|
|
|
|
2013-04-14 02:21:46 -04:00
|
|
|
def initialize(resource_class, resource_name, params)
|
|
|
|
@resource_class = resource_class
|
|
|
|
@resource_name = resource_name
|
|
|
|
@params = params
|
|
|
|
@blocks = Hash.new
|
2013-04-10 11:33:50 -04:00
|
|
|
end
|
|
|
|
|
2013-04-14 02:21:46 -04:00
|
|
|
def for(kind, &block)
|
|
|
|
if block_given?
|
|
|
|
@blocks[kind] = block
|
|
|
|
else
|
2013-08-11 16:18:29 -04:00
|
|
|
default_for(kind)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def sanitize(kind)
|
|
|
|
if block = @blocks[kind]
|
|
|
|
block.call(default_params)
|
|
|
|
else
|
2013-08-12 09:36:29 -04:00
|
|
|
default_sanitize(kind)
|
2013-04-14 02:21:46 -04:00
|
|
|
end
|
2013-04-10 11:33:50 -04:00
|
|
|
end
|
|
|
|
|
2013-04-14 02:21:46 -04:00
|
|
|
private
|
|
|
|
|
2013-08-11 16:18:29 -04:00
|
|
|
def default_for(kind)
|
2013-08-12 09:36:29 -04:00
|
|
|
raise ArgumentError, "a block is expected in Devise base sanitizer"
|
|
|
|
end
|
|
|
|
|
|
|
|
def default_sanitize(kind)
|
2013-04-10 11:33:50 -04:00
|
|
|
default_params
|
|
|
|
end
|
2013-04-14 02:21:46 -04:00
|
|
|
|
|
|
|
def default_params
|
|
|
|
params.fetch(resource_name, {})
|
|
|
|
end
|
2013-04-10 11:33:50 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
class ParameterSanitizer < BaseSanitizer
|
2013-08-11 16:18:29 -04:00
|
|
|
def initialize(*)
|
|
|
|
super
|
|
|
|
@permitted = Hash.new { |h,k| h[k] = attributes_for(k) }
|
|
|
|
end
|
2013-08-11 14:47:18 -04:00
|
|
|
|
2013-08-11 16:18:29 -04:00
|
|
|
def sign_in
|
2013-10-31 09:38:30 -04:00
|
|
|
permit self.for(:sign_in)
|
2013-08-11 16:18:29 -04:00
|
|
|
end
|
2013-08-11 14:47:18 -04:00
|
|
|
|
2013-08-11 16:18:29 -04:00
|
|
|
def sign_up
|
2013-10-31 09:38:30 -04:00
|
|
|
permit self.for(:sign_up)
|
2013-08-11 14:47:18 -04:00
|
|
|
end
|
|
|
|
|
2013-08-11 16:18:29 -04:00
|
|
|
def account_update
|
2013-10-31 09:38:30 -04:00
|
|
|
permit self.for(:account_update)
|
2013-08-11 14:47:18 -04:00
|
|
|
end
|
|
|
|
|
2013-04-14 02:21:46 -04:00
|
|
|
private
|
2013-04-10 11:33:50 -04:00
|
|
|
|
2013-10-31 09:39:52 -04:00
|
|
|
# TODO: We do need to flatten so it works with strong_parameters
|
|
|
|
# gem. We should drop it once we move to Rails 4 only support.
|
2013-10-31 09:38:30 -04:00
|
|
|
def permit(keys)
|
|
|
|
default_params.permit(*Array(keys))
|
|
|
|
end
|
|
|
|
|
2013-08-11 16:18:29 -04:00
|
|
|
# Change for(kind) to return the values in the @permitted
|
|
|
|
# hash, allowing the developer to customize at runtime.
|
|
|
|
def default_for(kind)
|
|
|
|
@permitted[kind] || raise("No sanitizer provided for #{kind}")
|
|
|
|
end
|
|
|
|
|
2013-08-12 09:36:29 -04:00
|
|
|
def default_sanitize(kind)
|
|
|
|
if respond_to?(kind, true)
|
|
|
|
send(kind)
|
|
|
|
else
|
|
|
|
raise NotImplementedError, "Devise doesn't know how to sanitize parameters for #{kind}"
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2013-08-11 16:18:29 -04:00
|
|
|
def attributes_for(kind)
|
|
|
|
case kind
|
|
|
|
when :sign_in
|
|
|
|
auth_keys + [:password, :remember_me]
|
|
|
|
when :sign_up
|
|
|
|
auth_keys + [:password, :password_confirmation]
|
|
|
|
when :account_update
|
|
|
|
auth_keys + [:password, :password_confirmation, :current_password]
|
2013-04-14 02:21:46 -04:00
|
|
|
end
|
2013-03-13 12:37:54 -04:00
|
|
|
end
|
|
|
|
|
2013-08-11 16:18:29 -04:00
|
|
|
def auth_keys
|
|
|
|
@auth_keys ||= @resource_class.authentication_keys.respond_to?(:keys) ?
|
|
|
|
@resource_class.authentication_keys.keys : @resource_class.authentication_keys
|
|
|
|
end
|
2013-03-13 12:37:54 -04:00
|
|
|
end
|
|
|
|
end