rails--rails/activemodel/lib/active_model/mass_assignment_security/sanitizer.rb

require 'active_support/core_ext/module/delegation'

module ActiveModel
  module MassAssignmentSecurity
    class Sanitizer
      def initialize(target=nil)
      end

      # Returns all attributes not denied by the authorizer.
      def sanitize(attributes, authorizer)
        sanitized_attributes = attributes.reject { |key, value| authorizer.deny?(key) }
        debug_protected_attribute_removal(attributes, sanitized_attributes)
        sanitized_attributes
      end

    protected

      def debug_protected_attribute_removal(attributes, sanitized_attributes)
        removed_keys = attributes.keys - sanitized_attributes.keys
        process_removed_attributes(removed_keys) if removed_keys.any?
      end

      def process_removed_attributes(attrs)
        raise NotImplementedError, "#process_removed_attributes(attrs) suppose to be overwritten"
      end
    end

    class LoggerSanitizer < Sanitizer
      delegate :logger, :to => :@target

      def initialize(target)
        @target = target
        super
      end

      def logger?
        @target.respond_to?(:logger) && @target.logger
      end

      def process_removed_attributes(attrs)
        logger.debug "WARNING: Can't mass-assign protected attributes: #{attrs.join(', ')}" if logger?
      end
    end

    class StrictSanitizer < Sanitizer
      def process_removed_attributes(attrs)
        return if (attrs - insensitive_attributes).empty?
        raise ActiveModel::MassAssignmentSecurity::Error, "Can't mass-assign protected attributes: #{attrs.join(', ')}"
      end

      def insensitive_attributes
        ['id']
      end
    end

    class Error < StandardError
    end
  end
end
Transform the symbol into a constant lookup. 2011-05-31 06:24:30 -04:00			`require 'active_support/core_ext/module/delegation'`

mass_assignment_security moved from AR to AMo, and minor test cleanup Signed-off-by: José Valim <jose.valim@gmail.com> 2010-07-08 12:16:36 -04:00			`module ActiveModel`
Mass assignment security refactoring Signed-off-by: José Valim <jose.valim@gmail.com> 2010-01-29 20:02:12 -05:00			`module MassAssignmentSecurity`
MassAssignmentSecurity: add ability to specify your own sanitizer Added an ability to specify your own behavior on mass assingment protection, controlled by option: ActiveModel::MassAssignmentSecurity.mass_assignment_sanitizer 2011-05-26 08:58:43 -04:00			`class Sanitizer`
Transform the symbol into a constant lookup. 2011-05-31 06:24:30 -04:00			`def initialize(target=nil)`
			`end`

Mass assignment security refactoring Signed-off-by: José Valim <jose.valim@gmail.com> 2010-01-29 20:02:12 -05:00			`# Returns all attributes not denied by the authorizer.`
MassAssignmentSecurity: add ability to specify your own sanitizer Added an ability to specify your own behavior on mass assingment protection, controlled by option: ActiveModel::MassAssignmentSecurity.mass_assignment_sanitizer 2011-05-26 08:58:43 -04:00			`def sanitize(attributes, authorizer)`
			`sanitized_attributes = attributes.reject { \|key, value\| authorizer.deny?(key) }`
Change documentation for ActiveModel::MassAssignmentSecurity a bit and make debug always be called since some people may overwrite warn! to add extra behavior even if logger is not available. 2010-07-08 13:02:34 -04:00			`debug_protected_attribute_removal(attributes, sanitized_attributes)`
Mass assignment security refactoring Signed-off-by: José Valim <jose.valim@gmail.com> 2010-01-29 20:02:12 -05:00			`sanitized_attributes`
			`end`

Change documentation for ActiveModel::MassAssignmentSecurity a bit and make debug always be called since some people may overwrite warn! to add extra behavior even if logger is not available. 2010-07-08 13:02:34 -04:00			`protected`
Mass assignment security refactoring Signed-off-by: José Valim <jose.valim@gmail.com> 2010-01-29 20:02:12 -05:00
Change documentation for ActiveModel::MassAssignmentSecurity a bit and make debug always be called since some people may overwrite warn! to add extra behavior even if logger is not available. 2010-07-08 13:02:34 -04:00			`def debug_protected_attribute_removal(attributes, sanitized_attributes)`
			`removed_keys = attributes.keys - sanitized_attributes.keys`
MassAssignmentSecurity: add ability to specify your own sanitizer Added an ability to specify your own behavior on mass assingment protection, controlled by option: ActiveModel::MassAssignmentSecurity.mass_assignment_sanitizer 2011-05-26 08:58:43 -04:00			`process_removed_attributes(removed_keys) if removed_keys.any?`
Change documentation for ActiveModel::MassAssignmentSecurity a bit and make debug always be called since some people may overwrite warn! to add extra behavior even if logger is not available. 2010-07-08 13:02:34 -04:00			`end`
Remove trailing whitespaces 2011-06-12 11:31:21 -04:00
MassAssignmentSecurity: add ability to specify your own sanitizer Added an ability to specify your own behavior on mass assingment protection, controlled by option: ActiveModel::MassAssignmentSecurity.mass_assignment_sanitizer 2011-05-26 08:58:43 -04:00			`def process_removed_attributes(attrs)`
			`raise NotImplementedError, "#process_removed_attributes(attrs) suppose to be overwritten"`
			`end`
			`end`
Transform the symbol into a constant lookup. 2011-05-31 06:24:30 -04:00
ActiveModel::MassAssignmentSecurity.mass_assignment_sanitizer method In order to specify your own sanitize method Implemented .mass_assignment_sanitizer configuration option 2011-05-30 04:34:00 -04:00			`class LoggerSanitizer < Sanitizer`
Transform the symbol into a constant lookup. 2011-05-31 06:24:30 -04:00			`delegate :logger, :to => :@target`
minor changes to mass assignment security patch to bring it in line with rails standards Signed-off-by: José Valim <jose.valim@gmail.com> 2010-07-07 11:05:42 -04:00
Transform the symbol into a constant lookup. 2011-05-31 06:24:30 -04:00			`def initialize(target)`
			`@target = target`
			`super`
			`end`
MassAssignmentSecurity: add ability to specify your own sanitizer Added an ability to specify your own behavior on mass assingment protection, controlled by option: ActiveModel::MassAssignmentSecurity.mass_assignment_sanitizer 2011-05-26 08:58:43 -04:00
Transform the symbol into a constant lookup. 2011-05-31 06:24:30 -04:00			`def logger?`
			`@target.respond_to?(:logger) && @target.logger`
MassAssignmentSecurity: add ability to specify your own sanitizer Added an ability to specify your own behavior on mass assingment protection, controlled by option: ActiveModel::MassAssignmentSecurity.mass_assignment_sanitizer 2011-05-26 08:58:43 -04:00			`end`
Transform the symbol into a constant lookup. 2011-05-31 06:24:30 -04:00
MassAssignmentSecurity: add ability to specify your own sanitizer Added an ability to specify your own behavior on mass assingment protection, controlled by option: ActiveModel::MassAssignmentSecurity.mass_assignment_sanitizer 2011-05-26 08:58:43 -04:00			`def process_removed_attributes(attrs)`
Transform the symbol into a constant lookup. 2011-05-31 06:24:30 -04:00			`logger.debug "WARNING: Can't mass-assign protected attributes: #{attrs.join(', ')}" if logger?`
Change documentation for ActiveModel::MassAssignmentSecurity a bit and make debug always be called since some people may overwrite warn! to add extra behavior even if logger is not available. 2010-07-08 13:02:34 -04:00			`end`
Mass assignment security refactoring Signed-off-by: José Valim <jose.valim@gmail.com> 2010-01-29 20:02:12 -05:00			`end`
ActiveModel::MassAssignmentSecurity.mass_assignment_sanitizer method In order to specify your own sanitize method Implemented .mass_assignment_sanitizer configuration option 2011-05-30 04:34:00 -04:00
			`class StrictSanitizer < Sanitizer`
			`def process_removed_attributes(attrs)`
MassAssignmentProtection: consider 'id' insensetive in StrictSanitizer In order to use StrictSanitizer in test mode Consider :id as not sensetive attribute that can be filtered from mass assignement without exception. 2011-07-28 04:56:08 -04:00			`return if (attrs - insensitive_attributes).empty?`
ActiveModel::MassAssignmentSecurity.mass_assignment_sanitizer method In order to specify your own sanitize method Implemented .mass_assignment_sanitizer configuration option 2011-05-30 04:34:00 -04:00			`raise ActiveModel::MassAssignmentSecurity::Error, "Can't mass-assign protected attributes: #{attrs.join(', ')}"`
			`end`
MassAssignmentProtection: consider 'id' insensetive in StrictSanitizer In order to use StrictSanitizer in test mode Consider :id as not sensetive attribute that can be filtered from mass assignement without exception. 2011-07-28 04:56:08 -04:00
			`def insensitive_attributes`
			`['id']`
			`end`
ActiveModel::MassAssignmentSecurity.mass_assignment_sanitizer method In order to specify your own sanitize method Implemented .mass_assignment_sanitizer configuration option 2011-05-30 04:34:00 -04:00			`end`

			`class Error < StandardError`
			`end`
Mass assignment security refactoring Signed-off-by: José Valim <jose.valim@gmail.com> 2010-01-29 20:02:12 -05:00			`end`
			`end`