add allow_active_record_expects option to ActionWebService::API::Base,

but set the default to false so people don't use it without thinking about the consequences. git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@815 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2022-11-09 12:12:34 -05:00 · 2005-02-28 22:42:24 +00:00 · 2005-02-28 22:42:24 +00:00 · 6b93952ae6
commit 6b93952ae6
parent 4ba8d08481
2 changed files with 11 additions and 1 deletions
--- a/actionwebservice/lib/action_web_service/api/base.rb
+++ b/actionwebservice/lib/action_web_service/api/base.rb
@ -13,6 +13,12 @@ module ActionWebService # :nodoc:
      # Whether to transform the public API method names into camel-cased names 
      class_inheritable_option :inflect_names, true

+      # Whether to allow ActiveRecord::Base models in <tt>:expects</tt>.
+      # The default is +false+, you should be aware of the security implications
+      # of allowing this, and ensure that you don't allow remote callers to
+      # easily overwrite data they should not have access to.
+      class_inheritable_option :allow_active_record_expects, false
+
      # If present, the name of a method to call when the remote caller
      # tried to call a nonexistent method. Semantically equivalent to
      # +method_missing+.
@ -64,7 +70,7 @@ module ActionWebService # :nodoc:
            expects.each do |param|
              klass = WS::BaseTypes.canonical_param_type_class(param)
              klass = klass[0] if klass.is_a?(Array)
-              if klass.ancestors.include?(ActiveRecord::Base)
+              if klass.ancestors.include?(ActiveRecord::Base) && !allow_active_record_expects
                raise(ActionWebServiceError, "ActiveRecord model classes not allowed in :expects")
              end
            end
--- a/actionwebservice/test/api_test.rb
+++ b/actionwebservice/test/api_test.rb
@ -56,6 +56,10 @@ class TC_API < Test::Unit::TestCase
        api_method :test, :expects => [ActiveRecord::Base]
      end
    end
+    klass = Class.new(ActionWebService::API::Base) do
+      allow_active_record_expects true
+      api_method :test2, :expects => [ActiveRecord::Base]
+    end
    assert_raises(ActionWebService::ActionWebServiceError) do
      klass = Class.new(ActionWebService::API::Base) do
        api_method :test, :invalid => [:int]