mirror of
https://github.com/rails/rails.git
synced 2022-11-09 12:12:34 -05:00
add allow_active_record_expects option to ActionWebService::API::Base,
but set the default to false so people don't use it without thinking about the consequences. git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@815 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
parent
4ba8d08481
commit
6b93952ae6
2 changed files with 11 additions and 1 deletions
|
@ -13,6 +13,12 @@ module ActionWebService # :nodoc:
|
|||
# Whether to transform the public API method names into camel-cased names
|
||||
class_inheritable_option :inflect_names, true
|
||||
|
||||
# Whether to allow ActiveRecord::Base models in <tt>:expects</tt>.
|
||||
# The default is +false+, you should be aware of the security implications
|
||||
# of allowing this, and ensure that you don't allow remote callers to
|
||||
# easily overwrite data they should not have access to.
|
||||
class_inheritable_option :allow_active_record_expects, false
|
||||
|
||||
# If present, the name of a method to call when the remote caller
|
||||
# tried to call a nonexistent method. Semantically equivalent to
|
||||
# +method_missing+.
|
||||
|
@ -64,7 +70,7 @@ module ActionWebService # :nodoc:
|
|||
expects.each do |param|
|
||||
klass = WS::BaseTypes.canonical_param_type_class(param)
|
||||
klass = klass[0] if klass.is_a?(Array)
|
||||
if klass.ancestors.include?(ActiveRecord::Base)
|
||||
if klass.ancestors.include?(ActiveRecord::Base) && !allow_active_record_expects
|
||||
raise(ActionWebServiceError, "ActiveRecord model classes not allowed in :expects")
|
||||
end
|
||||
end
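Review bot: The guard inside `expects.each` appears to run when `api_method` is declared (the test file shows the declaration itself raising), so `allow_active_record_expects true` only affects declarations that follow it, and the option's comment does not say this. The comment also leaves "security implications" unspecified; going by its own last line, the risk is that a remote caller supplies the attribute values of the model the action receives, presumably including keys or ownership columns the action never meant to expose. Because this is a `class_inheritable_option`, subclasses of an API that enables it presumably inherit the setting, which is worth stating as well. Suggested addition to the comment: `# Must be set before the api_method declarations it applies to. Callers control every attribute of the received model, so copy or validate only the expected fields before saving.` The method enclosing the second hunk starts and ends outside it.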
|
||||
|
|
|
@ -56,6 +56,10 @@ class TC_API < Test::Unit::TestCase
|
|||
api_method :test, :expects => [ActiveRecord::Base]
|
||||
end
|
||||
end
|
||||
klass = Class.new(ActionWebService::API::Base) do
|
||||
allow_active_record_expects true
|
||||
api_method :test2, :expects => [ActiveRecord::Base]
|
||||
end
|
||||
assert_raises(ActionWebService::ActionWebServiceError) do
|
||||
klass = Class.new(ActionWebService::API::Base) do
|
||||
api_method :test, :invalid => [:int]
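Review bot: The added `Class.new` block declaring `:test2` asserts nothing; it passes only because no exception escapes, so a regression that accepted the declaration but mishandled the parameter would go unnoticed. Wrapping it in `assert_nothing_raised do ... end` would make the intent explicit. There is also no case for a subclass of an API that enabled the option, nor for `allow_active_record_expects true` placed after `api_method`, which are the two situations where the default-deny behaviour is most likely to be misunderstood. The enclosing test method starts and ends outside the hunk.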
|
||||
|
|