kotovalexarian-likes-github/rails--rails
1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
Code Releases Activity
rails--rails/activemodel/test/cases/mass_assignment_security/sanitizer_test.rb

50 lines
1.7 KiB
Ruby
Raw Blame History

require "cases/helper"
require 'active_support/logger'
class SanitizerTest < ActiveModel::TestCase
attr_accessor :logger
class Authorizer < ActiveModel::MassAssignmentSecurity::PermissionSet
def deny?(key)
['admin', 'id'].include?(key)
end
end
def setup
@logger_sanitizer = ActiveModel::MassAssignmentSecurity::LoggerSanitizer.new(self)
@strict_sanitizer = ActiveModel::MassAssignmentSecurity::StrictSanitizer.new(self)
@authorizer = Authorizer.new
end
test "sanitize attributes" do
original_attributes = { 'first_name' => 'allowed', 'admin' => 'denied' }
attributes = @logger_sanitizer.sanitize(self.class, original_attributes, @authorizer)
assert attributes.key?('first_name'), "Allowed key shouldn't be rejected"
assert !attributes.key?('admin'), "Denied key should be rejected"
end
test "debug mass assignment removal with LoggerSanitizer" do
original_attributes = { 'first_name' => 'allowed', 'admin' => 'denied' }
log = StringIO.new
self.logger = ActiveSupport::Logger.new(log)
@logger_sanitizer.sanitize(self.class, original_attributes, @authorizer)
assert_match(/admin/, log.string, "Should log removed attributes: #{log.string}")
end
test "debug mass assignment removal with StrictSanitizer" do
original_attributes = { 'first_name' => 'allowed', 'admin' => 'denied' }
assert_raise ActiveModel::MassAssignmentSecurity::Error do
@strict_sanitizer.sanitize(self.class, original_attributes, @authorizer)
end
end
test "mass assignment insensitive attributes" do
original_attributes = {'id' => 1, 'first_name' => 'allowed'}
assert_nothing_raised do
@strict_sanitizer.sanitize(self.class, original_attributes, @authorizer)
end
end
end
View git blame Copy permalink