2010-12-15 22:34:19 +00:00
|
|
|
module Shoulda # :nodoc:
|
|
|
|
module Matchers
|
2011-05-06 11:51:12 +00:00
|
|
|
module ActiveModel # :nodoc:
|
2010-12-15 22:34:19 +00:00
|
|
|
|
|
|
|
# Ensures that the attribute can be set on mass update.
|
|
|
|
#
|
|
|
|
# it { should_not allow_mass_assignment_of(:password) }
|
|
|
|
# it { should allow_mass_assignment_of(:first_name) }
|
|
|
|
#
|
|
|
|
def allow_mass_assignment_of(value)
|
|
|
|
AllowMassAssignmentOfMatcher.new(value)
|
|
|
|
end
|
|
|
|
|
|
|
|
class AllowMassAssignmentOfMatcher # :nodoc:
|
|
|
|
|
|
|
|
def initialize(attribute)
|
|
|
|
@attribute = attribute.to_s
|
|
|
|
end
|
|
|
|
|
|
|
|
def matches?(subject)
|
|
|
|
@subject = subject
|
|
|
|
if attr_mass_assignable?
|
|
|
|
if whitelisting?
|
|
|
|
@negative_failure_message = "#{@attribute} was made accessible"
|
|
|
|
else
|
|
|
|
if protected_attributes.empty?
|
|
|
|
@negative_failure_message = "no attributes were protected"
|
|
|
|
else
|
|
|
|
@negative_failure_message = "#{class_name} is protecting " <<
|
|
|
|
"#{protected_attributes.to_a.to_sentence}, " <<
|
|
|
|
"but not #{@attribute}."
|
|
|
|
end
|
|
|
|
end
|
|
|
|
true
|
|
|
|
else
|
|
|
|
if whitelisting?
|
|
|
|
@failure_message =
|
|
|
|
"Expected #{@attribute} to be accessible"
|
|
|
|
else
|
|
|
|
@failure_message =
|
|
|
|
"Did not expect #{@attribute} to be protected"
|
|
|
|
end
|
|
|
|
false
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
attr_reader :failure_message, :negative_failure_message
|
|
|
|
|
|
|
|
def description
|
|
|
|
"allow mass assignment of #{@attribute}"
|
|
|
|
end
|
|
|
|
|
|
|
|
private
|
|
|
|
|
|
|
|
def protected_attributes
|
|
|
|
@protected_attributes ||= (@subject.class.protected_attributes || [])
|
|
|
|
end
|
|
|
|
|
|
|
|
def accessible_attributes
|
|
|
|
@accessible_attributes ||= (@subject.class.accessible_attributes || [])
|
|
|
|
end
|
|
|
|
|
|
|
|
def whitelisting?
|
2011-06-03 10:30:14 +00:00
|
|
|
authorizer.kind_of?(::ActiveModel::MassAssignmentSecurity::WhiteList)
|
2010-12-15 22:34:19 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def attr_mass_assignable?
|
2011-06-03 10:30:14 +00:00
|
|
|
!authorizer.deny?(@attribute)
|
|
|
|
end
|
|
|
|
|
|
|
|
def authorizer
|
|
|
|
@subject.class.active_authorizer
|
2010-12-15 22:34:19 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def class_name
|
|
|
|
@subject.class.name
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|