Clean up Devise parameter sanitizer

2026-04-28 03:00:29 -04:00 · 2013-04-13 23:21:46 -07:00
parent f75352a373 d20fdf87b6
commit 8a93c34080
20 changed files with 162 additions and 73 deletions
--- a/lib/devise.rb
+++ b/lib/devise.rb
@@ -6,12 +6,14 @@ require 'set'
 require 'securerandom'

 module Devise
-  autoload :Delegator,     'devise/delegator'
-  autoload :FailureApp,    'devise/failure_app'
-  autoload :OmniAuth,      'devise/omniauth'
-  autoload :ParamFilter,   'devise/param_filter'
-  autoload :TestHelpers,   'devise/test_helpers'
-  autoload :TimeInflector, 'devise/time_inflector'
+  autoload :Delegator,          'devise/delegator'
+  autoload :FailureApp,         'devise/failure_app'
+  autoload :OmniAuth,           'devise/omniauth'
+  autoload :ParamFilter,        'devise/param_filter'
+  autoload :BaseSanitizer,      'devise/parameter_sanitizer'
+  autoload :ParameterSanitizer, 'devise/parameter_sanitizer'
+  autoload :TestHelpers,        'devise/test_helpers'
+  autoload :TimeInflector,      'devise/time_inflector'

  module Controllers
    autoload :Helpers, 'devise/controllers/helpers'
--- a/lib/devise/controllers/helpers.rb
+++ b/lib/devise/controllers/helpers.rb
@@ -80,6 +80,17 @@ module Devise
        is_a?(DeviseController)
      end

+      # Setup a param sanitizer to filter parameters using strong_parameters. See
+      # lib/devise/controllers/parameter_sanitizer.rb for more info. Override this
+      # method in your application controller to use your own parameter sanitizer.
+      def devise_parameter_sanitizer
+        @devise_parameter_sanitizer ||= if defined?(ActionController::StrongParameters)
+          Devise::ParameterSanitizer.new(resource_class, resource_name, params)
+        else
+          Devise::BaseSanitizer.new(resource_class, resource_name, params)
+        end
+      end
+
      # Tell warden that params authentication is allowed for that specific page.
      def allow_params_authentication!
        request.env["devise.allow_params_authentication"] = true
--- a/lib/devise/parameter_sanitizer.rb
+++ b/lib/devise/parameter_sanitizer.rb
@@ -0,0 +1,59 @@
+module Devise
+  class BaseSanitizer
+    attr_reader :params, :resource_name, :resource_class
+
+    def initialize(resource_class, resource_name, params)
+      @resource_class = resource_class
+      @resource_name  = resource_name
+      @params         = params
+      @blocks         = Hash.new
+    end
+
+    def for(kind, &block)
+      if block_given?
+        @blocks[kind] = block
+      else
+        block = @blocks[kind]
+        block ? block.call(default_params) : fallback_for(kind)
+      end
+    end
+
+    private
+
+    def fallback_for(kind)
+      default_params
+    end
+
+    def default_params
+      params.fetch(resource_name, {})
+    end
+  end
+
+  class ParameterSanitizer < BaseSanitizer
+    private
+
+    def fallback_for(kind)
+      if respond_to?(kind, true)
+        send(kind)
+      else
+        raise NotImplementedError, "Devise Parameter Sanitizer doesn't know how to sanitize parameters for #{kind}"
+      end
+    end
+
+    def sign_in
+      default_params.permit(auth_keys)
+    end
+
+    def sign_up
+      default_params.permit(auth_keys + [:password, :password_confirmation])
+    end
+
+    def account_update
+      default_params.permit(auth_keys + [:password, :password_confirmation, :current_password])
+    end
+
+    def auth_keys
+      resource_class.authentication_keys
+    end
+  end
+end
--- a/lib/generators/active_record/devise_generator.rb
+++ b/lib/generators/active_record/devise_generator.rb
@@ -22,10 +22,7 @@ module ActiveRecord
      end

      def inject_devise_content
-        content = model_contents + <<CONTENT
-  # Setup accessible (or protected) attributes for your model
-  attr_accessible :email, :password, :password_confirmation, :remember_me
-CONTENT
+        content = model_contents

        class_path = if namespaced?
          class_name.to_s.split("::")