Merge pull request #1839 from wildchild/3-1-stable

Allow to specify roles for mass-assignment as array
2026-04-26 03:00:59 -04:00 · 2011-06-23 18:34:06 -07:00
parent 03580e0fa3 79956db91c
commit c8ff12ca97
3 changed files with 34 additions and 5 deletions
--- a/activemodel/lib/active_model/mass_assignment_security.rb
+++ b/activemodel/lib/active_model/mass_assignment_security.rb
@@ -1,4 +1,5 @@
 require 'active_support/core_ext/class/attribute.rb'
+require 'active_support/core_ext/array/wrap'
 require 'active_model/mass_assignment_security/permission_set'

 module ActiveModel
@@ -95,8 +96,11 @@ module ActiveModel
        options = args.extract_options!
        role = options[:as] || :default

-        self._protected_attributes        = protected_attributes_configs.dup
-        self._protected_attributes[role] = self.protected_attributes(role) + args
+        self._protected_attributes = protected_attributes_configs.dup
+
+        Array.wrap(role).each do |name|
+          self._protected_attributes[name] = self.protected_attributes(name) + args
+        end

        self._active_authorizer = self._protected_attributes
      end
@@ -154,8 +158,11 @@ module ActiveModel
        options = args.extract_options!
        role = options[:as] || :default

-        self._accessible_attributes        = accessible_attributes_configs.dup
-        self._accessible_attributes[role] = self.accessible_attributes(role) + args
+        self._accessible_attributes = accessible_attributes_configs.dup
+
+        Array.wrap(role).each do |name|
+          self._accessible_attributes[name] = self.accessible_attributes(name) + args
+        end

        self._active_authorizer = self._accessible_attributes
      end
--- a/activemodel/test/cases/mass_assignment_security_test.rb
+++ b/activemodel/test/cases/mass_assignment_security_test.rb
@@ -34,6 +34,20 @@ class MassAssignmentSecurityTest < ActiveModel::TestCase
    assert_equal expected, sanitized
  end

+  def test_attributes_accessible_with_roles_given_as_array
+    user = Account.new
+    expected = { "name" => "John Smith", "email" => "john@smith.com" }
+    sanitized = user.sanitize_for_mass_assignment(expected.merge("admin" => true))
+    assert_equal expected, sanitized
+  end
+
+  def test_attributes_accessible_with_admin_role_when_roles_given_as_array
+    user = Account.new
+    expected = { "name" => "John Smith", "email" => "john@smith.com", "admin" => true }
+    sanitized = user.sanitize_for_mass_assignment(expected.merge("super_powers" => true), :admin)
+    assert_equal expected, sanitized
+  end
+
  def test_attributes_protected_by_default
    firm = Firm.new
    expected = { }
--- a/activemodel/test/models/mass_assignment_specific.rb
+++ b/activemodel/test/models/mass_assignment_specific.rb
@@ -20,6 +20,14 @@ class Person
  public :sanitize_for_mass_assignment
 end

+class Account
+  include ActiveModel::MassAssignmentSecurity
+  attr_accessible :name, :email, :as => [:default, :admin]
+  attr_accessible :admin, :as => :admin
+
+  public :sanitize_for_mass_assignment
+end
+
 class Firm
  include ActiveModel::MassAssignmentSecurity

@@ -65,4 +73,4 @@ end
 class TightDescendant < TightPerson
  attr_accessible :phone_number
  attr_accessible :super_powers, :as => :admin
-end
+end