12 changes: 12 additions & 0 deletions lib/protector/adapters/active_record/association.rb
Expand Up @@ -29,8 +29,20 @@ def scope_with_protector(*args)
# Forwards protection subject to the new instance
def build_record_with_protector(*args)
return build_record_without_protector(*args) unless protector_subject?

protector_permit_strong_params(args)
build_record_without_protector(*args).restrict!(protector_subject)
end

private

def protector_meta(subject=protector_subject)
klass.protector_meta.evaluate(subject)
end

def protector_permit_strong_params(args)
Protector::ActiveRecord::Adapters::StrongParameters.sanitize! args, true, protector_meta
end
end
end
end
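Review bot: The call `protector_permit_strong_params(args)` in build_record_with_protector only takes effect because `sanitize!` reassigns `args[0]` on the same array that is splatted into `build_record_without_protector` on the following line, and nothing in the hunk documents that. A later change that passes a copy or a single argument would leave the parameters unfiltered by Protector at this step. I would add a comment above the call, e.g. `# sanitize! replaces args[0] in place; the same array must be splatted below`. The helper's body is identical to the one in relation.rb, so moving it to a shared module would keep the two from drifting. The enclosing module starts outside the hunk.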
4 changes: 1 addition & 3 deletions lib/protector/adapters/active_record/relation.rb
Expand Up @@ -231,9 +231,7 @@ def protector_expand_inclusion(inclusion, results=[], base=[], klass=@klass)

def protector_permit_strong_params(args)
# strong_parameters integration
if Protector.config.strong_parameters? && args.first.respond_to?(:permit)
Protector::ActiveRecord::Adapters::StrongParameters.sanitize! args, true, protector_meta
end
Protector::ActiveRecord::Adapters::StrongParameters.sanitize! args, true, protector_meta
end


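Review bot: The comment `# strong_parameters integration` now sits above an unconditional call, so the method no longer shows when it does nothing. Since the config and `respond_to?(:permit)` checks moved into `sanitize!`, I would reword it to `# no-op unless strong_parameters is enabled and args.first responds to :permit (checked inside sanitize!)`. With the body reduced to one delegating line, that comment is the only place a reader of relation.rb learns the call is conditional.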
5 changes: 2 additions & 3 deletions lib/protector/adapters/active_record/strong_parameters.rb
Expand Up @@ -3,6 +3,7 @@ module ActiveRecord
module Adapters
module StrongParameters
def self.sanitize!(args, is_new, meta)
return unless Protector.config.strong_parameters? && args.first.respond_to?(:permit)
return if args[0].permitted?
if is_new
args[0] = args[0].permit(*meta.access[:create].keys) if meta.access.include? :create
Expand All @@ -16,9 +17,7 @@ def sanitize_for_mass_assignment(*args)
# We check only for updation here since the creation will be handled by relation
# (see Protector::Adapters::ActiveRecord::Relation#new_with_protector and
# Protector::Adapters::ActiveRecord::Relation#create_with_protector)
if Protector.config.strong_parameters? && args.first.respond_to?(:permit) \
&& !new_record? && protector_subject?

if !new_record? && protector_subject?
StrongParameters.sanitize! args, false, protector_meta
end

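Review bot: `sanitize!` now has three silent early exits (feature disabled, first argument without `permit`, parameters already `permitted?`) and no comment stating them, although after this commit it is the single gate for the relation, association and update paths. The third exit matters most to anyone reviewing calling code: parameters a caller has already permitted are returned untouched, so the subject's `meta.access` keys are not applied to them at this step. I would add a short doc comment above `def self.sanitize!` listing these conditions and noting that `args[0]` is replaced in place. The guard also mixes `args.first` and `args[0]`; one spelling would read better. The method body continues past the end of the first hunk.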