TEST_CODEOWNERS/rails
3
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Whitelist all attribute assignment by default.

Browse Source 
Change the default for newly generated applications to whitelist all attribute assignment.  Also update the generated model classes so users are reminded of the importance of attr_accessible.
This commit is contained in:
Michael Koziarski 2012-03-05 11:12:01 +13:00
parent c8f6025fd3
commit 641a4f6240
4 changed files with 20 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
activerecord/lib/rails/generators/active_record/model/model_generator.rb
View File

@ -30,6 +30,10 @@ def attributes_with_index
attributes.select { |a| a.has_index? || (a.reference? && options[:indexes]) }
end
def accessible_attributes
attributes.reject(&:reference?)
end
hook_for :test_framework
protected

5
activerecord/lib/rails/generators/active_record/model/templates/model.rb
View File

@ -3,5 +3,10 @@ class <%= class_name %> < <%= parent_class_name.classify %>
<% attributes.select {|attr| attr.reference? }.each do |attribute| -%>
belongs_to :<%= attribute.name %>
<% end -%>
<% if !accessible_attributes.empty? -%>
attr_accessible <%= accessible_attributes.map {|a| ":#{a.name}" }.sort.join(', ') %>
<% else -%>
# attr_accessible :title, :body
<% end -%>
end
<% end -%>

2
railties/lib/rails/generators/rails/app/templates/config/application.rb
View File

@ -54,7 +54,7 @@ class Application < Rails::Application
# This will create an empty whitelist of attributes available for mass-assignment for all models
# in your app. As such, your models will need to explicitly whitelist or blacklist accessible
# parameters by using an attr_accessible or attr_protected declaration.
# config.active_record.whitelist_attributes = true
config.active_record.whitelist_attributes = true
# Specifies wether or not has_many or has_one association option :dependent => :restrict raises
# an exception. If set to true, then an ActiveRecord::DeleteRestrictionError exception would be

10
railties/test/generators/model_generator_test.rb
View File

@ -317,4 +317,14 @@ def test_index_is_skipped_for_references_association
end
end
end
def test_attr_accessible_added_with_non_reference_attributes
run_generator
assert_file 'app/models/account.rb', /attr_accessible :age, :name/
end
def test_attr_accessible_added_with_comments_when_no_attributes_present
run_generator ["Account"]
assert_file 'app/models/account.rb', /# attr_accessible :title, :body/
end
end