Module: Recliner::AttributeMethods::Protected::ClassMethods

Defined in:

lib/recliner/attribute_methods/protected.rb

Instance Method Summary

• #accessible_attributes ⇒ Object

  Returns an array of all the attributes that have been made accessible to mass-assignment.

• #attr_accessible(*attrs) ⇒ Object

  Specifies a white list of model attributes that can be set via mass-assignment, such as new(attributes), update_attributes(attributes), or attributes=(attributes).

• #attr_protected(*attrs) ⇒ Object

  Attributes named in this macro are protected from mass-assignment, such as new(attributes), update_attributes(attributes), or attributes=(attributes).

• #property(name, *args, &block) ⇒ Object

  :nodoc:.

• #protected_attributes ⇒ Object

  Returns an array of all the attributes that have been protected from mass-assignment.

Instance Method Details

#accessible_attributes ⇒ Object

Returns an array of all the attributes that have been made accessible to mass-assignment.

# File 'lib/recliner/attribute_methods/protected.rb', line 108

def accessible_attributes
  read_inheritable_attribute(:attr_accessible) || []
end

#attr_accessible(*attrs) ⇒ Object

Specifies a white list of model attributes that can be set via mass-assignment, such as new(attributes), update_attributes(attributes), or attributes=(attributes)

This is the opposite of the attr_protected macro: Mass-assignment will only set attributes in this list, to assign to the rest of attributes you can use direct writer methods. This is meant to protect sensitive attributes from being overwritten by malicious users tampering with URLs or forms. If you’d rather start from an all-open default and restrict attributes as needed, have a look at attr_protected.

class Customer < Recliner::Document
  attr_accessible :name, :nickname
end

customer = Customer.new(:name => "David", :nickname => "Dave", :credit_rating => "Excellent")
customer.credit_rating # => nil
customer.attributes = { :name => "Jolly fellow", :credit_rating => "Superb" }
customer.credit_rating # => nil

customer.credit_rating = "Average"
customer.credit_rating # => "Average"

If the access logic of your application is richer you can use Hash#except or Hash#slice to sanitize the hash of parameters before they are passed to Recliner.

For example, it could be the case that the list of accessible attributes for a given model depends on the role of the user:

# Assumes plan_id is accessible because it depends on the role.
params[:account] = params[:account].except(:plan_id) unless admin?
@account.update_attributes(params[:account])

Note that attr_accessible is still applied to the received hash. Thus, with this technique you can at most narrow the list of accessible attributes for a particular mass-assignment call.

# File 'lib/recliner/attribute_methods/protected.rb', line 98

def attr_accessible(*attrs)
  write_inheritable_attribute(:attr_accessible, attrs.map { |a| a.to_s } + accessible_attributes)
end

#attr_protected(*attrs) ⇒ Object

Attributes named in this macro are protected from mass-assignment, such as new(attributes), update_attributes(attributes), or attributes=(attributes).

Mass-assignment to these attributes will simply be ignored, to assign to them you can use direct writer methods. This is meant to protect sensitive attributes from being overwritten by malicious users tampering with URLs or forms.

class Customer < Recliner::Document
  attr_protected :credit_rating
end

customer = Customer.new("name" => David, "credit_rating" => "Excellent")
customer.credit_rating # => nil
customer.attributes = { "description" => "Jolly fellow", "credit_rating" => "Superb" }
customer.credit_rating # => nil

customer.credit_rating = "Average"
customer.credit_rating # => "Average"

To start from an all-closed default and enable attributes as needed, have a look at attr_accessible.

If the access logic of your application is richer you can use Hash#except or Hash#slice to sanitize the hash of parameters before they are passed to Recliner.

For example, it could be the case that the list of protected attributes for a given model depends on the role of the user:

# Assumes plan_id is not protected because it depends on the role.
params[:account] = params[:account].except(:plan_id) unless admin?
@account.update_attributes(params[:account])

Note that attr_protected is still applied to the received hash. Thus, with this technique you can at most extend the list of protected attributes for a particular mass-assignment call.

# File 'lib/recliner/attribute_methods/protected.rb', line 55

def attr_protected(*attrs)
  write_inheritable_attribute(:attr_protected, attrs.map { |a| a.to_s } + protected_attributes)
end

#property(name, *args, &block) ⇒ Object

:nodoc:

# File 'lib/recliner/attribute_methods/protected.rb', line 7

def property(name, *args, &block)#:nodoc:
  options = args.extract_options!
  
  super(name, *args << options, &block)
  
  attr_protected(name) if options[:protected]
  attr_accessible(name) if options[:accessible]
end

#protected_attributes ⇒ Object

Returns an array of all the attributes that have been protected from mass-assignment.

# File 'lib/recliner/attribute_methods/protected.rb', line 103

def protected_attributes
  read_inheritable_attribute(:attr_protected) || []
end