Module: Recliner::AttributeMethods::Protected::ClassMethods
- Defined in:
- lib/recliner/attribute_methods/protected.rb
Instance Method Summary collapse
-
#accessible_attributes ⇒ Object
Returns an array of all the attributes that have been made accessible to mass-assignment.
-
#attr_accessible(*attrs) ⇒ Object
Specifies a white list of model attributes that can be set via mass-assignment, such as
new(attributes)
,update_attributes(attributes)
, orattributes=(attributes)
. -
#attr_protected(*attrs) ⇒ Object
Attributes named in this macro are protected from mass-assignment, such as
new(attributes)
,update_attributes(attributes)
, orattributes=(attributes)
. -
#property(name, *args, &block) ⇒ Object
:nodoc:.
-
#protected_attributes ⇒ Object
Returns an array of all the attributes that have been protected from mass-assignment.
Instance Method Details
#accessible_attributes ⇒ Object
Returns an array of all the attributes that have been made accessible to mass-assignment.
108 109 110 |
# File 'lib/recliner/attribute_methods/protected.rb', line 108 def accessible_attributes read_inheritable_attribute(:attr_accessible) || [] end |
#attr_accessible(*attrs) ⇒ Object
Specifies a white list of model attributes that can be set via mass-assignment, such as new(attributes)
, update_attributes(attributes)
, or attributes=(attributes)
This is the opposite of the attr_protected
macro: Mass-assignment will only set attributes in this list, to assign to the rest of attributes you can use direct writer methods. This is meant to protect sensitive attributes from being overwritten by malicious users tampering with URLs or forms. If you’d rather start from an all-open default and restrict attributes as needed, have a look at attr_protected
.
class Customer < Recliner::Document
attr_accessible :name, :nickname
end
customer = Customer.new(:name => "David", :nickname => "Dave", :credit_rating => "Excellent")
customer. # => nil
customer.attributes = { :name => "Jolly fellow", :credit_rating => "Superb" }
customer. # => nil
customer. = "Average"
customer. # => "Average"
If the access logic of your application is richer you can use Hash#except
or Hash#slice
to sanitize the hash of parameters before they are passed to Recliner.
For example, it could be the case that the list of accessible attributes for a given model depends on the role of the user:
# Assumes plan_id is accessible because it depends on the role.
params[:account] = params[:account].except(:plan_id) unless admin?
@account.update_attributes(params[:account])
Note that attr_accessible
is still applied to the received hash. Thus, with this technique you can at most narrow the list of accessible attributes for a particular mass-assignment call.
98 99 100 |
# File 'lib/recliner/attribute_methods/protected.rb', line 98 def attr_accessible(*attrs) write_inheritable_attribute(:attr_accessible, attrs.map { |a| a.to_s } + accessible_attributes) end |
#attr_protected(*attrs) ⇒ Object
Attributes named in this macro are protected from mass-assignment, such as new(attributes)
, update_attributes(attributes)
, or attributes=(attributes)
.
Mass-assignment to these attributes will simply be ignored, to assign to them you can use direct writer methods. This is meant to protect sensitive attributes from being overwritten by malicious users tampering with URLs or forms.
class Customer < Recliner::Document
attr_protected :credit_rating
end
customer = Customer.new("name" => David, "credit_rating" => "Excellent")
customer. # => nil
customer.attributes = { "description" => "Jolly fellow", "credit_rating" => "Superb" }
customer. # => nil
customer. = "Average"
customer. # => "Average"
To start from an all-closed default and enable attributes as needed, have a look at attr_accessible
.
If the access logic of your application is richer you can use Hash#except
or Hash#slice
to sanitize the hash of parameters before they are passed to Recliner.
For example, it could be the case that the list of protected attributes for a given model depends on the role of the user:
# Assumes plan_id is not protected because it depends on the role.
params[:account] = params[:account].except(:plan_id) unless admin?
@account.update_attributes(params[:account])
Note that attr_protected
is still applied to the received hash. Thus, with this technique you can at most extend the list of protected attributes for a particular mass-assignment call.
55 56 57 |
# File 'lib/recliner/attribute_methods/protected.rb', line 55 def attr_protected(*attrs) write_inheritable_attribute(:attr_protected, attrs.map { |a| a.to_s } + protected_attributes) end |
#property(name, *args, &block) ⇒ Object
:nodoc:
7 8 9 10 11 12 13 14 |
# File 'lib/recliner/attribute_methods/protected.rb', line 7 def property(name, *args, &block)#:nodoc: = args. super(name, *args << , &block) attr_protected(name) if [:protected] attr_accessible(name) if [:accessible] end |
#protected_attributes ⇒ Object
Returns an array of all the attributes that have been protected from mass-assignment.
103 104 105 |
# File 'lib/recliner/attribute_methods/protected.rb', line 103 def protected_attributes read_inheritable_attribute(:attr_protected) || [] end |