Module: Sequel::Plugins::BlacklistSecurity::ClassMethods
Defined in: lib/sequel/plugins/blacklist_security.rb
Instance Attribute Summary
- #restricted_columns ⇒ Object (readonly)
  Which columns are specifically restricted in a call to set/update/new/etc.
Instance Method Summary
- #set_restricted_columns(*cols) ⇒ Object
  Set the columns to restrict when using mass assignment (e.g. set).
Instance Attribute Details
#restricted_columns ⇒ Object (readonly)
Which columns are specifically restricted in a call to set/update/new/etc. (default: not set). Some columns are restricted regardless of this setting, such as the primary key column and columns in Model::RESTRICTED_SETTER_METHODS.
# File 'lib/sequel/plugins/blacklist_security.rb', line 20
def restricted_columns
  @restricted_columns
end
Instance Method Details
#set_restricted_columns(*cols) ⇒ Object
Set the columns to restrict when using mass assignment (e.g. set). Using this means that attempts to call setter methods for the columns listed here will cause an exception or be silently skipped (based on the strict_param_setting setting). If you have any virtual setter methods (methods that end in =) that you do not want used during mass assignment, they need to be listed here as well (without the =).
It's generally a bad idea to rely on a blacklist approach for security: it fails open, since any setter not listed here (including a virtual setter added later) remains reachable by mass assignment. A whitelist approach such as set_allowed_columns or the instance level set_only or set_fields methods is usually a better choice.
Artist.set_restricted_columns(:records_sold)
Artist.new.set(:name=>'Bob', :hometown=>'Sactown') # No Error
Artist.new.set(:name=>'Bob', :records_sold=>30000) # Error: raises Sequel::MassAssignmentRestriction when strict_param_setting is true, otherwise the key is silently skipped
# File 'lib/sequel/plugins/blacklist_security.rb', line 35
def set_restricted_columns(*cols)
  clear_setter_methods_cache
  @restricted_columns = cols
end
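The behaviour described above, as an added stand-alone example that is not Sequel's code and not this plugin's implementation: a deliberately small model of Sequel's mass-assignment rules, so the blacklist and whitelist policies can be compared offline without the gem or a database. The Artist columns come from the page's example; the admin= virtual setter, the MiniModel class and a positional strict flag on set (standing in for strict_param_setting) are assumptions made here.

```ruby
# Added illustration, not Sequel's code: a minimal stand-in for Sequel's
# mass-assignment rules, so the blacklist vs. allowlist difference runs offline.
# Assumed: the Artist columns from the page's example, an extra virtual setter
# admin= that no column backs, and a positional `strict` flag on set that
# plays the role of Sequel's strict_param_setting.

class MassAssignmentRestriction < StandardError; end   # same name Sequel raises

class MiniModel
  ALWAYS_RESTRICTED = [:id].freeze   # stands in for the primary key / RESTRICTED_SETTER_METHODS

  class << self
    attr_reader :restricted_columns, :allowed_columns

    # Blacklist (as in plugin :blacklist_security): refuse only the listed setters.
    def set_restricted_columns(*cols)
      @restricted_columns = cols
    end

    # Allowlist (as in set_allowed_columns): accept only the listed setters.
    def set_allowed_columns(*cols)
      @allowed_columns = cols
    end
  end

  attr_reader :values

  def initialize
    @values = {}
  end

  # Mass assignment: every key is routed through its setter after the policy check.
  # strict == true raises on a refused key; strict == false silently skips it.
  def set(hash, strict = true)
    hash.each do |col, val|
      col = col.to_sym
      if setter_allowed?(col)
        send(:"#{col}=", val)
      elsif strict
        raise MassAssignmentRestriction, "#{col} is a restricted column or has no setter"
      end
    end
    self
  end

  private

  def setter_allowed?(col)
    return false if ALWAYS_RESTRICTED.include?(col)
    return false unless respond_to?(:"#{col}=")
    allowed = self.class.allowed_columns
    return allowed.include?(col) if allowed      # allowlist: unlisted setters fail closed
    restricted = self.class.restricted_columns || []
    !restricted.include?(col)                    # blacklist: unlisted setters fail open
  end
end

class Artist < MiniModel
  %i[id name hometown records_sold].each do |c|
    define_method(:"#{c}=") { |v| @values[c] = v }
  end

  # Assumed virtual setter: ends in "=", backed by no column, so mass assignment
  # can reach it unless the policy excludes it.
  attr_reader :admin
  def admin=(flag)
    @admin = flag
  end
end

class BlacklistArtist < Artist
  set_restricted_columns(:records_sold)   # exactly the page's example; admin= is not listed
end

class AllowlistArtist < Artist
  set_allowed_columns(:name, :hometown)
end

def raises_restriction?
  yield
  false
rescue MassAssignmentRestriction
  true
end

# Blacklist: the listed column and the primary key are refused, but a hash from an
# untrusted client that names the unlisted admin= setter flips the flag.
def blacklist_demo
  ok = BlacklistArtist.new.set(name: 'Bob', hometown: 'Sactown')
  {
    values: ok.values,
    records_sold_blocked: raises_restriction? { BlacklistArtist.new.set(name: 'Bob', records_sold: 30_000) },
    id_blocked: raises_restriction? { BlacklistArtist.new.set(id: 7) },
    admin_escalated: BlacklistArtist.new.set(name: 'Mallory', admin: true).admin == true
  }
end

# Allowlist: admin= was never listed, so it is refused (strict) or dropped (non-strict).
def allowlist_demo
  lenient = AllowlistArtist.new.set({ name: 'Bob', admin: true }, false)
  {
    admin_blocked: raises_restriction? { AllowlistArtist.new.set(name: 'Mallory', admin: true) },
    nonstrict_admin: lenient.admin,
    nonstrict_values: lenient.values
  }
end

puts blacklist_demo.inspect, allowlist_demo.inspect if $PROGRAM_NAME == __FILE__
```

In real Sequel the two policies correspond to Artist.plugin :blacklist_security with set_restricted_columns versus Artist.plugin :whitelist_security with set_allowed_columns, or the instance-level set_fields(hash, [:name, :hometown]) / set_only calls; the point of the model is the asymmetry, not the exact API: forgetting to blacklist one setter is a privilege escalation, forgetting to whitelist one is a missing field.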