#1084 ActiveRecord attributes should respect access control - Ruby on Rails

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

This project is archived and is in readonly mode.

#1084 ✓committed

ActiveRecord attributes should respect access control

Reported by Adam Milligan | September 21st, 2008 @ 09:27 AM

From a discussion on this thread: http://groups.google.com/group/r...

This patch makes possible setting ActiveRecord attributes as private. #respond_to? will now return false for an attribute method defined as private in the class definition. Also, attempting to directly call the attribute method will result in a NoMethodError. Calling the method via #send circumvents the access control, as expected.

Tests included.

private_attributes.diff 5.6 KB

Comments and changes to this ticket

Michael Koziarski September 21st, 2008 @ 05:56 PM
- Assigned user set to “Michael Koziarski”
- Milestone cleared.
Michael Koziarski September 24th, 2008 @ 06:04 PM
- Assigned user changed from “Michael Koziarski” to “Pratik”
OK, I think this looks ok but I'd appreciate someone else's eyes over it too.

Pratik, does this look ok to you?
Repository September 24th, 2008 @ 06:41 PM
- State changed from “new” to “committed”
(from [4d9a7ab5f5c28820e0b076f9ca44bdd20e19e6ea]) Changed ActiveRecord attributes to respect access control.

Signed-off-by: Michael Koziarski michael@koziarski.com [#1084 state:committed] http://github.com/rails/rails/co...
You flagged this item as spam.
Adam Milligan September 26th, 2008 @ 06:39 AM
This patch is actually the second of two patches based on the same rails-core group thread. I submitted the first at http://rails.lighthouseapp.com/p... .

I just mention this because the first patch hasn't received any attention, while his has been committed. I thought perhaps its existence got lost in the long discussion thread.