Add filtering of encrypted attributes in #inspect

Previously, encrypted attributes could be added to an application's
filter_parameters which would filter the attribute values from logs.

This commit makes the add_to_filter_parameters additionally add
encrypted attributes to records' filter_attributes, which allows them
to be filtered when models are inspected (such as in the console).

Author: skipkayhil

activerecord/CHANGELOG.md

@@ -1,3 +1,13 @@
+*   Add automatic filtering of encrypted attributes on inspect
+
+    This feature is enabled by default but can be disabled with
+
+    ```ruby
+    config.active_record.encryption.add_to_filter_parameters = false
+    ```
+
+    *Hartley McGuire*
+
 *   Clear locking column on #dup
 
     This change fixes not to duplicate locking_column like id and timestamps.

activerecord/lib/active_record/encryption/configurable.rb

@@ -51,7 +51,10 @@ def encrypted_attribute_was_declared(klass, name) # :nodoc:
         def install_auto_filtered_parameters_hook(application) # :nodoc:
           ActiveRecord::Encryption.on_encrypted_attribute_declared do |klass, encrypted_attribute_name|
             filter_parameter = [("#{klass.model_name.element}" if klass.name), encrypted_attribute_name.to_s].compact.join(".")
-            application.config.filter_parameters << filter_parameter unless excluded_from_filter_parameters?(filter_parameter)
+            unless excluded_from_filter_parameters?(filter_parameter)
+              application.config.filter_parameters << filter_parameter
+              klass.filter_attributes += [encrypted_attribute_name]
+            end
           end
         end
 

activerecord/lib/active_record/railtie.rb

@@ -377,10 +377,8 @@ class Railtie < Rails::Railtie # :nodoc:
       end
 
       # Filtered params
-      ActiveSupport.on_load(:action_controller, run_once: true) do
-        if ActiveRecord::Encryption.config.add_to_filter_parameters
-          ActiveRecord::Encryption.install_auto_filtered_parameters_hook(app)
-        end
+      if ActiveRecord::Encryption.config.add_to_filter_parameters
+        ActiveRecord::Encryption.install_auto_filtered_parameters_hook(app)
       end
     end
 

railties/test/application/configuration_test.rb

@@ -3399,6 +3399,44 @@ class MyLogger < ::Logger
       assert_equal [ :password, :credit_card_number ], ActiveRecord::Base.filter_attributes
     end
 
+    test "encrypted attributes are added to record's filter_attributes by default" do
+      app_file "app/models/post.rb", <<-RUBY
+        class Post < ActiveRecord::Base
+          encrypts :content
+        end
+      RUBY
+
+      add_to_config <<-RUBY
+        config.enable_reloading = false
+        config.eager_load = true
+      RUBY
+
+      app "production"
+
+      assert_includes Post.filter_attributes, :content
+      assert_not_includes ActiveRecord::Base.filter_attributes, :content
+    end
+
+    test "encrypted attributes are not added to record filter_attributes if disabled" do
+      app_file "app/models/post.rb", <<-RUBY
+        class Post < ActiveRecord::Base
+          encrypts :content
+        end
+      RUBY
+
+      add_to_config <<-RUBY
+        config.enable_reloading = false
+        config.eager_load = true
+
+        config.active_record.encryption.add_to_filter_parameters = false
+      RUBY
+
+      app "production"
+
+      assert_not_includes Post.filter_attributes, :content
+      assert_not_includes ActiveRecord::Base.filter_attributes, :content
+    end
+
     test "ActiveStorage.routes_prefix can be configured via config.active_storage.routes_prefix" do
       app_file "config/environments/development.rb", <<-RUBY
         Rails.application.configure do