aboutsummaryrefslogblamecommitdiffstats
path: root/activerecord/test/cases/forbidden_attributes_protection_test.rb
blob: 91921469b8be3d163fc1ded4116955435b2453d4 (plain) (tree) 
0168c7a394


1e5c274f59

89b5b31cc4

1e5c274f59




0168c7a394

85f7d955f3

0168c7a394



85f7d955f3


0168c7a394

85f7d955f3

0168c7a394








85f7d955f3












0168c7a394










1fa4f9243d

0168c7a394







8cfe95d719

0168c7a394

8cfe95d719


0168c7a394


89b5b31cc4














0168c7a394

8cfe95d719

0168c7a394

8cfe95d719


0168c7a394

43d600ee20





306dc1a499









85f7d955f3







306dc1a499















85f7d955f3







306dc1a499






85f7d955f3


































0168c7a394

1
2

3

4

5
6
7
8

9

10

11
12
13

14
15

16

17

18
19
20
21
22
23
24
25

26
27
28
29
30
31
32
33
34
35
36
37

38
39
40
41
42
43
44
45
46
47

48

49
50
51
52
53
54
55

56

57

58
59

60
61

62
63
64
65
66
67
68
69
70
71
72
73
74
75

76

77

78

79
80

81

82
83
84
85
86

87
88
89
90
91
92
93
94
95

96
97
98
99
100
101
102

103
104
105
106
107
108
109
110
111
112
113
114
115
116
117

118
119
120
121
122
123
124

125
126
127
128
129
130

131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164

165


                                                         
 
                        



                          
 
                     


                              

                                                             
                            
                                                    







                      











                    









                                                                   
                                                           






                                                                   
                               
 

                                            

     













                                                                         
                                                                
                                                          
 

                                            
     




                                                                








                                                                   






                                                              














                                                                        






                                                              





                                                                  

































                                                                                                                              
   
require 'cases/helper'
require 'active_support/core_ext/hash/indifferent_access'

require 'models/company'
require 'models/person'
require 'models/ship'
require 'models/ship_part'
require 'models/treasure'

class ProtectedParams
  attr_accessor :permitted
  alias :permitted? :permitted

  delegate :keys, :key?, :has_key?, :empty?, to: :@parameters

  def initialize(attributes)
    @parameters = attributes.with_indifferent_access
    @permitted = false
  end

  def permit!
    @permitted = true
    self
  end

  def [](key)
    @parameters[key]
  end

  def to_h
    @parameters
  end

  def stringify_keys
    dup
  end

  def dup
    super.tap do |duplicate|
      duplicate.instance_variable_set :@permitted, @permitted
    end
  end
end

class ForbiddenAttributesProtectionTest < ActiveRecord::TestCase
  def test_forbidden_attributes_cannot_be_used_for_mass_assignment
    params = ProtectedParams.new(first_name: 'Guille', gender: 'm')
    assert_raises(ActiveModel::ForbiddenAttributesError) do
      Person.new(params)
    end
  end

  def test_permitted_attributes_can_be_used_for_mass_assignment
    params = ProtectedParams.new(first_name: 'Guille', gender: 'm')
    params.permit!
    person = Person.new(params)

    assert_equal 'Guille', person.first_name
    assert_equal 'm', person.gender
  end

  def test_forbidden_attributes_cannot_be_used_for_sti_inheritance_column
    params = ProtectedParams.new(type: 'Client')
    assert_raises(ActiveModel::ForbiddenAttributesError) do
      Company.new(params)
    end
  end

  def test_permitted_attributes_can_be_used_for_sti_inheritance_column
    params = ProtectedParams.new(type: 'Client')
    params.permit!
    person = Company.new(params)
    assert_equal person.class, Client
  end

  def test_regular_hash_should_still_be_used_for_mass_assignment
    person = Person.new(first_name: 'Guille', gender: 'm')

    assert_equal 'Guille', person.first_name
    assert_equal 'm', person.gender
  end

  def test_blank_attributes_should_not_raise
    person = Person.new
    assert_nil person.assign_attributes(ProtectedParams.new({}))
  end

  def test_create_with_checks_permitted
    params = ProtectedParams.new(first_name: 'Guille', gender: 'm')

    assert_raises(ActiveModel::ForbiddenAttributesError) do
      Person.create_with(params).create!
    end
  end

  def test_create_with_works_with_permitted_params
    params = ProtectedParams.new(first_name: 'Guille').permit!

    person = Person.create_with(params).create!
    assert_equal 'Guille', person.first_name
  end

  def test_create_with_works_with_params_values
    params = ProtectedParams.new(first_name: 'Guille')

    person = Person.create_with(first_name: params[:first_name]).create!
    assert_equal 'Guille', person.first_name
  end

  def test_where_checks_permitted
    params = ProtectedParams.new(first_name: 'Guille', gender: 'm')

    assert_raises(ActiveModel::ForbiddenAttributesError) do
      Person.where(params).create!
    end
  end

  def test_where_works_with_permitted_params
    params = ProtectedParams.new(first_name: 'Guille').permit!

    person = Person.where(params).create!
    assert_equal 'Guille', person.first_name
  end

  def test_where_works_with_params_values
    params = ProtectedParams.new(first_name: 'Guille')

    person = Person.where(first_name: params[:first_name]).create!
    assert_equal 'Guille', person.first_name
  end

  def test_where_not_checks_permitted
    params = ProtectedParams.new(first_name: 'Guille', gender: 'm')

    assert_raises(ActiveModel::ForbiddenAttributesError) do
      Person.where().not(params)
    end
  end

  def test_where_not_works_with_permitted_params
    params = ProtectedParams.new(first_name: 'Guille').permit!
    Person.create!(params)
    assert_empty Person.where.not(params).select {|p| p.first_name == 'Guille' }
  end

  def test_strong_params_style_objects_work_with_singular_associations
    params = ProtectedParams.new( name: "Stern", ship_attributes: ProtectedParams.new(name: "The Black Rock").permit!).permit!
    part = ShipPart.new(params)

    assert_equal "Stern", part.name
    assert_equal "The Black Rock", part.ship.name
  end

  def test_strong_params_style_objects_work_with_collection_associations
    params = ProtectedParams.new(
      trinkets_attributes: ProtectedParams.new(
        "0" => ProtectedParams.new(name: "Necklace").permit!,
        "1" => ProtectedParams.new(name: "Spoon").permit! ) ).permit!
    part = ShipPart.new(params)

    assert_equal "Necklace", part.trinkets[0].name
    assert_equal "Spoon", part.trinkets[1].name
  end

end
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-01 14:18:59 +0000