Puts ActiveRecord::SessionStore attributes in white list, fixes #483

2 files changed, 8 insertions, 0 deletions

diff --git a/activerecord/lib/active_record/session_store.rb b/activerecord/lib/active_record/session_store.rb
index 7e77aefb21..98e21db908 100644
--- a/activerecord/lib/active_record/session_store.rb
+++ b/activerecord/lib/active_record/session_store.rb
@@ -83,6 +83,8 @@ module ActiveRecord
       cattr_accessor :data_column_name
       self.data_column_name = 'data'
 
+      attr_accessible :session_id, :data, :marshaled_data
+
       before_save :marshal_data!
       before_save :raise_on_session_data_overflow!
 
diff --git a/activerecord/test/cases/session_store/session_test.rb b/activerecord/test/cases/session_store/session_test.rb
index cee5ddd003..669c0b7b4d 100644
--- a/activerecord/test/cases/session_store/session_test.rb
+++ b/activerecord/test/cases/session_store/session_test.rb
@@ -21,6 +21,12 @@ module ActiveRecord
         assert_equal 'sessions', Session.table_name
       end
 
+      def test_accessible_attributes
+        assert Session.accessible_attributes.include?(:session_id)
+        assert Session.accessible_attributes.include?(:data)
+        assert Session.accessible_attributes.include?(:marshaled_data)
+      end
+
       def test_create_table!
         assert !Session.table_exists?
         Session.create_table!