diff options
| author | Yves Senn <yves.senn@gmail.com> | 2015-07-07 09:11:41 +0200 |
|---|---|---|
| committer | Yves Senn <yves.senn@gmail.com> | 2015-07-07 09:11:41 +0200 |
| commit | c66335d5bb6e5b3d2f6dc42a192e803c7ded5f1c (patch) | |
| tree | 29965d3e781348f2bd1b6eb28e99fcb6bbff052a | |
| parent | e598967548114da4f8d85070584460108a7305ff (diff) | |
| parent | fccb076bd823df840f681de1e516f4543fc9c0df (diff) | |
| download | rails-c66335d5bb6e5b3d2f6dc42a192e803c7ded5f1c.tar.gz rails-c66335d5bb6e5b3d2f6dc42a192e803c7ded5f1c.tar.bz2 rails-c66335d5bb6e5b3d2f6dc42a192e803c7ded5f1c.zip | |
Merge pull request #20793 from pwnall/nested_test
Test proving that accepts_nested_attributes_for is secure against ID tampering attacks
| -rw-r--r-- | activerecord/test/cases/nested_attributes_test.rb | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/activerecord/test/cases/nested_attributes_test.rb b/activerecord/test/cases/nested_attributes_test.rb index 6b4addd52f..d72225f3d3 100644 --- a/activerecord/test/cases/nested_attributes_test.rb +++ b/activerecord/test/cases/nested_attributes_test.rb @@ -658,6 +658,16 @@ module NestedAttributesOnACollectionAssociationTests assert_equal "Couldn't find #{@child_1.class.name} with ID=1234567890 for Pirate with ID=#{@pirate.id}", exception.message end + def test_should_raise_RecordNotFound_if_an_id_belonging_to_a_different_record_is_given + other_pirate = Pirate.create! catchphrase: 'Ahoy!' + other_child = other_pirate.send(@association_name).create! name: 'Buccaneers Servant' + + exception = assert_raise ActiveRecord::RecordNotFound do + @pirate.attributes = { association_getter => [{ id: other_child.id }] } + end + assert_equal "Couldn't find #{@child_1.class.name} with ID=#{other_child.id} for Pirate with ID=#{@pirate.id}", exception.message + end + def test_should_automatically_build_new_associated_models_for_each_entry_in_a_hash_where_the_id_is_missing @pirate.send(@association_name).destroy_all @pirate.reload.attributes = { |