author | Victor Costan <costan@gmail.com> | 2015-07-06 22:02:14 -0400 |
---|---|---|
committer | Victor Costan <costan@gmail.com> | 2015-07-07 03:04:21 -0400 |
commit | fccb076bd823df840f681de1e516f4543fc9c0df (patch) | |
tree | 29965d3e781348f2bd1b6eb28e99fcb6bbff052a | |
parent | e598967548114da4f8d85070584460108a7305ff (diff) | |
download | rails-fccb076bd823df840f681de1e516f4543fc9c0df.tar.gz rails-fccb076bd823df840f681de1e516f4543fc9c0df.tar.bz2 rails-fccb076bd823df840f681de1e516f4543fc9c0df.zip |
Add test proving that accepts_nested_attributes_for is secure against ID tampering attacks.
-rw-r--r-- | activerecord/test/cases/nested_attributes_test.rb | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/activerecord/test/cases/nested_attributes_test.rb b/activerecord/test/cases/nested_attributes_test.rb
index 6b4addd52f..d72225f3d3 100644
--- a/activerecord/test/cases/nested_attributes_test.rb
+++ b/activerecord/test/cases/nested_attributes_test.rb
@@ -658,6 +658,16 @@ module NestedAttributesOnACollectionAssociationTests
     assert_equal "Couldn't find #{@child_1.class.name} with ID=1234567890 for Pirate with ID=#{@pirate.id}", exception.message
   end
 
+  def test_should_raise_RecordNotFound_if_an_id_belonging_to_a_different_record_is_given
+    other_pirate = Pirate.create! catchphrase: 'Ahoy!'
+    other_child = other_pirate.send(@association_name).create! name: 'Buccaneers Servant'
+
+    exception = assert_raise ActiveRecord::RecordNotFound do
+      @pirate.attributes = { association_getter => [{ id: other_child.id }] }
+    end
+    assert_equal "Couldn't find #{@child_1.class.name} with ID=#{other_child.id} for Pirate with ID=#{@pirate.id}", exception.message
+  end
+
   def test_should_automatically_build_new_associated_models_for_each_entry_in_a_hash_where_the_id_is_missing
     @pirate.send(@association_name).destroy_all
     @pirate.reload.attributes = { |
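Review bot: The new test_should_raise_RecordNotFound_if_an_id_belonging_to_a_different_record_is_given only checks that the foreign id raises, not that the rejected assignment left both records untouched, so a regression that looked up the child globally and raised only after mutating or re-parenting it would still pass. After the assert_raise block, add `assert_includes other_pirate.send(@association_name).reload, other_child` and `assert_not_includes @pirate.send(@association_name).reload, other_child` to pin that the child is still owned solely by other_pirate. It would also be worth a sibling case that passes `{ id: other_child.id, _destroy: '1' }`, since destroying another parent's child via a tampered id is the more damaging variant of the same attack; I am assuming the lookup happens before any _destroy handling, which this hunk does not show. The enclosing NestedAttributesOnACollectionAssociationTests module and the neighbouring test methods continue outside the hunk.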