aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorVictor Costan <costan@gmail.com>2015-07-06 22:02:14 -0400
committerVictor Costan <costan@gmail.com>2015-07-07 03:04:21 -0400
commitfccb076bd823df840f681de1e516f4543fc9c0df (patch)
tree29965d3e781348f2bd1b6eb28e99fcb6bbff052a
parente598967548114da4f8d85070584460108a7305ff (diff)
downloadrails-fccb076bd823df840f681de1e516f4543fc9c0df.tar.gz
rails-fccb076bd823df840f681de1e516f4543fc9c0df.tar.bz2
rails-fccb076bd823df840f681de1e516f4543fc9c0df.zip
Add test proving that accepts_nested_attributes_for is secure against ID tampering attacks.
-rw-r--r--activerecord/test/cases/nested_attributes_test.rb10
1 files changed, 10 insertions, 0 deletions
diff --git a/activerecord/test/cases/nested_attributes_test.rb b/activerecord/test/cases/nested_attributes_test.rb
index 6b4addd52f..d72225f3d3 100644
--- a/activerecord/test/cases/nested_attributes_test.rb
+++ b/activerecord/test/cases/nested_attributes_test.rb
@@ -658,6 +658,16 @@ module NestedAttributesOnACollectionAssociationTests
assert_equal "Couldn't find #{@child_1.class.name} with ID=1234567890 for Pirate with ID=#{@pirate.id}", exception.message
end
+ def test_should_raise_RecordNotFound_if_an_id_belonging_to_a_different_record_is_given
+ other_pirate = Pirate.create! catchphrase: 'Ahoy!'
+ other_child = other_pirate.send(@association_name).create! name: 'Buccaneers Servant'
+
+ exception = assert_raise ActiveRecord::RecordNotFound do
+ @pirate.attributes = { association_getter => [{ id: other_child.id }] }
+ end
+ assert_equal "Couldn't find #{@child_1.class.name} with ID=#{other_child.id} for Pirate with ID=#{@pirate.id}", exception.message
+ end
+
def test_should_automatically_build_new_associated_models_for_each_entry_in_a_hash_where_the_id_is_missing
@pirate.send(@association_name).destroy_all
@pirate.reload.attributes = {