author | Tsutomu Kuroda <t-kuroda@oiax.jp> | 2011-01-26 11:35:02 +0900 |
---|---|---|
committer | Santiago Pastorino <santiago@wyeworks.com> | 2011-02-09 18:35:15 -0200 |
commit | ad31549ab3044afc336c05243481c0f663689584 (patch) | |
tree | 9e4d9d735616559ada74f756a18bb4facfa2104c /activemodel/test/cases | |
parent | 9d8fdfec38a145e3f5074fd8dc0216630c268e32 (diff) | |
Override attributes_protected_by_default when has_secure_password is called.
attr_protected should not be called, because it nullifies the
mass assignment protection that has been set by attr_accessible.
Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
Diffstat (limited to 'activemodel/test/cases')
-rw-r--r-- | activemodel/test/cases/secure_password_test.rb | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/activemodel/test/cases/secure_password_test.rb b/activemodel/test/cases/secure_password_test.rb
index 79be715730..4a47a7a226 100644
--- a/activemodel/test/cases/secure_password_test.rb
+++ b/activemodel/test/cases/secure_password_test.rb
@@ -1,5 +1,7 @@
 require 'cases/helper'
 require 'models/user'
+require 'models/visitor'
+require 'models/administrator'
 class SecurePasswordTest < ActiveModel::TestCase
@@ -29,4 +31,15 @@ class SecurePasswordTest < ActiveModel::TestCase
 assert !@user.authenticate("wrong")
 assert @user.authenticate("secret")
 end
+
+ test "visitor#password_digest should be protected against mass assignment" do
+ assert Visitor.active_authorizer.kind_of?(ActiveModel::MassAssignmentSecurity::BlackList)
+ assert Visitor.active_authorizer.include?(:password_digest)
+ end
+
+ test "Administrator's mass_assignment_authorizer should be WhiteList" do
+ assert Administrator.active_authorizer.kind_of?(ActiveModel::MassAssignmentSecurity::WhiteList)
+ assert !Administrator.active_authorizer.include?(:password_digest)
+ assert Administrator.active_authorizer.include?(:name)
+ end
 end |
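Review bot: Both tests added in the second hunk pin the authorizer's class and its `include?` result rather than the property that matters, that `:password_digest` is denied, and `include?` means the opposite thing on a BlackList and on a WhiteList, so the two assertions are easy to misread. Stating it directly with `assert Visitor.active_authorizer.deny?(:password_digest)` and `assert Administrator.active_authorizer.deny?(:password_digest)` would keep the tests valid if the list implementation changes. Neither test performs an actual mass assignment; if Visitor and Administrator accept an attributes hash (their definitions are not in this diff), one assertion that a supplied `password_digest` is ignored would cover the path a request-supplied params hash takes. The enclosing SecurePasswordTest class begins outside the hunk.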