diff options
| author | Thomas Walpole <twalpole@gmail.com> | 2015-07-23 06:49:03 -0700 |
|---|---|---|
| committer | Thomas Walpole <twalpole@gmail.com> | 2015-11-03 11:34:07 -0800 |
| commit | 85f7d955f31209605cccd4cca64be93eec9782f1 (patch) | |
| tree | aff4442837d7f5622accfaee0d07d7d6a2a08c1d /activerecord/lib/active_record | |
| parent | e670611e6002039231a24d547f9a6e053940fb16 (diff) | |
| download | rails-85f7d955f31209605cccd4cca64be93eec9782f1.tar.gz rails-85f7d955f31209605cccd4cca64be93eec9782f1.tar.bz2 rails-85f7d955f31209605cccd4cca64be93eec9782f1.zip | |
Update and fix forbidden attributes tests
Add AC::Parameters tests for WhereChain#not
Diffstat (limited to 'activerecord/lib/active_record')
| -rw-r--r-- | activerecord/lib/active_record/inheritance.rb | 3 | ||||
| -rw-r--r-- | activerecord/lib/active_record/relation/query_methods.rb | 4 |
2 files changed, 6 insertions, 1 deletions
diff --git a/activerecord/lib/active_record/inheritance.rb b/activerecord/lib/active_record/inheritance.rb index 589c70db0d..8b719e0bcb 100644 --- a/activerecord/lib/active_record/inheritance.rb +++ b/activerecord/lib/active_record/inheritance.rb @@ -198,10 +198,11 @@ module ActiveRecord # If this is a StrongParameters hash, and access to inheritance_column is not permitted, # this will ignore the inheritance column and return nil def subclass_from_attributes?(attrs) - attribute_names.include?(inheritance_column) && attrs.is_a?(Hash) + attribute_names.include?(inheritance_column) && (attrs.is_a?(Hash) || attrs.respond_to?(:permitted?)) end def subclass_from_attributes(attrs) + attrs = attrs.to_h if attrs.respond_to?(:permitted?) subclass_name = attrs.with_indifferent_access[inheritance_column] if subclass_name.present? diff --git a/activerecord/lib/active_record/relation/query_methods.rb b/activerecord/lib/active_record/relation/query_methods.rb index 2dc52982c9..7a4bf5338d 100644 --- a/activerecord/lib/active_record/relation/query_methods.rb +++ b/activerecord/lib/active_record/relation/query_methods.rb @@ -13,6 +13,8 @@ module ActiveRecord # WhereChain objects act as placeholder for queries in which #where does not have any parameter. # In this case, #where must be chained with #not to return a new relation. class WhereChain + include ActiveModel::ForbiddenAttributesProtection + def initialize(scope) @scope = scope end @@ -41,6 +43,8 @@ module ActiveRecord # User.where.not(name: "Jon", role: "admin") # # SELECT * FROM users WHERE name != 'Jon' AND role != 'admin' def not(opts, *rest) + opts = sanitize_forbidden_attributes(opts) + where_clause = @scope.send(:where_clause_factory).build(opts, rest) @scope.references!(PredicateBuilder.references(opts)) if Hash === opts |