Changed ActiveRecord attributes to respect access control.

Signed-off-by: Michael Koziarski <michael@koziarski.com>
[#1084 state:committed]

1 files changed, 7 insertions, 1 deletions

diff --git a/activerecord/lib/active_record/attribute_methods.rb b/activerecord/lib/active_record/attribute_methods.rb
index 020da01871..e5486738f0 100644
--- a/activerecord/lib/active_record/attribute_methods.rb
+++ b/activerecord/lib/active_record/attribute_methods.rb
@@ -232,6 +232,10 @@ module ActiveRecord
     def method_missing(method_id, *args, &block)
       method_name = method_id.to_s
 
+      if self.class.private_method_defined?(method_name)
+        raise NoMethodError("Attempt to call private method", method_name, args)
+      end
+
       # If we haven't generated any methods yet, generate them, then
       # see if we've created the method we're looking for.
       if !self.class.generated_methods?
@@ -334,10 +338,12 @@ module ActiveRecord
     # <tt>person.respond_to?(:name=)</tt>, and <tt>person.respond_to?(:name?)</tt>
     # which will all return +true+.
     alias :respond_to_without_attributes? :respond_to?
-    def respond_to?(method, include_priv = false)
+    def respond_to?(method, include_private_methods = false)
       method_name = method.to_s
       if super
         return true
+      elsif self.private_methods.include?(method_name) && !include_private_methods
+        return false
       elsif !self.class.generated_methods?
         self.class.define_attribute_methods
         if self.class.generated_methods.include?(method_name)