authorMarcel Molina <marcel@vernix.org>2005-10-12 19:59:13 +0000
committerMarcel Molina <marcel@vernix.org>2005-10-12 19:59:13 +0000
commit0e0e774085c478a171894abfa95fff9475a4a826 (patch)
treee0d3099e25d1558ace4888bf09a159717f9ef2e6 /activerecord/lib
parentf0b2b637ea9b7133fce95f1fc10eec6b1c7304d9 (diff)
Protect id attribute from mass assignment even when the primary key is set to something else. Closes #2438.
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@2541 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
Diffstat (limited to 'activerecord/lib')
-rwxr-xr-xactiverecord/lib/active_record/base.rb8
1 files changed, 5 insertions, 3 deletions
diff --git a/activerecord/lib/active_record/base.rb b/activerecord/lib/active_record/base.rb
index dd0fe15b3f..16d9579ed0 100755
--- a/activerecord/lib/active_record/base.rb
+++ b/activerecord/lib/active_record/base.rb
@@ -508,7 +508,7 @@ module ActiveRecord #:nodoc:
# customer.credit_rating = "Average"
# customer.credit_rating # => "Average"
def attr_protected(*attributes)
- write_inheritable_array("attr_protected", attributes)
+ write_inheritable_array("attr_protected", attributes - (protected_attributes || []))
end
# Returns an array of all the attributes that have been protected from mass-assignment.
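Review bot: The subtraction in `attr_protected` compares the new names with the inherited list exactly as they were passed, so `:credit_rating` and `"credit_rating"` count as different entries, and a name repeated within one call is still written twice. If the mass-assignment filter (not visible in this diff) looks names up in only one form, a declaration given in the other form would be stored but might not protect anything. I would normalise before subtracting, e.g. `attributes.uniq - (protected_attributes || [])` after converting to the form the filter expects, and state the expected argument type in the method comment. The same applies to the `attr_accessible` hunk below.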
@@ -521,7 +521,7 @@ module ActiveRecord #:nodoc:
# protection. If you'd rather start from an all-open default and restrict attributes as needed, have a look at
# attr_protected.
def attr_accessible(*attributes)
- write_inheritable_array("attr_accessible", attributes)
+ write_inheritable_array("attr_accessible", attributes - (accessible_attributes || []))
end
# Returns an array of all the attributes that have been made accessible to mass-assignment.
@@ -1450,7 +1450,9 @@ module ActiveRecord #:nodoc:
# The primary key and inheritance column can never be set by mass-assignment for security reasons.
def attributes_protected_by_default
- [ self.class.primary_key, self.class.inheritance_column ]
+ default = [ self.class.primary_key, self.class.inheritance_column ]
+ default << 'id' unless self.class.primary_key.eql? 'id'
+ default
end
# Returns copy of the attributes hash where all the values have been safely quoted for use in
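Review bot: The comment above `attributes_protected_by_default` still names only the primary key and the inheritance column, but the new body also protects `id` unconditionally. I would change it to `# The primary key, the inheritance column and "id" can never be set by mass-assignment for security reasons.` so the guarantee is documented where it is enforced. The added entry is the literal string `'id'`, so the protection depends on the caller comparing string keys; keys arriving in another form (for example as symbols) would need normalising there, which cannot be confirmed from this hunk. If the commit carries no test outside `activerecord/lib`, a regression test that mass-assigns `id` on a model with a custom primary key would pin the behaviour.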