path: root/activerecord/test/cases/calculations_test.rb
authorGuo Xiang Tan <tgx_world@hotmail.com>2015-10-02 16:26:16 +0800
committerGuo Xiang Tan <tgx_world@hotmail.com>2015-10-02 16:26:16 +0800
commit7d0b1e4847d1812b067e03266ca97d7bcb29d706 (patch)
treeae9729d69065fd68ca662a835d62c07e0e63cfc0 /activerecord/test/cases/calculations_test.rb
parent9db73a2591e43d1851411727d6594a72efa35663 (diff)
Fix AC::Parameters not being sanitized for query methods.
Diffstat (limited to 'activerecord/test/cases/calculations_test.rb')
-rw-r--r--activerecord/test/cases/calculations_test.rb32
1 files changed, 32 insertions, 0 deletions
diff --git a/activerecord/test/cases/calculations_test.rb b/activerecord/test/cases/calculations_test.rb
index aa10817527..d904b802fa 100644
--- a/activerecord/test/cases/calculations_test.rb
+++ b/activerecord/test/cases/calculations_test.rb
@@ -681,4 +681,36 @@ class CalculationsTest < ActiveRecord::TestCase
end
assert block_called
end
+
+ def test_having_with_strong_parameters
+ protected_params = Class.new do
+ attr_reader :permitted
+ alias :permitted? :permitted
+
+ def initialize(parameters)
+ @parameters = parameters
+ @permitted = false
+ end
+
+ def to_h
+ @parameters
+ end
+
+ def permit!
+ @permitted = true
+ self
+ end
+ end
+
+ params = protected_params.new(credit_limit: '50')
+
+ assert_raises(ActiveModel::ForbiddenAttributesError) do
+ Account.group(:id).having(params)
+ end
+
+ result = Account.group(:id).having(params.permit!)
+ assert_equal 50, result[0].credit_limit
+ assert_equal 50, result[1].credit_limit
+ assert_equal 50, result[2].credit_limit
+ end
end
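Review bot: The permitted path of test_having_with_strong_parameters indexes `result[0]`, `result[1]` and `result[2]` without first asserting how many rows the relation returned, and `Account.group(:id).having(...)` carries no `order`, so the three positional checks depend on an unspecified row order and would pass on a superset of rows as long as the first three happen to have credit_limit 50. Asserting on the whole collection pins the sanitized having clause down more tightly, e.g. `assert_equal [50, 50, 50], result.map(&:credit_limit)` (this keeps the existing assumption that the fixtures hold exactly three such accounts). The unpermitted branch is the security-relevant half of this test and it is covered well by the `assert_raises(ActiveModel::ForbiddenAttributesError)`; note that the stub's `to_h` deliberately returns the raw hash even when `permitted?` is false, which is what makes the raise prove that `having` checks `permitted?` rather than relying on `to_h` filtering. A similar hand-rolled protected-params stub appears to exist elsewhere in the ActiveRecord test suite; if so, sharing it would keep the sanitization tests for `where` and `having` in step.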