Added mass-assignment security :as and :without_protection support to AR.new and AR.create

1 files changed, 114 insertions, 24 deletions

diff --git a/activerecord/test/cases/mass_assignment_security_test.rb b/activerecord/test/cases/mass_assignment_security_test.rb
index 2c051bff84..67950c8068 100644
--- a/activerecord/test/cases/mass_assignment_security_test.rb
+++ b/activerecord/test/cases/mass_assignment_security_test.rb
@@ -7,6 +7,12 @@ require 'models/person'
 
 class MassAssignmentSecurityTest < ActiveRecord::TestCase
 
+  def setup
+    # another AR test modifies the columns which causes issues with create calls
+    TightPerson.reset_column_information
+    LoosePerson.reset_column_information
+  end
+
   def test_customized_primary_key_remains_protected
     subscriber = Subscriber.new(:nick => 'webster123', :name => 'nice try')
     assert_nil subscriber.id
@@ -35,60 +41,114 @@ class MassAssignmentSecurityTest < ActiveRecord::TestCase
     p = LoosePerson.new
     p.assign_attributes(attributes_hash)
 
-    assert_equal nil,    p.id
-    assert_equal 'Josh', p.first_name
-    assert_equal 'm',    p.gender
-    assert_equal nil,    p.comments
+    assert_default_attributes(p)
   end
 
   def test_assign_attributes_skips_mass_assignment_security_protection_when_without_protection_is_used
     p = LoosePerson.new
     p.assign_attributes(attributes_hash, :without_protection => true)
 
-    assert_equal 5, p.id
-    assert_equal 'Josh', p.first_name
-    assert_equal 'm', p.gender
-    assert_equal 'rides a sweet bike', p.comments
+    assert_all_attributes(p)
   end
 
   def test_assign_attributes_with_default_scope_and_attr_protected_attributes
     p = LoosePerson.new
     p.assign_attributes(attributes_hash, :as => :default)
 
-    assert_equal nil, p.id
-    assert_equal 'Josh', p.first_name
-    assert_equal 'm', p.gender
-    assert_equal nil, p.comments
+    assert_default_attributes(p)
   end
 
   def test_assign_attributes_with_admin_scope_and_attr_protected_attributes
     p = LoosePerson.new
     p.assign_attributes(attributes_hash, :as => :admin)
 
-    assert_equal nil, p.id
-    assert_equal 'Josh', p.first_name
-    assert_equal 'm', p.gender
-    assert_equal 'rides a sweet bike', p.comments
+    assert_admin_attributes(p)
   end
 
   def test_assign_attributes_with_default_scope_and_attr_accessible_attributes
     p = TightPerson.new
     p.assign_attributes(attributes_hash, :as => :default)
 
-    assert_equal nil, p.id
-    assert_equal 'Josh', p.first_name
-    assert_equal 'm', p.gender
-    assert_equal nil, p.comments
+    assert_default_attributes(p)
   end
 
   def test_assign_attributes_with_admin_scope_and_attr_accessible_attributes
     p = TightPerson.new
     p.assign_attributes(attributes_hash, :as => :admin)
 
-    assert_equal nil, p.id
-    assert_equal 'Josh', p.first_name
-    assert_equal 'm', p.gender
-    assert_equal 'rides a sweet bike', p.comments
+    assert_admin_attributes(p)
+  end
+
+  def test_new_with_attr_accessible_attributes
+    p = TightPerson.new(attributes_hash)
+
+    assert_default_attributes(p)
+  end
+
+  def test_new_with_attr_protected_attributes
+    p = LoosePerson.new(attributes_hash)
+
+    assert_default_attributes(p)
+  end
+
+  def test_create_with_attr_accessible_attributes
+    p = TightPerson.create(attributes_hash)
+
+    assert_default_attributes(p, true)
+  end
+
+  def test_create_with_attr_protected_attributes
+    p = LoosePerson.create(attributes_hash)
+
+    assert_default_attributes(p, true)
+  end
+
+  def test_new_with_admin_scope_with_attr_accessible_attributes
+    p = TightPerson.new(attributes_hash, :as => :admin)
+
+    assert_admin_attributes(p)
+  end
+
+  def test_new_with_admin_scope_with_attr_protected_attributes
+    p = LoosePerson.new(attributes_hash, :as => :admin)
+
+    assert_admin_attributes(p)
+  end
+
+  def test_create_with_admin_scope_with_attr_accessible_attributes
+    p = TightPerson.create(attributes_hash, :as => :admin)
+
+    assert_admin_attributes(p, true)
+  end
+
+  def test_create_with_admin_scope_with_attr_protected_attributes
+    p = LoosePerson.create(attributes_hash, :as => :admin)
+
+    assert_admin_attributes(p, true)
+  end
+
+  def test_new_with_without_protection_with_attr_accessible_attributes
+    p = TightPerson.new(attributes_hash, :without_protection => true)
+
+    assert_all_attributes(p)
+  end
+
+  def test_new_with_without_protection_with_attr_protected_attributes
+    p = LoosePerson.new(attributes_hash, :without_protection => true)
+
+    assert_all_attributes(p)
+  end
+
+  def test_create_with_without_protection_with_attr_accessible_attributes
+    p = TightPerson.create(attributes_hash, :without_protection => true)
+
+    assert_all_attributes(p)
+  end
+
+  def test_create_with_without_protection_with_attr_protected_attributes
+    p = LoosePerson.create(attributes_hash, :without_protection => true)
+
+    assert_all_attributes(p)
   end
 
   def test_protection_against_class_attribute_writers
@@ -111,4 +171,34 @@ class MassAssignmentSecurityTest < ActiveRecord::TestCase
       :comments => 'rides a sweet bike'
     }
   end
+
+  def assert_default_attributes(person, create = false)
+    unless create
+      assert_nil person.id
+    else
+      assert !!person.id
+    end
+    assert_equal 'Josh', person.first_name
+    assert_equal 'm',    person.gender
+    assert_nil person.comments
+  end
+
+  def assert_admin_attributes(person, create = false)
+    unless create
+      assert_nil person.id
+    else
+      assert !!person.id
+    end
+    assert_equal 'Josh', person.first_name
+    assert_equal 'm',    person.gender
+    assert_equal 'rides a sweet bike', person.comments
+  end
+
+  def assert_all_attributes(person)
+    assert_equal 5, person.id
+    assert_equal 'Josh', person.first_name
+    assert_equal 'm',    person.gender
+    assert_equal 'rides a sweet bike', person.comments
+  end
+
 end
\ No newline at end of file