author | Josh Kalderimis <josh.kalderimis@gmail.com> | 2011-05-01 20:20:22 +0200 |
---|---|---|
committer | Josh Kalderimis <josh.kalderimis@gmail.com> | 2011-05-01 23:08:50 +0200 |
commit | 7c5ae0a88fc9406857ee362c827c57eb23fd5f95 (patch) | |
tree | 01a91ebdcfd1778a333d305bcdd2f3405e6037b4 /activerecord/test/cases/mass_assignment_security_test.rb | |
parent | b8ccd0552473fbe0f346334e37b7d84481dd3533 (diff) | |
download | rails-7c5ae0a88fc9406857ee362c827c57eb23fd5f95.tar.gz rails-7c5ae0a88fc9406857ee362c827c57eb23fd5f95.tar.bz2 rails-7c5ae0a88fc9406857ee362c827c57eb23fd5f95.zip |
Added mass-assignment security :as and :without_protection support to AR.new and AR.create
Diffstat (limited to 'activerecord/test/cases/mass_assignment_security_test.rb')
-rw-r--r-- | activerecord/test/cases/mass_assignment_security_test.rb | 138 |
1 files changed, 114 insertions, 24 deletions
diff --git a/activerecord/test/cases/mass_assignment_security_test.rb b/activerecord/test/cases/mass_assignment_security_test.rb
index 2c051bff84..67950c8068 100644
--- a/activerecord/test/cases/mass_assignment_security_test.rb
+++ b/activerecord/test/cases/mass_assignment_security_test.rb
@@ -7,6 +7,12 @@ require 'models/person'
 class MassAssignmentSecurityTest < ActiveRecord::TestCase
+  def setup
+    # another AR test modifies the columns which causes issues with create calls
+    TightPerson.reset_column_information
+    LoosePerson.reset_column_information
+  end
+
   def test_customized_primary_key_remains_protected
     subscriber = Subscriber.new(:nick => 'webster123', :name => 'nice try')
     assert_nil subscriber.id
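Review bot: The new `setup` papers over a test-ordering dependency rather than fixing it: the comment says "another AR test modifies the columns" without naming it, so the next person hitting a column-related failure in `create` has no lead to follow, and the test that mutates column information is the one that should restore it in its own teardown. At minimum name the offender, e.g. `# <offending test — TODO name it> redefines columns on the people table; reset so create sees the real schema`. Also worth confirming that overriding `def setup` without `super` is safe for `ActiveRecord::TestCase` here — if the base class wires its own setup through callbacks this is fine, otherwise call `super` first. The class body continues beyond this hunk.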
@@ -35,60 +41,114 @@ class MassAssignmentSecurityTest < ActiveRecord::TestCase p = LoosePerson.new p.assign_attributes(attributes_hash) - assert_equal nil, p.id - assert_equal 'Josh', p.first_name - assert_equal 'm', p.gender - assert_equal nil, p.comments + assert_default_attributes(p) end def test_assign_attributes_skips_mass_assignment_security_protection_when_without_protection_is_used p = LoosePerson.new p.assign_attributes(attributes_hash, :without_protection => true) - assert_equal 5, p.id - assert_equal 'Josh', p.first_name - assert_equal 'm', p.gender - assert_equal 'rides a sweet bike', p.comments + assert_all_attributes(p) end def test_assign_attributes_with_default_scope_and_attr_protected_attributes p = LoosePerson.new p.assign_attributes(attributes_hash, :as => :default) - assert_equal nil, p.id - assert_equal 'Josh', p.first_name - assert_equal 'm', p.gender - assert_equal nil, p.comments + assert_default_attributes(p) end def test_assign_attributes_with_admin_scope_and_attr_protected_attributes p = LoosePerson.new p.assign_attributes(attributes_hash, :as => :admin) - assert_equal nil, p.id - assert_equal 'Josh', p.first_name - assert_equal 'm', p.gender - assert_equal 'rides a sweet bike', p.comments + assert_admin_attributes(p) end def test_assign_attributes_with_default_scope_and_attr_accessible_attributes p = TightPerson.new p.assign_attributes(attributes_hash, :as => :default) - assert_equal nil, p.id - assert_equal 'Josh', p.first_name - assert_equal 'm', p.gender - assert_equal nil, p.comments + assert_default_attributes(p) end def test_assign_attributes_with_admin_scope_and_attr_accessible_attributes p = TightPerson.new p.assign_attributes(attributes_hash, :as => :admin) - assert_equal nil, p.id - assert_equal 'Josh', p.first_name - assert_equal 'm', p.gender - assert_equal 'rides a sweet bike', p.comments + assert_admin_attributes(p) + end + + def test_new_with_attr_accessible_attributes + p = TightPerson.new(attributes_hash) + + 
assert_default_attributes(p) + end + + def test_new_with_attr_protected_attributes + p = LoosePerson.new(attributes_hash) + + assert_default_attributes(p) + end + + def test_create_with_attr_accessible_attributes + p = TightPerson.create(attributes_hash) + + assert_default_attributes(p, true) + end + + def test_create_with_attr_protected_attributes + p = LoosePerson.create(attributes_hash) + + assert_default_attributes(p, true) + end + + def test_new_with_admin_scope_with_attr_accessible_attributes + p = TightPerson.new(attributes_hash, :as => :admin) + + assert_admin_attributes(p) + end + + def test_new_with_admin_scope_with_attr_protected_attributes + p = LoosePerson.new(attributes_hash, :as => :admin) + + assert_admin_attributes(p) + end + + def test_create_with_admin_scope_with_attr_accessible_attributes + p = TightPerson.create(attributes_hash, :as => :admin) + + assert_admin_attributes(p, true) + end + + def test_create_with_admin_scope_with_attr_protected_attributes + p = LoosePerson.create(attributes_hash, :as => :admin) + + assert_admin_attributes(p, true) + end + + def test_new_with_without_protection_with_attr_accessible_attributes + p = TightPerson.new(attributes_hash, :without_protection => true) + + assert_all_attributes(p) + end + + def test_new_with_without_protection_with_attr_protected_attributes + p = LoosePerson.new(attributes_hash, :without_protection => true) + + assert_all_attributes(p) + end + + def test_create_with_without_protection_with_attr_accessible_attributes + p = TightPerson.create(attributes_hash, :without_protection => true) + + assert_all_attributes(p) + end + + def test_create_with_without_protection_with_attr_protected_attributes + p = LoosePerson.create(attributes_hash, :without_protection => true) + + assert_all_attributes(p) end def test_protection_against_class_attribute_writers 
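Review bot: The `test_create_with_*` cases (from `test_create_with_attr_accessible_attributes` onward) assert only on the object `create` returns, so they prove the protected `:id`/`:comments` were filtered from the in-memory instance, not that they never reached the database — which is the property mass-assignment protection actually guards on the `create` path. Re-fetch the row before asserting, e.g. `p = TightPerson.create(attributes_hash)` followed by `assert_default_attributes(TightPerson.find(p.id), true)`, and likewise for the `:as => :admin` create tests; the `:without_protection` create tests can assert the reloaded row the same way. The hunk's leading context lines belong to a test method whose `def` is above the hunk, and the class continues past its end.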
@@ -111,4 +171,34 @@ class MassAssignmentSecurityTest < ActiveRecord::TestCase
       :comments => 'rides a sweet bike'
     }
   end
+
+  def assert_default_attributes(person, create = false)
+    unless create
+      assert_nil person.id
+    else
+      assert !!person.id
+    end
+    assert_equal 'Josh', person.first_name
+    assert_equal 'm', person.gender
+    assert_nil person.comments
+  end
+
+  def assert_admin_attributes(person, create = false)
+    unless create
+      assert_nil person.id
+    else
+      assert !!person.id
+    end
+    assert_equal 'Josh', person.first_name
+    assert_equal 'm', person.gender
+    assert_equal 'rides a sweet bike', person.comments
+  end
+
+  def assert_all_attributes(person)
+    assert_equal 5, person.id
+    assert_equal 'Josh', person.first_name
+    assert_equal 'm', person.gender
+    assert_equal 'rides a sweet bike', person.comments
+  end
+
 end
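Review bot: `assert !!person.id` in both `assert_default_attributes` and `assert_admin_attributes` gives a bare "false is not true" on failure; `assert` already tests truthiness, so the double bang adds nothing and `assert_not_nil person.id` reports the actual value. The `unless create ... else ... end` shape is also the inverted-unless pattern style guides flag — write it as `if create` then `assert_not_nil person.id` else `assert_nil person.id`. That five-line id check is duplicated verbatim across the two helpers; pulling it into a small `assert_persisted_id(person, create)` helper keeps them in step, and all three helpers belong under a `private` marker so they are clearly not test cases.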
\ No newline at end of file |