diff options
author | Andrew White <andyw@pixeltrix.co.uk> | 2015-11-27 13:46:46 +0000 |
---|---|---|
committer | Aaron Patterson <aaron.patterson@gmail.com> | 2016-01-22 15:01:20 -0800 |
commit | cdabc95608336dbea7b6a3a3e925de5bbd5313ba (patch) | |
tree | 743d5043e983483389c94e68a0a8341264e02516 /activerecord/test/cases/nested_attributes_test.rb | |
parent | 127967b735813cd4f263df7a50426d74e7e9cc17 (diff) | |
download | rails-cdabc95608336dbea7b6a3a3e925de5bbd5313ba.tar.gz rails-cdabc95608336dbea7b6a3a3e925de5bbd5313ba.tar.bz2 rails-cdabc95608336dbea7b6a3a3e925de5bbd5313ba.zip |
Don't short-circuit reject_if proc
When updating an associated record via nested attribute hashes the
reject_if proc could be bypassed if the _destroy flag was set in the
attribute hash and allow_destroy was set to false.
The fix is to only short-circuit if the _destroy flag is set and the
option allow_destroy is set to true. It also fixes an issue where
a new record wasn't created if _destroy was set and the option
allow_destroy was set to false.
CVE-2015-7577
Diffstat (limited to 'activerecord/test/cases/nested_attributes_test.rb')
-rw-r--r-- | activerecord/test/cases/nested_attributes_test.rb | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/activerecord/test/cases/nested_attributes_test.rb b/activerecord/test/cases/nested_attributes_test.rb index 85b9d3c1a1..f5f0517681 100644 --- a/activerecord/test/cases/nested_attributes_test.rb +++ b/activerecord/test/cases/nested_attributes_test.rb @@ -147,6 +147,19 @@ class TestNestedAttributesInGeneral < ActiveRecord::TestCase assert man.reload.interests.empty? end + def test_reject_if_is_not_short_circuited_if_allow_destroy_is_false + Pirate.accepts_nested_attributes_for :ship, reject_if: ->(a) { a[:name] == "The Golden Hind" }, allow_destroy: false + + pirate = Pirate.create!(catchphrase: "Stop wastin' me time", ship_attributes: { name: "White Pearl", _destroy: "1" }) + assert_equal "White Pearl", pirate.reload.ship.name + + pirate.update!(ship_attributes: { id: pirate.ship.id, name: "The Golden Hind", _destroy: "1" }) + assert_equal "White Pearl", pirate.reload.ship.name + + pirate.update!(ship_attributes: { id: pirate.ship.id, name: "Black Pearl", _destroy: "1" }) + assert_equal "Black Pearl", pirate.reload.ship.name + end + def test_has_many_association_updating_a_single_record Man.accepts_nested_attributes_for(:interests) man = Man.create(:name => 'John') |