authorDavid Heinemeier Hansson <david@loudthinking.com>2005-01-23 17:24:54 +0000
committerDavid Heinemeier Hansson <david@loudthinking.com>2005-01-23 17:24:54 +0000
commit95454bfb33a9b29703dbbf04d1a71d06a68ae787 (patch)
tree821bf2e8c9b09228c3b37b017f8340abb297b967 /activerecord
parent97849debf33123387d33ba11fa5cf776873a5e94 (diff)
Added mass-assignment protection for the inheritance column -- regardless of whether a custom column is used or not
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@477 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
Diffstat (limited to 'activerecord')
-rw-r--r--activerecord/CHANGELOG2
-rwxr-xr-xactiverecord/lib/active_record/base.rb11
-rwxr-xr-xactiverecord/test/base_test.rb7
3 files changed, 17 insertions, 3 deletions
diff --git a/activerecord/CHANGELOG b/activerecord/CHANGELOG
index 65174cb1b8..81083fc24c 100644
--- a/activerecord/CHANGELOG
+++ b/activerecord/CHANGELOG
@@ -1,5 +1,7 @@
*SVN*
+* Added mass-assignment protection for the inheritance column -- regardless of a custom column is used or not
+
* Fixed that association proxies would fail === tests like PremiumSubscription === @account.subscription
* Fixed that column aliases didn't work as expected with the new MySql411 driver #507 [Demetrius]
diff --git a/activerecord/lib/active_record/base.rb b/activerecord/lib/active_record/base.rb
index bae91da22d..8ae636afbb 100755
--- a/activerecord/lib/active_record/base.rb
+++ b/activerecord/lib/active_record/base.rb
@@ -1098,14 +1098,19 @@ module ActiveRecord #:nodoc:
def remove_attributes_protected_from_mass_assignment(attributes)
if self.class.accessible_attributes.nil? && self.class.protected_attributes.nil?
- attributes.reject { |key, value| key == self.class.primary_key }
+ attributes.reject { |key, value| attributes_protected_by_default.include?(key) }
elsif self.class.protected_attributes.nil?
- attributes.reject { |key, value| !self.class.accessible_attributes.include?(key.intern) || key == self.class.primary_key }
+ attributes.reject { |key, value| !self.class.accessible_attributes.include?(key.intern) || attributes_protected_by_default.include?(key) }
elsif self.class.accessible_attributes.nil?
- attributes.reject { |key, value| self.class.protected_attributes.include?(key.intern) || key == self.class.primary_key }
+ attributes.reject { |key, value| self.class.protected_attributes.include?(key.intern) || attributes_protected_by_default.include?(key) }
end
end
+ # The primary key and inheritance column can never be set by mass-assignment for security reasons.
+ def attributes_protected_by_default
+ [ self.class.primary_key, self.class.inheritance_column ]
+ end
+
# Returns copy of the attributes hash where all the values have been safely quoted for use in
# an SQL statement.
def attributes_with_quotes(include_primary_key = true)
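Review bot: The default-protection check on the three new `reject` lines is a strict `include?` of whatever `key` the caller supplied, so a symbol key such as `:type` would not match the string returned by `inheritance_column` and would slip past the guard unless `attributes=` already stringifies keys before calling this method (not visible in this hunk). The accessible/protected branches normalize with `key.intern`, which suggests the key type is not guaranteed here; normalizing the default check the same way, `attributes_protected_by_default.include?(key.to_s)`, would make the protection hold regardless of how the caller keyed the hash. The new comment on `attributes_protected_by_default` could also state that subclasses may override it to extend the list, since that is the hook this refactor introduces. Unrelated to the change but visible in the context: the `if` chain has no `else`, so the method returns nil when both accessible and protected attribute lists are set.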
diff --git a/activerecord/test/base_test.rb b/activerecord/test/base_test.rb
index da9daa6398..c5a6b7d656 100755
--- a/activerecord/test/base_test.rb
+++ b/activerecord/test/base_test.rb
@@ -383,6 +383,13 @@ class BasicsTest < Test::Unit::TestCase
assert_equal 1, firm.rating
end
+ def test_mass_assignment_protection_on_defaults
+ firm = Firm.new
+ firm.attributes = { "id" => 5, "type" => "Client" }
+ assert_nil firm.id
+ assert_equal "Firm", firm[:type]
+ end
+
def test_mass_assignment_accessible
reply = Reply.new("title" => "hello", "content" => "world", "approved" => 0)
reply.save
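Review bot: The new test exercises the default protection only with string keys; a second assignment using symbol keys, `firm.attributes = { :id => 5, :type => "Client" }`, followed by the same two assertions would pin down whether the guard also holds for the key type the accessible/protected branches expect via `key.intern`. The readback mixes access styles, `firm.id` and `firm[:type]`, while the assignment used the string `"type"`; `firm["type"]` would keep the test consistent with the keys it sets. The enclosing test class continues outside the hunk.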