Don't use mass-assignment protection when setting foreign keys or association conditions on singular associations. Fixes #481 (again).

3 files changed, 45 insertions, 9 deletions

diff --git a/activerecord/lib/active_record/associations/singular_association.rb b/activerecord/lib/active_record/associations/singular_association.rb
index ea4d73d414..877ddf3ee1 100644
--- a/activerecord/lib/active_record/associations/singular_association.rb
+++ b/activerecord/lib/active_record/associations/singular_association.rb
@@ -18,7 +18,7 @@ module ActiveRecord
       end
 
       def create(attributes = {}, options = {})
-        new_record(:create, attributes, options)
+        build(attributes, options).tap { |record| record.save }
       end
 
       def create!(attributes = {}, options = {})
@@ -26,7 +26,14 @@ module ActiveRecord
       end
 
       def build(attributes = {}, options = {})
-        new_record(:build, attributes, options)
+        record = reflection.build_association
+        record.assign_attributes(
+          scoped.scope_for_create.except(klass.primary_key),
+          :without_protection => true
+        )
+        record.assign_attributes(attributes, options)
+        set_new_record(record)
+        record
       end
 
       private
@@ -43,13 +50,6 @@ module ActiveRecord
         def set_new_record(record)
           replace(record)
         end
-
-        def new_record(method, attributes, options)
-          attributes = scoped.scope_for_create.merge(attributes || {})
-          record = reflection.send("#{method}_association", attributes, options)
-          set_new_record(record)
-          record
-        end
     end
   end
 end
diff --git a/activerecord/test/cases/associations/has_one_associations_test.rb b/activerecord/test/cases/associations/has_one_associations_test.rb
index c2a82b8c60..356a4a7a09 100644
--- a/activerecord/test/cases/associations/has_one_associations_test.rb
+++ b/activerecord/test/cases/associations/has_one_associations_test.rb
@@ -4,6 +4,7 @@ require 'models/project'
 require 'models/company'
 require 'models/ship'
 require 'models/pirate'
+require 'models/car'
 require 'models/bulb'
 
 class HasOneAssociationsTest < ActiveRecord::TestCase
@@ -377,4 +378,36 @@ class HasOneAssociationsTest < ActiveRecord::TestCase
       assert_equal firm.association(:account).loaded?, firm.account_loaded?
     end
   end
+
+  def test_association_keys_bypass_attribute_protection
+    car = Car.create(:name => 'honda')
+
+    bulb = car.build_bulb
+    assert_equal car.id, bulb.car_id
+
+    bulb = car.build_bulb :car_id => car.id + 1
+    assert_equal car.id, bulb.car_id
+
+    bulb = car.create_bulb
+    assert_equal car.id, bulb.car_id
+
+    bulb = car.create_bulb :car_id => car.id + 1
+    assert_equal car.id, bulb.car_id
+  end
+
+  def test_association_conditions_bypass_attribute_protection
+    car = Car.create(:name => 'honda')
+
+    bulb = car.build_frickinawesome_bulb
+    assert_equal true, bulb.frickinawesome?
+
+    bulb = car.build_frickinawesome_bulb(:frickinawesome => false)
+    assert_equal true, bulb.frickinawesome?
+
+    bulb = car.create_frickinawesome_bulb
+    assert_equal true, bulb.frickinawesome?
+
+    bulb = car.create_frickinawesome_bulb(:frickinawesome => false)
+    assert_equal true, bulb.frickinawesome?
+  end
 end
diff --git a/activerecord/test/models/car.rb b/activerecord/test/models/car.rb
index de1864345a..76f20b1061 100644
--- a/activerecord/test/models/car.rb
+++ b/activerecord/test/models/car.rb
@@ -4,6 +4,9 @@ class Car < ActiveRecord::Base
   has_many :foo_bulbs, :class_name => "Bulb", :conditions => { :name => 'foo' }
   has_many :frickinawesome_bulbs, :class_name => "Bulb", :conditions => { :frickinawesome => true }
 
+  has_one :bulb
+  has_one :frickinawesome_bulb, :class_name => "Bulb", :conditions => { :frickinawesome => true }
+
   has_many :tyres
   has_many :engines
   has_many :wheels, :as => :wheelable