aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--activerecord/CHANGELOG2
-rwxr-xr-xactiverecord/lib/active_record/base.rb11
-rwxr-xr-xactiverecord/test/base_test.rb7
3 files changed, 17 insertions, 3 deletions
diff --git a/activerecord/CHANGELOG b/activerecord/CHANGELOG
index 65174cb1b8..81083fc24c 100644
--- a/activerecord/CHANGELOG
+++ b/activerecord/CHANGELOG
@@ -1,5 +1,7 @@
*SVN*
+* Added mass-assignment protection for the inheritance column -- regardless of a custom column is used or not
+
* Fixed that association proxies would fail === tests like PremiumSubscription === @account.subscription
* Fixed that column aliases didn't work as expected with the new MySql411 driver #507 [Demetrius]
diff --git a/activerecord/lib/active_record/base.rb b/activerecord/lib/active_record/base.rb
index bae91da22d..8ae636afbb 100755
--- a/activerecord/lib/active_record/base.rb
+++ b/activerecord/lib/active_record/base.rb
@@ -1098,14 +1098,19 @@ module ActiveRecord #:nodoc:
def remove_attributes_protected_from_mass_assignment(attributes)
if self.class.accessible_attributes.nil? && self.class.protected_attributes.nil?
- attributes.reject { |key, value| key == self.class.primary_key }
+ attributes.reject { |key, value| attributes_protected_by_default.include?(key) }
elsif self.class.protected_attributes.nil?
- attributes.reject { |key, value| !self.class.accessible_attributes.include?(key.intern) || key == self.class.primary_key }
+ attributes.reject { |key, value| !self.class.accessible_attributes.include?(key.intern) || attributes_protected_by_default.include?(key) }
elsif self.class.accessible_attributes.nil?
- attributes.reject { |key, value| self.class.protected_attributes.include?(key.intern) || key == self.class.primary_key }
+ attributes.reject { |key, value| self.class.protected_attributes.include?(key.intern) || attributes_protected_by_default.include?(key) }
end
end
+ # The primary key and inheritance column can never be set by mass-assignment for security reasons.
+ def attributes_protected_by_default
+ [ self.class.primary_key, self.class.inheritance_column ]
+ end
+
# Returns copy of the attributes hash where all the values have been safely quoted for use in
# an SQL statement.
def attributes_with_quotes(include_primary_key = true)
diff --git a/activerecord/test/base_test.rb b/activerecord/test/base_test.rb
index da9daa6398..c5a6b7d656 100755
--- a/activerecord/test/base_test.rb
+++ b/activerecord/test/base_test.rb
@@ -383,6 +383,13 @@ class BasicsTest < Test::Unit::TestCase
assert_equal 1, firm.rating
end
+ def test_mass_assignment_protection_on_defaults
+ firm = Firm.new
+ firm.attributes = { "id" => 5, "type" => "Client" }
+ assert_nil firm.id
+ assert_equal "Firm", firm[:type]
+ end
+
def test_mass_assignment_accessible
reply = Reply.new("title" => "hello", "content" => "world", "approved" => 0)
reply.save