-rw-r--r-- | activerecord/CHANGELOG | 2 | ||||
-rwxr-xr-x | activerecord/lib/active_record/base.rb | 11 | ||||
-rwxr-xr-x | activerecord/test/base_test.rb | 7 |
3 files changed, 17 insertions, 3 deletions
diff --git a/activerecord/CHANGELOG b/activerecord/CHANGELOG
index 65174cb1b8..81083fc24c 100644
--- a/activerecord/CHANGELOG
+++ b/activerecord/CHANGELOG
@@ -1,5 +1,7 @@
 *SVN*
+* Added mass-assignment protection for the inheritance column -- regardless of a custom column is used or not
+
 * Fixed that association proxies would fail === tests like PremiumSubscription === @account.subscription
 * Fixed that column aliases didn't work as expected with the new MySql411 driver #507 [Demetrius]
diff --git a/activerecord/lib/active_record/base.rb b/activerecord/lib/active_record/base.rb
index bae91da22d..8ae636afbb 100755
--- a/activerecord/lib/active_record/base.rb
+++ b/activerecord/lib/active_record/base.rb
@@ -1098,14 +1098,19 @@ module ActiveRecord #:nodoc:
 def remove_attributes_protected_from_mass_assignment(attributes)
 if self.class.accessible_attributes.nil? && self.class.protected_attributes.nil?
- attributes.reject { |key, value| key == self.class.primary_key }
+ attributes.reject { |key, value| attributes_protected_by_default.include?(key) }
 elsif self.class.protected_attributes.nil?
- attributes.reject { |key, value| !self.class.accessible_attributes.include?(key.intern) || key == self.class.primary_key }
+ attributes.reject { |key, value| !self.class.accessible_attributes.include?(key.intern) || attributes_protected_by_default.include?(key) }
 elsif self.class.accessible_attributes.nil?
- attributes.reject { |key, value| self.class.protected_attributes.include?(key.intern) || key == self.class.primary_key }
+ attributes.reject { |key, value| self.class.protected_attributes.include?(key.intern) || attributes_protected_by_default.include?(key) }
 end
 end
+ # The primary key and inheritance column can never be set by mass-assignment for security reasons.
+ def attributes_protected_by_default
+ [ self.class.primary_key, self.class.inheritance_column ]
+ end
+
 # Returns copy of the attributes hash where all the values have been safely quoted for use in
 # an SQL statement.
 def attributes_with_quotes(include_primary_key = true)
diff --git a/activerecord/test/base_test.rb b/activerecord/test/base_test.rb
index da9daa6398..c5a6b7d656 100755
--- a/activerecord/test/base_test.rb
+++ b/activerecord/test/base_test.rb
@@ -383,6 +383,13 @@ class BasicsTest < Test::Unit::TestCase
 assert_equal 1, firm.rating
 end
+ def test_mass_assignment_protection_on_defaults
+ firm = Firm.new
+ firm.attributes = { "id" => 5, "type" => "Client" }
+ assert_nil firm.id
+ assert_equal "Firm", firm[:type]
+ end
+
 def test_mass_assignment_accessible
 reply = Reply.new("title" => "hello", "content" => "world", "approved" => 0)
 reply.save |
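Review bot: The three new `reject` blocks in remove_attributes_protected_from_mass_assignment compare the raw key against `attributes_protected_by_default`, while the accessible/protected checks on the same lines normalise the key with `key.intern`; if a caller can reach this method with symbol keys (`:id`, `:type`), the string-based `include?(key)` will not match them and the default guard is skipped — assuming keys are not stringified before this point, which the hunk does not show. Normalising in the same direction, `attributes_protected_by_default.include?(key.to_s)`, closes that gap for either key type, and for consistency the whole method could stringify once at the top rather than per branch. A lesser point of style: `attributes_protected_by_default` builds a fresh two-element array on every key, so hoisting it once before the `if` (`protected_by_default = attributes_protected_by_default`) avoids the repeated allocation and makes the three branches read alike. The comment on the new helper states the intent well; consider also noting there that it returns column names as strings, since that is what the comparison depends on.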
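Review bot: test_mass_assignment_protection_on_defaults only exercises string keys and the default `type` column, so neither the symbol-key path nor the custom inheritance column that the CHANGELOG entry explicitly claims is protected has coverage. If `attributes=` accepts symbol keys in this codebase, a second assignment `firm.attributes = { :id => 5, :type => "Client" }` followed by the same two assertions would pin the symbol case; a model in the test fixtures that uses a custom inheritance column (if one exists) should get the same check against its own column name. Asserting on `firm[:type]` with a symbol while assigning with the string `"type"` is fine but worth a one-line comment, since the distinction is exactly what the protection logic hinges on.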