diff options
| -rw-r--r-- | activerecord/CHANGELOG | 2 | ||||
| -rwxr-xr-x | activerecord/lib/active_record/base.rb | 2 | ||||
| -rwxr-xr-x | activerecord/test/base_test.rb | 12 |
3 files changed, 16 insertions, 0 deletions
diff --git a/activerecord/CHANGELOG b/activerecord/CHANGELOG index 0ae8cbdd93..945c2238df 100644 --- a/activerecord/CHANGELOG +++ b/activerecord/CHANGELOG @@ -1,5 +1,7 @@ *SVN* +* Raise an exception if both attr_protected and attr_accessible are declared. #8507 [stellsmi] + * SQLite, MySQL, PostgreSQL, Oracle: quote column names in column migration SQL statements. #8466 [marclove, lorenjohnson] * Allow nil serialized attributes with a set class constraint. #7293 [sandofsky] diff --git a/activerecord/lib/active_record/base.rb b/activerecord/lib/active_record/base.rb index 36775d74b5..931afa61ba 100755 --- a/activerecord/lib/active_record/base.rb +++ b/activerecord/lib/active_record/base.rb @@ -2164,6 +2164,8 @@ module ActiveRecord #:nodoc: attributes.reject { |key, value| !self.class.accessible_attributes.include?(key.gsub(/\(.+/, "").intern) || attributes_protected_by_default.include?(key.gsub(/\(.+/, "")) } elsif self.class.accessible_attributes.nil? attributes.reject { |key, value| self.class.protected_attributes.include?(key.gsub(/\(.+/,"").intern) || attributes_protected_by_default.include?(key.gsub(/\(.+/, "")) } + else + raise "Declare either attr_protected or attr_accessible for #{self.class}, but not both." end end diff --git a/activerecord/test/base_test.rb b/activerecord/test/base_test.rb index 3171e75bac..d74a7b82b5 100755 --- a/activerecord/test/base_test.rb +++ b/activerecord/test/base_test.rb @@ -53,6 +53,12 @@ class Task < ActiveRecord::Base attr_protected :starting end +class TopicWithProtectedContentAndAccessibleAuthorName < ActiveRecord::Base + self.table_name = 'topics' + attr_accessible :author_name + attr_protected :content +end + class BasicsTest < Test::Unit::TestCase fixtures :topics, :companies, :developers, :projects, :computers, :accounts @@ -771,6 +777,12 @@ class BasicsTest < Test::Unit::TestCase assert_raise(ActiveRecord::RecordInvalid) { reply.update_attributes!(:title => nil, :content => "Have a nice evening") } end + def test_mass_assignment_should_raise_exception_if_accessible_and_protected_attribute_writers_are_both_used + topic = TopicWithProtectedContentAndAccessibleAuthorName.new + assert_raises(RuntimeError) { topic.attributes = { "author_name" => "me" } } + assert_raises(RuntimeError) { topic.attributes = { "content" => "stuff" } } + end + def test_mass_assignment_protection firm = Firm.new firm.attributes = { "name" => "Next Angle", "rating" => 5 } |