diff options
| -rw-r--r-- | activerecord/CHANGELOG.md | 5 | ||||
| -rw-r--r-- | activerecord/lib/active_record/associations/association.rb | 3 | ||||
| -rw-r--r-- | activerecord/test/cases/associations/has_many_associations_test.rb | 8 |
3 files changed, 15 insertions, 1 deletions
diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md index e3ed3780db..1a34ed441f 100644 --- a/activerecord/CHANGELOG.md +++ b/activerecord/CHANGELOG.md @@ -1,5 +1,10 @@ ## Rails 4.0.0 (unreleased) ## +* Prevent mass assignment to the type column of polymorphic associations when using `build` + Fix #8265 + + *Yves Senn* + * Deprecate calling `Relation#sum` with a block. To perform a calculation over the array result of the relation, use `to_a.sum(&block)`. diff --git a/activerecord/lib/active_record/associations/association.rb b/activerecord/lib/active_record/associations/association.rb index 99e7383d42..3f0e4ca999 100644 --- a/activerecord/lib/active_record/associations/association.rb +++ b/activerecord/lib/active_record/associations/association.rb @@ -232,7 +232,8 @@ module ActiveRecord def build_record(attributes) reflection.build_association(attributes) do |record| - attributes = create_scope.except(*(record.changed - [reflection.foreign_key])) + skip_assign = [reflection.foreign_key, reflection.type].compact + attributes = create_scope.except(*(record.changed - skip_assign)) record.assign_attributes(attributes) end end diff --git a/activerecord/test/cases/associations/has_many_associations_test.rb b/activerecord/test/cases/associations/has_many_associations_test.rb index 6cdc166533..2ded97582d 100644 --- a/activerecord/test/cases/associations/has_many_associations_test.rb +++ b/activerecord/test/cases/associations/has_many_associations_test.rb @@ -1579,6 +1579,14 @@ class HasManyAssociationsTest < ActiveRecord::TestCase assert_equal [tagging], post.taggings end + def test_build_with_polymotphic_has_many_does_not_allow_to_override_type_and_id + welcome = posts(:welcome) + tagging = welcome.taggings.build(:taggable_id => 99, :taggable_type => 'ShouldNotChange') + + assert_equal welcome.id, tagging.taggable_id + assert_equal 'Post', tagging.taggable_type + end + def test_dont_call_save_callbacks_twice_on_has_many firm = companies(:first_firm) contract = firm.contracts.create! |