diff options
Diffstat (limited to 'activemodel/test/cases/forbidden_attributes_protection_test.rb')
-rw-r--r-- | activemodel/test/cases/forbidden_attributes_protection_test.rb | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/activemodel/test/cases/forbidden_attributes_protection_test.rb b/activemodel/test/cases/forbidden_attributes_protection_test.rb new file mode 100644 index 0000000000..0fd0a2f8ee --- /dev/null +++ b/activemodel/test/cases/forbidden_attributes_protection_test.rb @@ -0,0 +1,44 @@ +# frozen_string_literal: true + +require "cases/helper" +require "active_support/core_ext/hash/indifferent_access" +require "models/account" + +class ProtectedParams + attr_accessor :permitted + alias :permitted? :permitted + + delegate :keys, :key?, :has_key?, :empty?, to: :@parameters + + def initialize(attributes) + @parameters = attributes + @permitted = false + end + + def permit! + @permitted = true + self + end + + def to_h + @parameters + end +end + +class ActiveModelMassUpdateProtectionTest < ActiveSupport::TestCase + test "forbidden attributes cannot be used for mass updating" do + params = ProtectedParams.new("a" => "b") + assert_raises(ActiveModel::ForbiddenAttributesError) do + Account.new.sanitize_for_mass_assignment(params) + end + end + + test "permitted attributes can be used for mass updating" do + params = ProtectedParams.new("a" => "b").permit! + assert_equal({ "a" => "b" }, Account.new.sanitize_for_mass_assignment(params)) + end + + test "regular attributes should still be allowed" do + assert_equal({ a: "b" }, Account.new.sanitize_for_mass_assignment(a: "b")) + end +end |