Diffstat (limited to 'activemodel/test/cases/forbidden_attributes_protection_test.rb')
-rw-r--r--activemodel/test/cases/forbidden_attributes_protection_test.rb44
1 files changed, 44 insertions, 0 deletions
diff --git a/activemodel/test/cases/forbidden_attributes_protection_test.rb b/activemodel/test/cases/forbidden_attributes_protection_test.rb
new file mode 100644
index 0000000000..0fd0a2f8ee
--- /dev/null
+++ b/activemodel/test/cases/forbidden_attributes_protection_test.rb
@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+require "cases/helper"
+require "active_support/core_ext/hash/indifferent_access"
+require "models/account"
+
+class ProtectedParams
+ attr_accessor :permitted
+ alias :permitted? :permitted
+
+ delegate :keys, :key?, :has_key?, :empty?, to: :@parameters
+
+ def initialize(attributes)
+ @parameters = attributes
+ @permitted = false
+ end
+
+ def permit!
+ @permitted = true
+ self
+ end
+
+ def to_h
+ @parameters
+ end
+end
+
+class ActiveModelMassUpdateProtectionTest < ActiveSupport::TestCase
+ test "forbidden attributes cannot be used for mass updating" do
+ params = ProtectedParams.new("a" => "b")
+ assert_raises(ActiveModel::ForbiddenAttributesError) do
+ Account.new.sanitize_for_mass_assignment(params)
+ end
+ end
+
+ test "permitted attributes can be used for mass updating" do
+ params = ProtectedParams.new("a" => "b").permit!
+ assert_equal({ "a" => "b" }, Account.new.sanitize_for_mass_assignment(params))
+ end
+
+ test "regular attributes should still be allowed" do
+ assert_equal({ a: "b" }, Account.new.sanitize_for_mass_assignment(a: "b"))
+ end
+end
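Review bot: None of the three tests covers an unpermitted `ProtectedParams` with no keys, even though the double delegates `empty?`, `keys`, `key?` and `has_key?` to `@parameters`. Whether the guard raises for `ProtectedParams.new({})` is therefore left unpinned. That is the boundary case of a mass-assignment guard, so a fourth test stating the expected outcome explicitly would stop a later refactor from changing it silently. The last test would also benefit from a comment such as `# A plain Hash does not respond to permitted?, so it is returned without a permission check`. That reading is inferred from the tests, because the implementation of `sanitize_for_mass_assignment` is not part of this hunk.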