aboutsummaryrefslogtreecommitdiffstats
path: root/activemodel/test/cases/mass_assignment_security_test.rb
diff options
context:
space:
mode:
Diffstat (limited to 'activemodel/test/cases/mass_assignment_security_test.rb')
-rw-r--r--activemodel/test/cases/mass_assignment_security_test.rb52
1 files changed, 52 insertions, 0 deletions
diff --git a/activemodel/test/cases/mass_assignment_security_test.rb b/activemodel/test/cases/mass_assignment_security_test.rb
new file mode 100644
index 0000000000..0f7a38b0bc
--- /dev/null
+++ b/activemodel/test/cases/mass_assignment_security_test.rb
@@ -0,0 +1,52 @@
+require "cases/helper"
+require 'models/mass_assignment_specific'
+
+class MassAssignmentSecurityTest < ActiveModel::TestCase
+
+ def test_attribute_protection
+ user = User.new
+ expected = { "name" => "John Smith", "email" => "john@smith.com" }
+ sanitized = user.sanitize_for_mass_assignment(expected.merge("admin" => true))
+ assert_equal expected, sanitized
+ end
+
+ def test_attributes_accessible
+ user = Person.new
+ expected = { "name" => "John Smith", "email" => "john@smith.com" }
+ sanitized = user.sanitize_for_mass_assignment(expected.merge("super_powers" => true))
+ assert_equal expected, sanitized
+ end
+
+ def test_attributes_protected_by_default
+ firm = Firm.new
+ expected = { }
+ sanitized = firm.sanitize_for_mass_assignment({ "type" => "Client" })
+ assert_equal expected, sanitized
+ end
+
+ def test_mass_assignment_protection_inheritance
+ assert LoosePerson.accessible_attributes.blank?
+ assert_equal Set.new([ 'credit_rating', 'administrator']), LoosePerson.protected_attributes
+
+ assert LooseDescendant.accessible_attributes.blank?
+ assert_equal Set.new([ 'credit_rating', 'administrator', 'phone_number']), LooseDescendant.protected_attributes
+
+ assert LooseDescendantSecond.accessible_attributes.blank?
+ assert_equal Set.new([ 'credit_rating', 'administrator', 'phone_number', 'name']), LooseDescendantSecond.protected_attributes,
+ 'Running attr_protected twice in one class should merge the protections'
+
+ assert (TightPerson.protected_attributes - TightPerson.attributes_protected_by_default).blank?
+ assert_equal Set.new([ 'name', 'address' ]), TightPerson.accessible_attributes
+
+ assert (TightDescendant.protected_attributes - TightDescendant.attributes_protected_by_default).blank?
+ assert_equal Set.new([ 'name', 'address', 'phone_number' ]), TightDescendant.accessible_attributes
+ end
+
+ def test_mass_assignment_multiparameter_protector
+ task = Task.new
+ attributes = { "starting(1i)" => "2004", "starting(2i)" => "6", "starting(3i)" => "24" }
+ sanitized = task.sanitize_for_mass_assignment(attributes)
+ assert_equal sanitized, { }
+ end
+
+end \ No newline at end of file
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-29 11:30:27 +0000