diff options
Diffstat (limited to 'activemodel/test/cases')
-rw-r--r-- | activemodel/test/cases/mass_assignment_security_test.rb | 39 | ||||
-rw-r--r-- | activemodel/test/cases/secure_password_test.rb | 11 |
2 files changed, 39 insertions, 11 deletions
diff --git a/activemodel/test/cases/mass_assignment_security_test.rb b/activemodel/test/cases/mass_assignment_security_test.rb index f84e55e8d9..b22ce874ea 100644 --- a/activemodel/test/cases/mass_assignment_security_test.rb +++ b/activemodel/test/cases/mass_assignment_security_test.rb @@ -10,10 +10,27 @@ class MassAssignmentSecurityTest < ActiveModel::TestCase assert_equal expected, sanitized end + def test_only_moderator_scope_attribute_accessible + user = SpecialUser.new + expected = { "name" => "John Smith", "email" => "john@smith.com" } + sanitized = user.sanitize_for_mass_assignment(expected.merge("admin" => true), :moderator) + assert_equal expected, sanitized + + sanitized = user.sanitize_for_mass_assignment({ "name" => "John Smith", "email" => "john@smith.com", "admin" => true }) + assert_equal({}, sanitized) + end + def test_attributes_accessible user = Person.new expected = { "name" => "John Smith", "email" => "john@smith.com" } - sanitized = user.sanitize_for_mass_assignment(expected.merge("super_powers" => true)) + sanitized = user.sanitize_for_mass_assignment(expected.merge("admin" => true)) + assert_equal expected, sanitized + end + + def test_admin_scoped_attributes_accessible + user = Person.new + expected = { "name" => "John Smith", "email" => "john@smith.com", "admin" => true } + sanitized = user.sanitize_for_mass_assignment(expected.merge("super_powers" => true), :admin) assert_equal expected, sanitized end @@ -26,20 +43,30 @@ class MassAssignmentSecurityTest < ActiveModel::TestCase def test_mass_assignment_protection_inheritance assert_blank LoosePerson.accessible_attributes - assert_equal Set.new([ 'credit_rating', 'administrator']), LoosePerson.protected_attributes + assert_equal Set.new(['credit_rating', 'administrator']), LoosePerson.protected_attributes + + assert_blank LoosePerson.accessible_attributes + assert_equal Set.new(['credit_rating']), LoosePerson.protected_attributes(:admin) assert_blank LooseDescendant.accessible_attributes - assert_equal Set.new([ 'credit_rating', 'administrator', 'phone_number']), LooseDescendant.protected_attributes + assert_equal Set.new(['credit_rating', 'administrator', 'phone_number']), LooseDescendant.protected_attributes assert_blank LooseDescendantSecond.accessible_attributes - assert_equal Set.new([ 'credit_rating', 'administrator', 'phone_number', 'name']), LooseDescendantSecond.protected_attributes, + assert_equal Set.new(['credit_rating', 'administrator', 'phone_number', 'name']), LooseDescendantSecond.protected_attributes, 'Running attr_protected twice in one class should merge the protections' assert_blank TightPerson.protected_attributes - TightPerson.attributes_protected_by_default - assert_equal Set.new([ 'name', 'address' ]), TightPerson.accessible_attributes + assert_equal Set.new(['name', 'address']), TightPerson.accessible_attributes + + assert_blank TightPerson.protected_attributes(:admin) - TightPerson.attributes_protected_by_default + assert_equal Set.new(['name', 'address', 'admin']), TightPerson.accessible_attributes(:admin) assert_blank TightDescendant.protected_attributes - TightDescendant.attributes_protected_by_default - assert_equal Set.new([ 'name', 'address', 'phone_number' ]), TightDescendant.accessible_attributes + assert_equal Set.new(['name', 'address', 'phone_number']), TightDescendant.accessible_attributes + + assert_blank TightDescendant.protected_attributes(:admin) - TightDescendant.attributes_protected_by_default + assert_equal Set.new(['name', 'address', 'admin', 'super_powers']), TightDescendant.accessible_attributes(:admin) + end def test_mass_assignment_multiparameter_protector diff --git a/activemodel/test/cases/secure_password_test.rb b/activemodel/test/cases/secure_password_test.rb index c455cf57b3..6950c3be1f 100644 --- a/activemodel/test/cases/secure_password_test.rb +++ b/activemodel/test/cases/secure_password_test.rb @@ -45,13 +45,14 @@ class SecurePasswordTest < ActiveModel::TestCase end test "visitor#password_digest should be protected against mass assignment" do - assert Visitor.active_authorizer.kind_of?(ActiveModel::MassAssignmentSecurity::BlackList) - assert Visitor.active_authorizer.include?(:password_digest) + assert Visitor.active_authorizers[:default].kind_of?(ActiveModel::MassAssignmentSecurity::BlackList) + assert Visitor.active_authorizers[:default].include?(:password_digest) end test "Administrator's mass_assignment_authorizer should be WhiteList" do - assert Administrator.active_authorizer.kind_of?(ActiveModel::MassAssignmentSecurity::WhiteList) - assert !Administrator.active_authorizer.include?(:password_digest) - assert Administrator.active_authorizer.include?(:name) + active_authorizer = Administrator.active_authorizers[:default] + assert active_authorizer.kind_of?(ActiveModel::MassAssignmentSecurity::WhiteList) + assert !active_authorizer.include?(:password_digest) + assert active_authorizer.include?(:name) end end |