1 files changed, 63 insertions, 0 deletions

diff --git a/activerecord/test/cases/forbidden_attributes_protection_test.rb b/activerecord/test/cases/forbidden_attributes_protection_test.rb
new file mode 100644
index 0000000000..cf462297ef
--- /dev/null
+++ b/activerecord/test/cases/forbidden_attributes_protection_test.rb
@@ -0,0 +1,63 @@
+require 'cases/helper'
+require 'active_support/core_ext/hash/indifferent_access'
+require 'models/person'
+
+class ProtectedParams < ActiveSupport::HashWithIndifferentAccess
+  attr_accessor :permitted
+  alias :permitted? :permitted
+
+  def initialize(attributes)
+    super(attributes)
+    @permitted = false
+  end
+
+  def permit!
+    @permitted = true
+    self
+  end
+
+  def dup
+    super.tap do |duplicate|
+      duplicate.instance_variable_set :@permitted, @permitted
+    end
+  end
+end
+
+class ForbiddenAttributesProtectionTest < ActiveRecord::TestCase
+  def test_forbidden_attributes_cannot_be_used_for_mass_assignment
+    params = ProtectedParams.new(first_name: 'Guille', gender: 'm')
+    assert_raises(ActiveModel::ForbiddenAttributes) do
+      Person.new(params)
+    end
+  end
+
+  def test_permitted_attributes_can_be_used_for_mass_assignment
+    params = ProtectedParams.new(first_name: 'Guille', gender: 'm')
+    params.permit!
+    assert_nothing_raised do
+      person = Person.new(params)
+
+      assert_equal 'Guille', person.first_name
+      assert_equal 'm', person.gender
+    end
+  end
+
+  def test_regular_hash_should_still_be_used_for_mass_assignment
+    assert_nothing_raised do
+      person = Person.new(first_name: 'Guille', gender: 'm')
+
+      assert_equal 'Guille', person.first_name
+      assert_equal 'm', person.gender
+    end
+  end
+
+  def test_protected_attributes_cannot_be_used_for_mass_assignment
+    params = ProtectedParams.new(id: 1, first_name: 'Guille', gender: 'm')
+    params.permit!
+    person = Person.new(params)
+
+    assert_equal 'Guille', person.first_name
+    assert_equal 'm', person.gender
+    assert_not_equal 1, person.id
+  end
+end