From e1a882a15b71435ec82a596978429b34d4c73ac5 Mon Sep 17 00:00:00 2001
From: Jean Boussier <jean.boussier@gmail.com>
Date: Sun, 4 Mar 2012 14:20:13 +0100
Subject: Fix #5069 - Protect foreign key from mass assignment throught
 association builder

---
 .../lib/active_record/associations/association.rb  |  3 ++-
 .../associations/has_many_associations_test.rb     | 22 ++++++++++++++++++++++
 .../associations/has_one_associations_test.rb      | 16 ++++++++++++++++
 3 files changed, 40 insertions(+), 1 deletion(-)

diff --git a/activerecord/lib/active_record/associations/association.rb b/activerecord/lib/active_record/associations/association.rb
index 7887d59aad..59c1bad559 100644
--- a/activerecord/lib/active_record/associations/association.rb
+++ b/activerecord/lib/active_record/associations/association.rb
@@ -231,7 +231,8 @@ module ActiveRecord
 
         def build_record(attributes, options)
           reflection.build_association(attributes, options) do |record|
-            record.assign_attributes(create_scope.except(*record.changed), :without_protection => true)
+            attributes = create_scope.except(*(record.changed - [reflection.foreign_key]))
+            record.assign_attributes(attributes, :without_protection => true)
           end
         end
     end
diff --git a/activerecord/test/cases/associations/has_many_associations_test.rb b/activerecord/test/cases/associations/has_many_associations_test.rb
index 0b03844d50..ead8eaf342 100644
--- a/activerecord/test/cases/associations/has_many_associations_test.rb
+++ b/activerecord/test/cases/associations/has_many_associations_test.rb
@@ -130,6 +130,28 @@ class HasManyAssociationsTest < ActiveRecord::TestCase
     assert_equal car.id, bulb.car_id
   end
 
+  def test_association_protect_foreign_key
+    invoice = Invoice.create
+
+    line_item = invoice.line_items.new
+    assert_equal invoice.id, line_item.invoice_id
+
+    line_item = invoice.line_items.new :invoice_id => invoice.id + 1
+    assert_equal invoice.id, line_item.invoice_id
+
+    line_item = invoice.line_items.build
+    assert_equal invoice.id, line_item.invoice_id
+
+    line_item = invoice.line_items.build :invoice_id => invoice.id + 1
+    assert_equal invoice.id, line_item.invoice_id
+
+    line_item = invoice.line_items.create
+    assert_equal invoice.id, line_item.invoice_id
+
+    line_item = invoice.line_items.create :invoice_id => invoice.id + 1
+    assert_equal invoice.id, line_item.invoice_id
+  end
+
   def test_association_conditions_bypass_attribute_protection
     car = Car.create(:name => 'honda')
 
diff --git a/activerecord/test/cases/associations/has_one_associations_test.rb b/activerecord/test/cases/associations/has_one_associations_test.rb
index 26931e3e85..3ce87df126 100644
--- a/activerecord/test/cases/associations/has_one_associations_test.rb
+++ b/activerecord/test/cases/associations/has_one_associations_test.rb
@@ -397,6 +397,22 @@ class HasOneAssociationsTest < ActiveRecord::TestCase
     assert_equal car.id, bulb.car_id
   end
 
+  def test_association_protect_foreign_key
+    pirate = Pirate.create!(:catchphrase => "Don' botharrr talkin' like one, savvy?")
+
+    ship = pirate.build_ship
+    assert_equal pirate.id, ship.pirate_id
+
+    ship = pirate.build_ship :pirate_id => pirate.id + 1
+    assert_equal pirate.id, ship.pirate_id
+
+    ship = pirate.create_ship
+    assert_equal pirate.id, ship.pirate_id
+
+    ship = pirate.create_ship :pirate_id => pirate.id + 1
+    assert_equal pirate.id, ship.pirate_id
+  end
+
   def test_association_conditions_bypass_attribute_protection
     car = Car.create(:name => 'honda')
 
-- 
cgit v1.2.3