From b93a918337e99c3fe3ad059f093b1ee56b9e6a7d Mon Sep 17 00:00:00 2001 From: Bogdan Gusiev Date: Thu, 28 Jul 2011 11:56:08 +0300 Subject: MassAssignmentProtection: consider 'id' insensetive in StrictSanitizer In order to use StrictSanitizer in test mode Consider :id as not sensetive attribute that can be filtered from mass assignement without exception. --- .../test/cases/mass_assignment_security/sanitizer_test.rb | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'activemodel/test/cases/mass_assignment_security') diff --git a/activemodel/test/cases/mass_assignment_security/sanitizer_test.rb b/activemodel/test/cases/mass_assignment_security/sanitizer_test.rb index 62a6ec9c9b..676937b5e1 100644 --- a/activemodel/test/cases/mass_assignment_security/sanitizer_test.rb +++ b/activemodel/test/cases/mass_assignment_security/sanitizer_test.rb @@ -7,7 +7,7 @@ class SanitizerTest < ActiveModel::TestCase class Authorizer < ActiveModel::MassAssignmentSecurity::PermissionSet def deny?(key) - key.in?(['admin']) + ['admin', 'id'].include?(key) end end @@ -40,4 +40,12 @@ class SanitizerTest < ActiveModel::TestCase end end + test "mass assignment insensitive attributes" do + original_attributes = {'id' => 1, 'first_name' => 'allowed'} + + assert_nothing_raised do + @strict_sanitizer.sanitize(original_attributes, @authorizer) + end + end + end -- cgit v1.2.3