From e1a882a15b71435ec82a596978429b34d4c73ac5 Mon Sep 17 00:00:00 2001
From: Jean Boussier <jean.boussier@gmail.com>
Date: Sun, 4 Mar 2012 14:20:13 +0100
Subject: Fix #5069 - Protect foreign key from mass assignment throught
 association builder

---
 activerecord/lib/active_record/associations/association.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'activerecord/lib/active_record/associations')

diff --git a/activerecord/lib/active_record/associations/association.rb b/activerecord/lib/active_record/associations/association.rb
index 7887d59aad..59c1bad559 100644
--- a/activerecord/lib/active_record/associations/association.rb
+++ b/activerecord/lib/active_record/associations/association.rb
@@ -231,7 +231,8 @@ module ActiveRecord
 
         def build_record(attributes, options)
           reflection.build_association(attributes, options) do |record|
-            record.assign_attributes(create_scope.except(*record.changed), :without_protection => true)
+            attributes = create_scope.except(*(record.changed - [reflection.foreign_key]))
+            record.assign_attributes(attributes, :without_protection => true)
           end
         end
     end
-- 
cgit v1.2.3