From 95454bfb33a9b29703dbbf04d1a71d06a68ae787 Mon Sep 17 00:00:00 2001
From: David Heinemeier Hansson
Date: Sun, 23 Jan 2005 17:24:54 +0000
Subject: Added mass-assignment protection for the inheritance column -- regardless of a custom column is used or not

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@477 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
---
 activerecord/lib/active_record/base.rb | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
(limited to 'activerecord/lib/active_record')
diff --git a/activerecord/lib/active_record/base.rb b/activerecord/lib/active_record/base.rb
index bae91da22d..8ae636afbb 100755
--- a/activerecord/lib/active_record/base.rb
+++ b/activerecord/lib/active_record/base.rb
@@ -1098,14 +1098,19 @@ module ActiveRecord #:nodoc:
 
 def remove_attributes_protected_from_mass_assignment(attributes)
 if self.class.accessible_attributes.nil? && self.class.protected_attributes.nil?
- attributes.reject { |key, value| key == self.class.primary_key }
+ attributes.reject { |key, value| attributes_protected_by_default.include?(key) }
 elsif self.class.protected_attributes.nil?
- attributes.reject { |key, value| !self.class.accessible_attributes.include?(key.intern) || key == self.class.primary_key }
+ attributes.reject { |key, value| !self.class.accessible_attributes.include?(key.intern) || attributes_protected_by_default.include?(key) }
 elsif self.class.accessible_attributes.nil?
- attributes.reject { |key, value| self.class.protected_attributes.include?(key.intern) || key == self.class.primary_key }
+ attributes.reject { |key, value| self.class.protected_attributes.include?(key.intern) || attributes_protected_by_default.include?(key) }
 end
 end
 
+ # The primary key and inheritance column can never be set by mass-assignment for security reasons.
+ def attributes_protected_by_default
+ [ self.class.primary_key, self.class.inheritance_column ]
+ end
+
 # Returns copy of the attributes hash where all the values have been safely quoted for use in
 # an SQL statement.
 def attributes_with_quotes(include_primary_key = true)
-- 
cgit v1.2.3
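Review bot: The default protection in the three new `reject` blocks compares `key` directly against the values returned by `primary_key` and `inheritance_column`, while the neighbouring `key.intern` calls show the keys are expected to be strings; if a caller ever hands this method symbol keys, `:type` would not equal `"type"` and the inheritance column would slip past the check. Normalising the key, `attributes_protected_by_default.include?(key.to_s)`, in all three branches closes that gap regardless of key type (the same applies to the `primary_key` comparison the commit replaces). The comment on `attributes_protected_by_default` could also state that the list is matched against string attribute keys, and since the array is rebuilt for every key examined, it is worth computing it once before the `if`, e.g. `protected = attributes_protected_by_default`. `remove_attributes_protected_from_mass_assignment` lies entirely within the hunk, but the `attributes=` caller that supplies the keys does not.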