From 0e0e774085c478a171894abfa95fff9475a4a826 Mon Sep 17 00:00:00 2001
From: Marcel Molina
Date: Wed, 12 Oct 2005 19:59:13 +0000
Subject: Protect id attribute from mass assigment even when the primary key is set to something else. Closes #2438.
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@2541 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
---
 activerecord/lib/active_record/base.rb | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
(limited to 'activerecord/lib')
diff --git a/activerecord/lib/active_record/base.rb b/activerecord/lib/active_record/base.rb
index dd0fe15b3f..16d9579ed0 100755
--- a/activerecord/lib/active_record/base.rb
+++ b/activerecord/lib/active_record/base.rb
@@ -508,7 +508,7 @@ module ActiveRecord #:nodoc:
 # customer.credit_rating = "Average"
 # customer.credit_rating # => "Average"
 def attr_protected(*attributes)
- write_inheritable_array("attr_protected", attributes)
+ write_inheritable_array("attr_protected", attributes - (protected_attributes || []))
 end
 # Returns an array of all the attributes that have been protected from mass-assignment.
@@ -521,7 +521,7 @@ module ActiveRecord #:nodoc:
 # protection. If you'd rather start from an all-open default and restrict attributes as needed, have a look at
 # attr_protected.
 def attr_accessible(*attributes)
- write_inheritable_array("attr_accessible", attributes)
+ write_inheritable_array("attr_accessible", attributes - (accessible_attributes || []))
 end
 # Returns an array of all the attributes that have been made accessible to mass-assignment.
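Review bot: The subtraction in `attributes - (protected_attributes || [])` only drops names that compare equal to entries already stored, so a name declared once as a symbol and once as a string is still recorded twice, and repeats inside a single call are kept; `attr_accessible` in the second hunk has the same shape. Neither hunk shows how the mass-assignment filter compares incoming keys against these lists, so if it matches one form only, a declaration written in the other form would be stored but protect nothing. I would document the expected form on both macros, for example (assuming the filter works on symbols) `# Attribute names must be passed as symbols, e.g. attr_protected :credit_rating`, or normalize to whichever form the filter uses before storing. The commit message also does not mention this de-duplication, which is separate from the `id` change it describes.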
@@ -1450,7 +1450,9 @@ module ActiveRecord #:nodoc:
 # The primary key and inheritance column can never be set by mass-assignment for security reasons.
 def attributes_protected_by_default
- [ self.class.primary_key, self.class.inheritance_column ]
+ default = [ self.class.primary_key, self.class.inheritance_column ]
+ default << 'id' unless self.class.primary_key.eql? 'id'
+ default
 end
 # Returns copy of the attributes hash where all the values have been safely quoted for use in
--
cgit v1.2.3
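Review bot: The comment above `attributes_protected_by_default` still names only the primary key and inheritance column, while the new body also returns `'id'` when the primary key is called something else; it should read along the lines of `# The primary key, the inheritance column and 'id' can never be set by mass-assignment for security reasons.` The reason is not visible in the hunk (presumably the `id=` writer targets the primary key whatever its column name), so a short why-comment on the `default << 'id'` line would help the next reader. The diffstat lists base.rb as the only file changed, so this security fix lands without a regression test; a case with a custom primary key that mass-assigns `id` and asserts the key is unchanged would pin the behaviour. As a smaller style point, `.eql? 'id'` would read more plainly as `== 'id'`.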