From 6410c70f7caa5045e2f12ebd7aab8d8b6d3e6a0b Mon Sep 17 00:00:00 2001
From: bogdanvlviv <bogdanvlviv@gmail.com>
Date: Thu, 17 Jan 2019 20:10:01 +0000
Subject: Ensure that AR::Relation#exists? allows only permitted params

Clarify changelog entry
Related to #34891
---
 activerecord/test/cases/finder_test.rb               | 8 ++++++--
 activerecord/test/support/stubs/strong_parameters.rb | 8 +++++++-
 2 files changed, 13 insertions(+), 3 deletions(-)

(limited to 'activerecord/test')

diff --git a/activerecord/test/cases/finder_test.rb b/activerecord/test/cases/finder_test.rb
index 1c53362bac..b8ce11a791 100644
--- a/activerecord/test/cases/finder_test.rb
+++ b/activerecord/test/cases/finder_test.rb
@@ -226,11 +226,15 @@ class FinderTest < ActiveRecord::TestCase
   end
 
   def test_exists_with_strong_parameters
-    assert_equal false, Subscriber.exists?(Parameters.new(nick: "foo"))
+    assert_equal false, Subscriber.exists?(Parameters.new(nick: "foo").permit!)
 
     Subscriber.create!(nick: "foo")
 
-    assert_equal true, Subscriber.exists?(Parameters.new(nick: "foo"))
+    assert_equal true, Subscriber.exists?(Parameters.new(nick: "foo").permit!)
+
+    assert_raises(ActiveModel::ForbiddenAttributesError) do
+      Subscriber.exists?(Parameters.new(nick: "foo"))
+    end
   end
 
   def test_exists_passing_active_record_object_is_not_permitted
diff --git a/activerecord/test/support/stubs/strong_parameters.rb b/activerecord/test/support/stubs/strong_parameters.rb
index acba3a4504..84f93a28b9 100644
--- a/activerecord/test/support/stubs/strong_parameters.rb
+++ b/activerecord/test/support/stubs/strong_parameters.rb
@@ -3,10 +3,16 @@
 class Parameters
   def initialize(parameters = {})
     @parameters = parameters.with_indifferent_access
+    @permitted = false
   end
 
   def permitted?
-    true
+    @permitted
+  end
+
+  def permit!
+    @permitted = true
+    self
   end
 
   def to_h
-- 
cgit v1.2.3