From 09daaaa1e0481207c06416f909171d4f66bc0f6d Mon Sep 17 00:00:00 2001
From: Andrew White <andyw@pixeltrix.co.uk>
Date: Sat, 21 May 2011 16:28:11 +0100
Subject: Add support for passing mass assignment roles to dynamic finders.
 Closes #1170.

---
 .../lib/active_record/relation/finder_methods.rb   |  4 +-
 .../test/cases/mass_assignment_security_test.rb    | 48 ++++++++++++++++++++++
 2 files changed, 50 insertions(+), 2 deletions(-)

(limited to 'activerecord')

diff --git a/activerecord/lib/active_record/relation/finder_methods.rb b/activerecord/lib/active_record/relation/finder_methods.rb
index 475e4338ca..4659563f33 100644
--- a/activerecord/lib/active_record/relation/finder_methods.rb
+++ b/activerecord/lib/active_record/relation/finder_methods.rb
@@ -264,6 +264,7 @@ module ActiveRecord
     end
 
     def find_or_instantiator_by_attributes(match, attributes, *args)
+      options = args.size > 1 && args.last(2).all?{ |a| a.is_a?(Hash) } ? args.extract_options! : {}
       protected_attributes_for_create, unprotected_attributes_for_create = {}, {}
       args.each_with_index do |arg, i|
         if arg.is_a?(Hash)
@@ -278,8 +279,7 @@ module ActiveRecord
       record = where(conditions).first
 
       unless record
-        record = @klass.new do |r|
-          r.assign_attributes(protected_attributes_for_create)
+        record = @klass.new(protected_attributes_for_create, options) do |r|
           r.assign_attributes(unprotected_attributes_for_create, :without_protection => true)
         end
         yield(record) if block_given?
diff --git a/activerecord/test/cases/mass_assignment_security_test.rb b/activerecord/test/cases/mass_assignment_security_test.rb
index 765033852d..33737e12a8 100644
--- a/activerecord/test/cases/mass_assignment_security_test.rb
+++ b/activerecord/test/cases/mass_assignment_security_test.rb
@@ -239,6 +239,54 @@ class MassAssignmentSecurityTest < ActiveRecord::TestCase
     end
   end
 
+  def test_find_or_initialize_by_with_attr_accessible_attributes
+    p = TightPerson.find_or_initialize_by_first_name('Josh', attributes_hash)
+
+    assert_default_attributes(p)
+  end
+
+  def test_find_or_initialize_by_with_admin_role_with_attr_accessible_attributes
+    p = TightPerson.find_or_initialize_by_first_name('Josh', attributes_hash, :as => :admin)
+
+    assert_admin_attributes(p)
+  end
+
+  def test_find_or_initialize_by_with_attr_protected_attributes
+    p = LoosePerson.find_or_initialize_by_first_name('Josh', attributes_hash)
+
+    assert_default_attributes(p)
+  end
+
+  def test_find_or_initialize_by_with_admin_role_with_attr_protected_attributes
+    p = LoosePerson.find_or_initialize_by_first_name('Josh', attributes_hash, :as => :admin)
+
+    assert_admin_attributes(p)
+  end
+
+  def test_find_or_create_by_with_attr_accessible_attributes
+    p = TightPerson.find_or_create_by_first_name('Josh', attributes_hash)
+
+    assert_default_attributes(p, true)
+  end
+
+  def test_find_or_create_by_with_admin_role_with_attr_accessible_attributes
+    p = TightPerson.find_or_create_by_first_name('Josh', attributes_hash, :as => :admin)
+
+    assert_admin_attributes(p, true)
+  end
+
+  def test_find_or_create_by_with_attr_protected_attributes
+    p = LoosePerson.find_or_create_by_first_name('Josh', attributes_hash)
+
+    assert_default_attributes(p, true)
+  end
+
+  def test_find_or_create_by_with_admin_role_with_attr_protected_attributes
+    p = LoosePerson.find_or_create_by_first_name('Josh', attributes_hash, :as => :admin)
+
+    assert_admin_attributes(p, true)
+  end
+
 end
 
 
-- 
cgit v1.2.3