require "cases/helper" require 'models/company' require 'models/subscriber' require 'models/keyboard' require 'models/task' require 'models/person' class MassAssignmentSecurityTest < ActiveRecord::TestCase def test_customized_primary_key_remains_protected subscriber = Subscriber.new(:nick => 'webster123', :name => 'nice try') assert_nil subscriber.id keyboard = Keyboard.new(:key_number => 9, :name => 'nice try') assert_nil keyboard.id end def test_customized_primary_key_remains_protected_when_referred_to_as_id subscriber = Subscriber.new(:id => 'webster123', :name => 'nice try') assert_nil subscriber.id keyboard = Keyboard.new(:id => 9, :name => 'nice try') assert_nil keyboard.id end def test_mass_assigning_invalid_attribute firm = Firm.new assert_raise(ActiveRecord::UnknownAttributeError) do firm.attributes = { "id" => 5, "type" => "Client", "i_dont_even_exist" => 20 } end end def test_assign_attributes_uses_default_scope_when_no_scope_is_provided p = LoosePerson.new p.assign_attributes(attributes_hash) assert_equal nil, p.id assert_equal 'Josh', p.first_name assert_equal 'male', p.gender assert_equal nil, p.comments end def test_assign_attributes_skips_mass_assignment_security_protection_when_without_protection_is_used p = LoosePerson.new p.assign_attributes(attributes_hash, :without_protection => true) assert_equal 5, p.id assert_equal 'Josh', p.first_name assert_equal 'male', p.gender assert_equal 'rides a sweet bike', p.comments end def test_assign_attributes_with_default_scope_and_attr_protected_attributes p = LoosePerson.new p.assign_attributes(attributes_hash, :as => :default) assert_equal nil, p.id assert_equal 'Josh', p.first_name assert_equal 'male', p.gender assert_equal nil, p.comments end def test_assign_attributes_with_admin_scope_and_attr_protected_attributes p = LoosePerson.new p.assign_attributes(attributes_hash, :as => :admin) assert_equal nil, p.id assert_equal 'Josh', p.first_name assert_equal 'male', p.gender assert_equal 'rides a sweet bike', p.comments end def test_assign_attributes_with_default_scope_and_attr_accessible_attributes p = TightPerson.new p.assign_attributes(attributes_hash, :as => :default) assert_equal nil, p.id assert_equal 'Josh', p.first_name assert_equal 'male', p.gender assert_equal nil, p.comments end def test_assign_attributes_with_admin_scope_and_attr_accessible_attributes p = TightPerson.new p.assign_attributes(attributes_hash, :as => :admin) assert_equal nil, p.id assert_equal 'Josh', p.first_name assert_equal 'male', p.gender assert_equal 'rides a sweet bike', p.comments end def test_protection_against_class_attribute_writers [:logger, :configurations, :primary_key_prefix_type, :table_name_prefix, :table_name_suffix, :pluralize_table_names, :default_timezone, :schema_format, :lock_optimistically, :record_timestamps].each do |method| assert_respond_to Task, method assert_respond_to Task, "#{method}=" assert_respond_to Task.new, method assert !Task.new.respond_to?("#{method}=") end end private def attributes_hash { :id => 5, :first_name => 'Josh', :gender => 'male', :comments => 'rides a sweet bike' } end end