Add tests for attr_protected

test/apps/rails3/app/controllers/products_controller.rb

+class ProductsController < ApplicationController
+  # GET /products
+  # GET /products.xml
+  def index
+    @products = Product.all
+
+    respond_to do |format|
+      format.html # index.html.erb
+      format.xml  { render :xml => @products }
+    end
+  end
+
+  # GET /products/1
+  # GET /products/1.xml
+  def show
+    @product = Product.find(params[:id])
+
+    respond_to do |format|
+      format.html # show.html.erb
+      format.xml  { render :xml => @product }
+    end
+  end
+
+  # GET /products/new
+  # GET /products/new.xml
+  def new
+    @product = Product.new
+
+    respond_to do |format|
+      format.html # new.html.erb
+      format.xml  { render :xml => @product }
+    end
+  end
+
+  # GET /products/1/edit
+  def edit
+    @product = Product.find(params[:id])
+  end
+
+  # POST /products
+  # POST /products.xml
+  def create
+    @product = Product.new(params[:product])
+
+    respond_to do |format|
+      if @product.save
+        format.html { redirect_to(@product, :notice => 'Product was successfully created.') }
+        format.xml  { render :xml => @product, :status => :created, :location => @product }
+      else
+        format.html { render :action => "new" }
+        format.xml  { render :xml => @product.errors, :status => :unprocessable_entity }
+      end
+    end
+  end
+
+  # PUT /products/1
+  # PUT /products/1.xml
+  def update
+    @product = Product.find(params[:id])
+
+    respond_to do |format|
+      if @product.update_attributes(params[:product])
+        format.html { redirect_to(@product, :notice => 'Product was successfully updated.') }
+        format.xml  { head :ok }
+      else
+        format.html { render :action => "edit" }
+        format.xml  { render :xml => @product.errors, :status => :unprocessable_entity }
+      end
+    end
+  end
+
+  # DELETE /products/1
+  # DELETE /products/1.xml
+  def destroy
+    @product = Product.find(params[:id])
+    @product.destroy
+
+    respond_to do |format|
+      format.html { redirect_to(products_url) }
+      format.xml  { head :ok }
+    end
+  end
+end

test/apps/rails3/app/helpers/products_helper.rb

+module ProductsHelper
+end

test/apps/rails3/app/models/product.rb

+class Product < ActiveRecord::Base
+  attr_protected :price
+end

test/apps/rails3/app/views/products/_form.html.erb

+<%= form_for(@product) do |f| %>
+  <% if @product.errors.any? %>
+    <div id="error_explanation">
+      <h2><%= pluralize(@product.errors.count, "error") %> prohibited this product from being saved:</h2>
+
+      <ul>
+      <% @product.errors.full_messages.each do |msg| %>
+        <li><%= msg %></li>
+      <% end %>
+      </ul>
+    </div>
+  <% end %>
+
+  <div class="field">
+    <%= f.label :price %><br />
+    <%= f.text_field :price %>
+  </div>
+  <div class="actions">
+    <%= f.submit %>
+  </div>
+<% end %>

test/apps/rails3/app/views/products/edit.html.erb

+<h1>Editing product</h1>
+
+<%= render 'form' %>
+
+<%= link_to 'Show', @product %> |
+<%= link_to 'Back', products_path %>

test/apps/rails3/app/views/products/index.html.erb

+<h1>Listing products</h1>
+
+<table>
+  <tr>
+    <th>Price</th>
+    <th></th>
+    <th></th>
+    <th></th>
+  </tr>
+
+<% @products.each do |product| %>
+  <tr>
+    <td><%= product.price %></td>
+    <td><%= link_to 'Show', product %></td>
+    <td><%= link_to 'Edit', edit_product_path(product) %></td>
+    <td><%= link_to 'Destroy', product, :confirm => 'Are you sure?', :method => :delete %></td>
+  </tr>
+<% end %>
+</table>
+
+<br />
+
+<%= link_to 'New Product', new_product_path %>

test/apps/rails3/app/views/products/new.html.erb

+<h1>New product</h1>
+
+<%= render 'form' %>
+
+<%= link_to 'Back', products_path %>

test/apps/rails3/app/views/products/show.html.erb

+<p id="notice"><%= notice %></p>
+
+<p>
+  <b>Price:</b>
+  <%= @product.price %>
+</p>
+
+
+<%= link_to 'Edit', edit_product_path(@product) %> |
+<%= link_to 'Back', products_path %>

test/apps/rails3/config/routes.rb

 Rails3::Application.routes.draw do
+  resources :products
+
   get "other/test_locals"
 
   get "other/test_object"

test/tests/test_rails3.rb

@@ -13,9 +13,9 @@ class Rails3Tests < Test::Unit::TestCase
   def expected
     @expected ||= {
       :controller => 1,
-      :model => 4,
+      :model => 5,
       :template => 18,
-      :warning => 18
+      :warning => 21
     }
   end
 
@@ -77,6 +77,24 @@ class Rails3Tests < Test::Unit::TestCase
       :file => /home_controller\.rb/
   end
 
+  def test_protected_mass_assignment
+    assert_warning :type => :warning,
+      :warning_type => "Mass Assignment",
+      :line => 43,
+      :message => /^Unprotected mass assignment near line 43: Product.new/,
+      :confidence => 2,
+      :file => /products_controller\.rb/
+  end
+
+  def test_protected_mass_assignment_update
+    assert_warning :type => :warning,
+      :warning_type => "Mass Assignment",
+      :line => 62,
+      :message => /^Unprotected mass assignment near line 62: Product.find/,
+      :confidence => 2,
+      :file => /products_controller\.rb/
+  end
+
   def test_redirect
     assert_warning :type => :warning,
       :warning_type => "Redirect",
@@ -86,6 +104,15 @@ class Rails3Tests < Test::Unit::TestCase
       :file => /home_controller\.rb/
   end
 
+  def test_redirect_to_model
+    assert_warning :type => :warning,
+      :warning_type => "Redirect",
+      :line => 63,
+      :message => /^Possible unprotected redirect near line 63: redirect_to/,
+      :confidence => 2,
+      :file => /products_controller\.rb/
+  end
+
   def test_render_path
     assert_warning :type => :warning,
       :warning_type => "Dynamic Render Path",
@@ -147,6 +174,14 @@ class Rails3Tests < Test::Unit::TestCase
       :file => /account, user\.rb/
   end
 
+  def test_attr_protected
+    assert_warning :type => :model,
+      :warning_type => "Attribute Restriction",
+      :message => /^attr_accessible is recommended over attr_protected/,
+      :confidence => 2,
+      :file => /product\.rb/
+  end
+
   def test_format_validation
     assert_warning :type => :model,
       :warning_type => "Format Validation",
@@ -391,7 +426,7 @@ class Rails3Tests < Test::Unit::TestCase
 
   def test_default_routes
     assert_warning :warning_type => "Default Routes",
-      :line => 93,
+      :line => 95,
       :message => /All public methods in controllers are available as actions/,
       :file => /routes\.rb/
   end
@@ -420,4 +455,3 @@ class Rails3Tests < Test::Unit::TestCase
       :file => /Gemfile/
   end
 end
-