Protect id attribute from mass assigment even when the primary key is set to...

Protect id attribute from mass assigment even when the primary key is set to something else. Closes #2438. git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@2541 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

Protect id attribute from mass assigment even when the primary key is set to...
Protect id attribute from mass assigment even when the primary key is set to something else. Closes #2438. git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@2541 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
0e0e7740 · Marcel Molina · f0b2b637 · 0e0e7740 · 0e0e7740 · 0e0e7740
Showing with 25 addition and 3 deletion

activerecord/CHANGELOG activerecord/CHANGELOG +2 -0

activerecord/lib/active_record/base.rb activerecord/lib/active_record/base.rb +5 -3

activerecord/test/base_test.rb activerecord/test/base_test.rb +18 -0

未找到文件。
--- a/activerecord/CHANGELOG
+++ b/activerecord/CHANGELOG
 *SVN*

+* Protect id attribute from mass assigment even when the primary key is set to something else. #2438. [Blair Zajac <blair@orcaware.com>]
+
 * Misc doc fixes (typos/grammar/etc.). #2430. [coffee2code]

 * Add test coverage for content_columns. #2432. [coffee2code]

--- a/activerecord/lib/active_record/base.rb
+++ b/activerecord/lib/active_record/base.rb
@@ -508,7 +508,7 @@ def decrement_counter(counter_name, id)
      #   customer.credit_rating = "Average"
      #   customer.credit_rating # => "Average"
      def attr_protected(*attributes)
-        write_inheritable_array("attr_protected", attributes)
+        write_inheritable_array("attr_protected", attributes - (protected_attributes || []))
      end

      # Returns an array of all the attributes that have been protected from mass-assignment.
@@ -521,7 +521,7 @@ def protected_attributes # :nodoc:
      # protection. If you'd rather start from an all-open default and restrict attributes as needed, have a look at
      # attr_protected.
      def attr_accessible(*attributes)
-        write_inheritable_array("attr_accessible", attributes)
+        write_inheritable_array("attr_accessible", attributes - (accessible_attributes || []))
      end

      # Returns an array of all the attributes that have been made accessible to mass-assignment.
@@ -1450,7 +1450,9 @@ def remove_attributes_protected_from_mass_assignment(attributes)

      # The primary key and inheritance column can never be set by mass-assignment for security reasons.
      def attributes_protected_by_default
-        [ self.class.primary_key, self.class.inheritance_column ]
+        default = [ self.class.primary_key, self.class.inheritance_column ]
+        default << 'id' unless self.class.primary_key.eql? 'id'
+        default
      end

      # Returns copy of the attributes hash where all the values have been safely quoted for use in

--- a/activerecord/test/base_test.rb
+++ b/activerecord/test/base_test.rb
@@ -7,6 +7,8 @@
 require 'fixtures/default'
 require 'fixtures/auto_id'
 require 'fixtures/column_name'
+require 'fixtures/subscriber'
+require 'fixtures/keyboard'

 class Category < ActiveRecord::Base; end
 class Smarts < ActiveRecord::Base; end
@@ -526,6 +528,22 @@ def test_mass_assignment_protection
    firm.attributes = { "name" => "Next Angle", "rating" => 5 }
    assert_equal 1, firm.rating
  end
+
+  def test_customized_primary_key_remains_protected
+    subscriber = Subscriber.new(:nick => 'webster123', :name => 'nice try')
+    assert_nil subscriber.id
+
+    keyboard = Keyboard.new(:key_number => 9, :name => 'nice try')
+    assert_nil keyboard.id
+  end
+
+  def test_customized_primary_key_remains_protected_when_refered_to_as_id
+    subscriber = Subscriber.new(:id => 'webster123', :name => 'nice try')
+    assert_nil subscriber.id
+
+    keyboard = Keyboard.new(:id => 9, :name => 'nice try')
+    assert_nil keyboard.id
+  end
  
  def test_mass_assignment_protection_on_defaults
    firm = Firm.new