@@ -5,6 +5,8 @@ class Comment < ActiveRecord::Base before_save :auto_approve before_save :apply_filter + attr_accessible :author, :author_email, :author_url, :filter_id, :content + def self.per_page 50 end app/models/comment.rb @@ -35,4 +35,18 @@ class CommentTest < Test::Unit::TestCase {:controller => "admin/comments", :action => "index", :format => 'csv', :page_id => "6"} end + def test_not_allowing_update_of_protected_attribs + @comment = Comment.create( + :author => "Evil Approve", + :author_email => "foo@bar.com", + :author_url => "http://www.test.com/", + :content => "Comment approved?", + :approved_at => Time.now, + :approved_by => 1 + ); + @comment = Comment.find_by_author('Evil Approve') + assert_nil(@comment.approved_at) + assert_nil(@comment.approved_by) + end + end test/unit/comment_test.rb 1439aaaee7106ee3f6d24471e43ff6a06b777e28 Martin Sadler mtsbtt@googlemail.com http://github.com/ntalbott/radiant-comments/commit/f4c1921c39ffc15f61657015fcda71f32aaaa4fd f4c1921c39ffc15f61657015fcda71f32aaaa4fd 2008-10-08T01:46:14-07:00 2008-10-08T01:46:14-07:00 security fix: protect from mass assignment 590519cf25fafa7f5b712bbda011700b20cfa22b Martin Sadler mtsbtt@googlemail.com