@@ -1,5 +1,6 @@ == master +* Add mass-assignment protection in the Message/MessageRecipient models * Change how the base module is included to prevent namespacing conflicts == 0.1.3 / 2008-09-07 CHANGELOG.rdoc @@ -33,6 +33,10 @@ class Message < ActiveRecord::Base :sender_id, :sender_type + attr_accessible :subject, + :body, + :to, :cc, :bcc + after_save :update_recipients named_scope :visible, app/models/message.rb @@ -31,6 +31,10 @@ class MessageRecipient < ActiveRecord::Base :receiver_id, :receiver_type + attr_protected :state, + :position, + :hidden_at + before_create :set_position before_destroy :reorder_positions app/models/message_recipient.rb @@ -13,12 +13,16 @@ module Factory def valid_attributes_for(model, attributes = {}) name = model.to_s.underscore send("#{name}_attributes", attributes) + attributes.stringify_keys! attributes end # Build an unsaved record def new_record(model, *args) - model.new(valid_attributes_for(model, *args)) + attributes = valid_attributes_for(model, *args) + record = model.new(attributes) + attributes.each {|attr, value| record.send("#{attr}=", value) if model.accessible_attributes && !model.accessible_attributes.include?(attr) || model.protected_attributes && model.protected_attributes.include?(attr)} + record end # Build and save/reload a record test/factory.rb @@ -75,6 +75,28 @@ class MesageRecipientTest < Test::Unit::TestCase recipient = new_message_recipient(:position => nil) assert recipient.valid? end + + def test_should_protect_attributes_from_mass_assignment + recipient = MessageRecipient.new( + :id => 1, + :message_id => 1, + :receiver_id => 1, + :receiver_type => 'User', + :kind => 'bcc', + :position => 10, + :state => 'read', + :hidden_at => Time.now + ) + + assert_nil recipient.id + assert_equal 1, recipient.message_id + assert_equal 1, recipient.receiver_id + assert_equal 'User', recipient.receiver_type + assert_equal 'bcc', recipient.kind + assert_nil recipient.position + assert_equal 'unread', recipient.state + assert_nil recipient.hidden_at + end end class MessageRecipientAfterBeingCreatedTest < Test::Unit::TestCase test/unit/message_recipient_test.rb @@ -60,6 +60,32 @@ class MessageTest < Test::Unit::TestCase message = new_message(:body => nil) assert message.valid? end + + def test_should_protect_attributes_from_mass_assignment + message = Message.new( + :id => 1, + :sender_id => 1, + :sender_type => 'User', + :subject => 'New features', + :body => 'Find out more!', + :to => [1, 2], + :cc => [3, 4], + :bcc => [5, 6], + :state => 'sent', + :hidden_at => Time.now + ) + + assert_nil message.id + assert_nil message.sender_id + assert message.sender_type.blank? + assert_equal 'New features', message.subject + assert_equal 'Find out more!', message.body + assert_equal [1, 2], message.to + assert_equal [3, 4], message.cc + assert_equal [5, 6], message.bcc + assert_equal 'unsent', message.state + assert_nil message.hidden_at + end end class MessageBeforeBeingCreatedTest < Test::Unit::TestCase test/unit/message_test.rb abbf596d1f266cd60e9b7d762269b84236cb27a6 Aaron Pfeifer aaron.pfeifer@gmail.com http://github.com/pluginaweek/has_messages/commit/543f87a4b94b409d2aef13edd155d1e5a6d41d99 543f87a4b94b409d2aef13edd155d1e5a6d41d99 2008-10-26T08:32:42-07:00 2008-10-26T08:32:42-07:00 Add mass-assignment protection in the Message/MessageRecipient models Update Factory helpers to handle protected attributes fd42a54a355345fa511347a00097d1dde513eb0b Aaron Pfeifer aaron.pfeifer@gmail.com