Add attr_accessible to all models (for Rails 3.2 compatibility) and p…

…rotect Survey#acesss_code, #active_at, #inactive_at, ResponseSet#access_code, #started_at, #completed_at, as well as (on all models that have them) #api_id, #created_at, #modified_at. See http://weblog.rubyonrails.org/2012/3/30/ann-rails-3-2-3-has-been-released/ Closes #302. Changes #263.

lib/surveyor/models/answer_methods.rb

@@ -20,6 +20,9 @@ def self.included(base)
           # base.send :validates_numericality_of, :question_id, :allow_nil => false, :only_integer => true
           @@validations_already_included = true
         end
+
+        # Whitelisting attributes
+        base.send :attr_accessible, :question, :question_id, :text, :short_text, :help_text, :weight, :response_class, :reference_identifier, :data_export_identifier, :common_namespace, :common_identifier, :display_order, :is_exclusive, :display_length, :custom_class, :custom_renderer, :default_value, :display_type
       end
 
       include RenderText      

lib/surveyor/models/dependency_condition_methods.rb

@@ -21,7 +21,10 @@ def self.included(base)
         end
 
         base.send :include, Surveyor::ActsAsResponse # includes "as" instance method
-
+
+        # Whitelisting attributes
+        base.send :attr_accessible, :dependency, :question, :answer, :dependency_id, :rule_key, :question_id, :operator, :answer_id, :datetime_value, :integer_value, :float_value, :unit, :text_value, :string_value, :response_other
+
         # Class methods
         base.instance_eval do
           def operators

lib/surveyor/models/dependency_methods.rb

@@ -18,6 +18,9 @@ def self.included(base)
           @@validations_already_included = true
         end
 
+        # Whitelisting attributes
+        base.send :attr_accessible, :question, :question_group, :question_id, :question_group_id, :rule
+
         # Attribute aliases
         base.send :alias_attribute, :dependent_question_id, :question_id
       end

lib/surveyor/models/question_group_methods.rb

@@ -7,6 +7,9 @@ def self.included(base)
         # Associations
         base.send :has_many, :questions
         base.send :has_one, :dependency
+
+        # Whitelisting attributes
+        base.send :attr_accessible, :text, :help_text, :reference_identifier, :data_export_identifier, :common_namespace, :common_identifier, :display_type, :custom_class, :custom_renderer
       end
 
       include RenderText

lib/surveyor/models/question_methods.rb

@@ -25,6 +25,9 @@ def self.included(base)
           @@validations_already_included = true
 
         end
+
+        # Whitelisting attributes
+        base.send :attr_accessible, :survey_section, :question_group, :survey_section_id, :question_group_id, :text, :short_text, :help_text, :pick, :reference_identifier, :data_export_identifier, :common_namespace, :common_identifier, :display_order, :display_type, :is_mandatory, :display_width, :custom_class, :custom_renderer, :correct_answer_id
       end
 
       include RenderText

lib/surveyor/models/response_methods.rb

@@ -19,6 +19,9 @@ def self.included(base)
         end
         base.send :include, Surveyor::ActsAsResponse # includes "as" instance method
 
+        # Whitelisting attributes
+        base.send :attr_accessible, :response_set, :question, :answer, :date_value, :time_value, :response_set_id, :question_id, :answer_id, :datetime_value, :integer_value, :float_value, :unit, :text_value, :string_value, :response_other, :response_group, :survey_section_id
+
         # Class methods
         base.instance_eval do
           def applicable_attributes(attrs)

lib/surveyor/models/response_set_methods.rb

@@ -24,6 +24,9 @@ def self.included(base)
 
         # Attributes
         base.send :attr_protected, :completed_at
+
+        # Whitelisting attributes
+        base.send :attr_accessible, :survey, :responses_attributes, :user_id, :survey_id
 
         # Class methods
         base.instance_eval do

lib/surveyor/models/survey_methods.rb

@@ -20,7 +20,10 @@ def self.included(base)
           base.send :validates_uniqueness_of, :access_code
 
           @@validations_already_included = true
-        end        
+        end
+
+        # Whitelisting attributes
+        base.send :attr_accessible, :title, :description, :reference_identifier, :data_export_identifier, :common_namespace, :common_identifier, :css_url, :custom_class, :display_order
 
         # Class methods
         base.instance_eval do

lib/surveyor/models/survey_section_methods.rb

@@ -19,6 +19,9 @@ def self.included(base)
 
           @@validations_already_included = true
         end
+
+        # Whitelisting attributes
+        base.send :attr_accessible, :survey, :survey_id, :title, :description, :reference_identifier, :data_export_identifier, :common_namespace, :common_identifier, :display_order, :custom_class
       end
 
       # Instance Methods

lib/surveyor/models/validation_condition_methods.rb

@@ -6,7 +6,6 @@ def self.included(base)
         base.send :belongs_to, :validation
 
         # Scopes
-
         @@validations_already_included ||= nil
         unless @@validations_already_included
           # Validations
@@ -20,7 +19,10 @@ def self.included(base)
         end
 
         base.send :include, Surveyor::ActsAsResponse # includes "as" instance method
-
+
+        # Whitelisting attributes
+        base.send :attr_accessible, :validation, :validation_id, :rule_key, :operator, :question_id, :answer_id, :datetime_value, :integer_value, :float_value, :unit, :text_value, :string_value, :response_other, :regexp
+
         # Class methods
         base.instance_eval do
           def operators

lib/surveyor/models/validation_methods.rb

@@ -18,6 +18,9 @@ def self.included(base)
 
           @@validations_already_included = true
         end
+
+        # Whitelisting attributes
+        base.send :attr_accessible, :answer, :answer_id, :rule, :message
       end
 
       # Instance Methods

lib/surveyor/parser.rb

@@ -133,6 +133,8 @@ class Question < ActiveRecord::Base
   # attributes
   attr_accessor :correct, :context_reference
   before_save :resolve_correct_answers
+
+  attr_accessible :correct, :context_reference
 
   def self.parse_and_build(context, args, original_method, reference_identifier)
     # clear context
@@ -154,7 +156,7 @@ def self.parse_and_build(context, args, original_method, reference_identifier)
     # add grid answers
     if context[:question_group] && context[:question_group].display_type == "grid"
       (context[:grid_answers] || []).each do |grid_answer|
-        a = context[:question].answers.build(grid_answer.attributes)
+        a = context[:question].answers.build(grid_answer.attributes.reject{|k,v| %w(id api_id created_at updated_at).include?(k)})
         context[:answer_references][reference_identifier] ||= {} unless reference_identifier.blank?
         context[:answer_references][reference_identifier][grid_answer.reference_identifier] = a unless reference_identifier.blank? or grid_answer.reference_identifier.blank?
       end
@@ -190,6 +192,8 @@ class DependencyCondition < ActiveRecord::Base
   attr_accessor :question_reference, :answer_reference, :context_reference
   before_save :resolve_references
 
+  attr_accessible :question_reference, :answer_reference, :context_reference
+
   def self.parse_and_build(context, args, original_method, reference_identifier)
     # clear context
     context.delete_if{|k,v| k == :dependency_condition}

lib/surveyor/redcap_parser.rb

@@ -161,6 +161,8 @@ def self.decompose_rule(str)
 class DependencyCondition < ActiveRecord::Base
   attr_accessor :question_reference, :answer_reference, :lookup_reference
   before_save :resolve_references
+  attr_accessible :question_reference, :answer_reference, :lookup_reference
+
   def resolve_references
     return unless lookup_reference
     print "resolve(#{question_reference},#{answer_reference})"

spec/models/answer_spec.rb

@@ -42,6 +42,13 @@
     @answer.api_id.length.should == 36
   end
 
+  it "should protect api_id, timestamps" do
+    saved_attrs = @answer.attributes
+    lambda {@answer.update_attributes(:created_at => 3.days.ago, :modified_at => 3.hours.ago)}.should raise_error(ActiveModel::MassAssignmentSecurity::Error)
+    lambda {@answer.update_attributes(:api_id => "NEW")}.should raise_error(ActiveModel::MassAssignmentSecurity::Error)
+    @answer.attributes.should == saved_attrs
+  end
+
   require 'mustache'
   class FakeMustacheContext < ::Mustache
     def site

spec/models/dependency_condition_spec.rb

@@ -78,6 +78,13 @@
       @dependency_condition.stub!(:is_met?).and_return(true)
       @dependency_condition.to_hash(@rs)
     end
+
+    it "should protect timestamps" do
+      saved_attrs = @dependency_condition.attributes
+      lambda {@dependency_condition.update_attributes(:created_at => 3.days.ago, :modified_at => 3.hours.ago)}.should raise_error(ActiveModel::MassAssignmentSecurity::Error)
+      @dependency_condition.attributes.should == saved_attrs
+    end
+
   end
 
   describe "to_hash" do

spec/models/dependency_spec.rb

@@ -43,6 +43,11 @@
     @dependency.rule = "a and b"
     @dependency.should have(1).error_on(:rule)
   end
+  it "should protect timestamps" do
+    saved_attrs = @dependency.attributes
+    lambda {@dependency.update_attributes(:created_at => 3.days.ago, :modified_at => 3.hours.ago)}.should raise_error(ActiveModel::MassAssignmentSecurity::Error)
+    @dependency.attributes.should == saved_attrs
+  end
 
 end
 

spec/models/question_group_spec.rb

@@ -32,4 +32,11 @@
     @dependency.should_receive(:is_met?).and_return(false)
     @question_group.css_class(Factory(:response_set)).should == "g_dependent g_hidden foo bar"
   end
+  it "should protect api_id, timestamps" do
+    saved_attrs = @question_group.attributes
+    lambda {@question_group.update_attributes(:created_at => 3.days.ago, :modified_at => 3.hours.ago)}.should raise_error(ActiveModel::MassAssignmentSecurity::Error)
+    lambda {@question_group.update_attributes(:api_id => "NEW")}.should raise_error(ActiveModel::MassAssignmentSecurity::Error)
+    @question_group.attributes.should == saved_attrs
+  end
+
 end

spec/models/question_spec.rb

@@ -42,6 +42,13 @@
   it "should have an api_id" do
     @question.api_id.length.should == 36
   end
+
+  it "should protect api_id, timestamps" do
+    saved_attrs = @question.attributes
+    lambda {@question.update_attributes(:created_at => 3.days.ago, :modified_at => 3.hours.ago)}.should raise_error(ActiveModel::MassAssignmentSecurity::Error)
+    lambda {@question.update_attributes(:api_id => "NEW")}.should raise_error(ActiveModel::MassAssignmentSecurity::Error)
+    @question.attributes.should == saved_attrs
+  end
 end
 
 describe Question, "that has answers" do

spec/models/response_set_spec.rb

@@ -12,14 +12,26 @@
     @response_set.access_code.should_not be_nil
     @response_set.access_code.length.should == 10
   end
+
+  it "should protect api_id, timestamps" do
+    saved_attrs = @response_set.attributes
+    lambda {@response_set.update_attributes(:created_at => 3.days.ago, :modified_at => 3.hours.ago)}.should raise_error(ActiveModel::MassAssignmentSecurity::Error)
+    lambda {@response_set.update_attributes(:api_id => "NEW")}.should raise_error(ActiveModel::MassAssignmentSecurity::Error)
+    lambda {@response_set.update_attributes(:access_code => "AND")}.should raise_error(ActiveModel::MassAssignmentSecurity::Error)
+    lambda {@response_set.update_attributes(:started_at => 10.days.ago)}.should raise_error(ActiveModel::MassAssignmentSecurity::Error)
+    lambda {@response_set.update_attributes(:completed_at => 2.hours.ago)}.should raise_error(ActiveModel::MassAssignmentSecurity::Error)
+    @response_set.attributes.should == saved_attrs
+  end
 
   describe '#access_code' do
     let!(:rs1) { Factory(:response_set).tap { |rs| rs.update_attribute(:access_code, 'one') } }
     let!(:rs2) { Factory(:response_set).tap { |rs| rs.update_attribute(:access_code, 'two') } }
 
     # Regression test for #263
     it 'accepts an access code in the constructor' do
-      ResponseSet.new(:access_code => 'eleven').access_code.should == 'eleven'
+      rs = ResponseSet.new
+      rs.access_code = 'eleven'
+      rs.access_code.should == 'eleven'
     end
 
     # Regression test for #263

spec/models/response_spec.rb

@@ -39,6 +39,14 @@
     response2 = Factory(:response, :question => Factory(:question), :answer => Factory(:answer), :response_set => @response.response_set, :created_at => (@response.created_at + 1))
     Response.all.should == [@response, response2]
   end
+
+  it "should protect api_id, timestamps" do
+    saved_attrs = @response.attributes
+    lambda {@response.update_attributes(:created_at => 3.days.ago, :modified_at => 3.hours.ago)}.should raise_error(ActiveModel::MassAssignmentSecurity::Error)
+    lambda {@response.update_attributes(:api_id => "NEW")}.should raise_error(ActiveModel::MassAssignmentSecurity::Error)
+    @response.attributes.should == saved_attrs
+  end
+
 
   describe "returns the response as the type requested" do
     it "returns 'string'" do

spec/models/survey_section_spec.rb

@@ -16,6 +16,11 @@
     # @survey_section.survey_id = nil
     # @survey_section.should have(1).error_on(:survey)
   end
+  it "should protect timestamps" do
+    saved_attrs = @survey_section.attributes
+    lambda {@survey_section.update_attributes(:created_at => 3.days.ago, :modified_at => 3.hours.ago)}.should raise_error(ActiveModel::MassAssignmentSecurity::Error)
+    @survey_section.attributes.should == saved_attrs
+  end
 end
 
 describe SurveySection, "with questions" do

spec/models/survey_spec.rb

@@ -111,5 +111,14 @@
     @survey.active?.should be_false
     @survey.active_at.should be_nil
   end
-
+
+  it "should protect access_code, api_id, active_at, inactive_at, timestamps" do
+    saved_attrs = @survey.attributes
+    lambda {@survey.update_attributes(:access_code => "NEW")}.should raise_error(ActiveModel::MassAssignmentSecurity::Error)
+    lambda {@survey.update_attributes(:api_id => "AND")}.should raise_error(ActiveModel::MassAssignmentSecurity::Error)
+    lambda {@survey.update_attributes(:active_at => 2.days.ago)}.should raise_error(ActiveModel::MassAssignmentSecurity::Error)
+    lambda {@survey.update_attributes(:inactive_at => 3.days.from_now)}.should raise_error(ActiveModel::MassAssignmentSecurity::Error)
+    lambda {@survey.update_attributes(:created_at => 3.days.ago, :modified_at => 3.hours.ago)}.should raise_error(ActiveModel::MassAssignmentSecurity::Error)
+    @survey.attributes.should == saved_attrs
+  end
 end

spec/models/validation_condition_spec.rb

@@ -49,7 +49,11 @@
     @validation_condition.operator = "#"
     @validation_condition.should have(1).error_on(:operator)
   end
-
+  it "should protect timestamps" do
+    saved_attrs = @validation_condition.attributes
+    lambda {@validation_condition.update_attributes(:created_at => 3.days.ago, :modified_at => 3.hours.ago)}.should raise_error(ActiveModel::MassAssignmentSecurity::Error)
+    @validation_condition.attributes.should == saved_attrs
+  end
 end
 
 describe ValidationCondition, "validating responses" do

spec/models/validation_spec.rb

@@ -30,6 +30,11 @@
     @validation.rule = "a and b"
     @validation.should have(1).error_on(:rule)
   end
+  it "should protect timestamps" do
+    saved_attrs = @validation.attributes
+    lambda {@validation.update_attributes(:created_at => 3.days.ago, :modified_at => 3.hours.ago)}.should raise_error(ActiveModel::MassAssignmentSecurity::Error)
+    @validation.attributes.should == saved_attrs
+  end
 end
 describe Validation, "reporting its status" do
   def test_var(vhash, vchashes, ahash, rhash)