Added mass-assignment protection for the inheritance column -- regard…

…less of a custom column is used or not git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@477 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
jfirebaugh · Jan 23, 2005 · 95454bf · 95454bf
1 parent 97849de
commit 95454bf
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 3 deletions.
diff --git a/activerecord/CHANGELOG b/activerecord/CHANGELOG
@@ -1,5 +1,7 @@
 *SVN*
 
+* Added mass-assignment protection for the inheritance column -- regardless of a custom column is used or not
+
 * Fixed that association proxies would fail === tests like PremiumSubscription === @account.subscription
 
 * Fixed that column aliases didn't work as expected with the new MySql411 driver #507 [Demetrius]

diff --git a/activerecord/lib/active_record/base.rb b/activerecord/lib/active_record/base.rb
@@ -1098,14 +1098,19 @@ def query_attribute(attr_name)
 
       def remove_attributes_protected_from_mass_assignment(attributes)
         if self.class.accessible_attributes.nil? && self.class.protected_attributes.nil?
-          attributes.reject { |key, value| key == self.class.primary_key }
+          attributes.reject { |key, value| attributes_protected_by_default.include?(key) }
         elsif self.class.protected_attributes.nil?
-          attributes.reject { |key, value| !self.class.accessible_attributes.include?(key.intern) || key == self.class.primary_key }
+          attributes.reject { |key, value| !self.class.accessible_attributes.include?(key.intern) || attributes_protected_by_default.include?(key) }
         elsif self.class.accessible_attributes.nil?
-          attributes.reject { |key, value| self.class.protected_attributes.include?(key.intern) || key == self.class.primary_key }
+          attributes.reject { |key, value| self.class.protected_attributes.include?(key.intern) || attributes_protected_by_default.include?(key) }
         end
       end
 
+      # The primary key and inheritance column can never be set by mass-assignment for security reasons.
+      def attributes_protected_by_default
+        [ self.class.primary_key, self.class.inheritance_column ]
+      end
+
       # Returns copy of the attributes hash where all the values have been safely quoted for use in
       # an SQL statement. 
       def attributes_with_quotes(include_primary_key = true)

diff --git a/activerecord/test/base_test.rb b/activerecord/test/base_test.rb
@@ -383,6 +383,13 @@ def test_mass_assignment_protection
     assert_equal 1, firm.rating
   end
 
+  def test_mass_assignment_protection_on_defaults
+    firm = Firm.new
+    firm.attributes = { "id" => 5, "type" => "Client" }
+    assert_nil firm.id
+    assert_equal "Firm", firm[:type]
+  end
+
   def test_mass_assignment_accessible
     reply = Reply.new("title" => "hello", "content" => "world", "approved" => 0)
     reply.save