Auto protect id and type from mass assignment. Closes #1477.

commit 16c3748671333165ee30c839898216bfaa7bdab9 1 parent 17f3b00
Durran Jordan durran authored
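--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -109,6 +109,15 @@ For instructions on upgrading to newer versions, visit
 
 Band.find_by(name: "Depeche Mode")
 
+* \#1477 Mongoid now automatically protects the id and type attributes
+ from mass assignment. You can override this (not recommended) by redefining
+ them as accessible.
+
+ class Band
+ include Mongoid::Document
+ attr_accessible :id, :_id, :_type
+ end
+
 * \#1459 The identity map can be disabled now for specific code execution
 by passing options to the unit of work.
 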
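--- a/lib/mongoid/fields.rb
+++ b/lib/mongoid/fields.rb
@@ -55,6 +55,8 @@ module Fields
 
 alias :id :_id
 alias :id= :_id=
+
+ attr_protected :id, :_id, :_type
 end
 
 # Apply all default values to the document which are not procs.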
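Review bot: The new `attr_protected :id, :_id, :_type` line has no comment saying why these three attributes are singled out, and it is declared without a role. I would add above it `# _id fixes document identity and _type selects the class to instantiate; neither should be taken from a params hash`. Because no role is given, the denylist presumably covers only the default mass-assignment role, so it is worth confirming, with a spec, that assignment under a named role is blocked as well. The override documented in the CHANGELOG (`attr_accessible :id, :_id, :_type`) should also be checked against models that already declare their own allowlist, since the interaction between the two declarations is not visible here. The enclosing block starts above this hunk.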
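--- a/spec/mongoid/attributes_spec.rb
+++ b/spec/mongoid/attributes_spec.rb
@@ -629,7 +629,6 @@
 
 let!(:attributes) do
 {
- :_id => bson_id,
 :title => "value",
 :age => "30",
 :terms => "true",
@@ -656,10 +655,6 @@
 person[:terms].should be_true
 end
 
- it "casts ids" do
- person[:_id].should eq(bson_id)
- end
-
 it "sets empty strings to nil" do
 person[:score].should be_nil
 end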
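--- a/spec/mongoid/criterion/inclusion_spec.rb
+++ b/spec/mongoid/criterion/inclusion_spec.rb
@@ -517,15 +517,21 @@
 context "when ids are not object ids" do
 
 let!(:jar_one) do
- Jar.create(:_id => 114869287646134350)
+ Jar.create do |doc|
+ doc._id = 114869287646134350
+ end
 end
 
 let!(:jar_two) do
- Jar.create(:_id => 114869287646134388)
+ Jar.create do |doc|
+ doc._id = 114869287646134388
+ end
 end
 
 let!(:jar_three) do
- Jar.create(:_id => 114869287646134398)
+ Jar.create do |doc|
+ doc._id = 114869287646134398
+ end
 end
 
 context "when the documents are found" do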
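--- a/spec/mongoid/fields_spec.rb
+++ b/spec/mongoid/fields_spec.rb
@@ -856,4 +856,49 @@ def testing=(value)
 person.map_with_default.should eq({ "key" => "testing" })
 end
 end
+
+ context "when auto protecting id and type" do
+
+ context "when redefining as accessible" do
+
+ before do
+ Person.attr_accessible :id, :_id, :_type
+ end
+
+ after do
+ Person.attr_protected :id, :_id, :_type
+ end
+
+ let(:bson_id) do
+ BSON::ObjectId.new
+ end
+
+ it "allows mass assignment of id" do
+ Person.new(:_id => bson_id).id.should eq(bson_id)
+ end
+
+ it "allows mass assignment of type" do
+ Person.new(:_type => "Something")._type.should eq("Something")
+ end
+ end
+
+ context "when redefining as protected" do
+
+ before do
+ Person.attr_protected :id, :_id, :_type
+ end
+
+ let(:bson_id) do
+ BSON::ObjectId.new
+ end
+
+ it "protects assignment of id" do
+ Person.new(:_id => bson_id).id.should_not eq(bson_id)
+ end
+
+ it "protects assignment of type" do
+ Person.new(:_type => "Something")._type.should_not eq("Something")
+ end
+ end
+ end
 end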
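Review bot: The "when redefining as protected" context calls `Person.attr_protected :id, :_id, :_type` in its own `before`, so its examples would still pass if the new line in lib/mongoid/fields.rb were removed; nothing here exercises the automatic default. A context with no `before`, or a throwaway class that only does `include Mongoid::Document`, asserting `klass.new(:_id => bson_id).id.should_not eq(bson_id)` would pin the behaviour this commit is about. The `after` hook in the accessible context re-applies the denylist but does not visibly undo the `attr_accessible` call on the shared `Person` class, so later specs may see leftover state; a local class would avoid that as well. The `:id` alias is declared in every call but never asserted on.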
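--- a/spec/mongoid/finders_spec.rb
+++ b/spec/mongoid/finders_spec.rb
@@ -55,7 +55,9 @@
 context "when passed a string" do
 
 let!(:person) do
- Person.create(:_id => 1)
+ Person.create do |doc|
+ doc._id = 1
+ end
 end
 
 let(:from_db) do
@@ -70,7 +72,9 @@
 context "when passed an array of strings" do
 
 let!(:person) do
- Person.create(:_id => 2)
+ Person.create do |doc|
+ doc._id = 2
+ end
 end
 
 let(:from_db) do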
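--- a/spec/mongoid/relations/macros_spec.rb
+++ b/spec/mongoid/relations/macros_spec.rb
@@ -3,11 +3,7 @@
 describe Mongoid::Relations::Macros do
 
 class TestClass
- include Mongoid::Relations
- include Mongoid::Dirty
- include Mongoid::Fields
- include Mongoid::Callbacks
- include Mongoid::Validations
+ include Mongoid::Document
 end
 
 let(:klass) do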
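Review bot: Swapping the five explicit includes in `TestClass` for `include Mongoid::Document` suggests that `Mongoid::Fields` can no longer be included on its own, presumably because its included hook now calls `attr_protected`. If that is the cause, Fields has gained an implicit dependency on whichever module supplies mass-assignment security. That dependency should be stated in a comment in lib/mongoid/fields.rb or made explicit by having Fields pull the module in itself. The spec also now runs the macros against a full document rather than the minimal module set, which widens what this class exercises.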
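--- a/spec/mongoid/relations/referenced/in_spec.rb
+++ b/spec/mongoid/relations/referenced/in_spec.rb
@@ -1130,7 +1130,9 @@ class C
 context "when creating with a reference to an integer id parent" do
 
 let!(:jar) do
- Jar.create(:_id => 1)
+ Jar.create do |doc|
+ doc._id = 1
+ end
 end
 
 let(:cookie) do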
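--- a/spec/mongoid/relations/referenced/many_spec.rb
+++ b/spec/mongoid/relations/referenced/many_spec.rb
@@ -183,7 +183,9 @@
 end
 
 let(:post) do
- Post.new(:_id => existing.id)
+ Post.new do |doc|
+ doc._id = existing.id
+ end
 end
 
 it "raises an error" do
@@ -1438,7 +1440,9 @@
 
 it "raises an error" do
 expect {
- person.posts.safely.create(:_id => existing.id)
+ person.posts.safely.create do |doc|
+ doc._id = existing.id
+ end
 }.to raise_error(Mongo::OperationFailure)
 end
 end
@@ -3056,7 +3060,9 @@
 context "when the parent is using integer ids" do
 
 let(:jar) do
- Jar.create(:_id => 1)
+ Jar.create do |doc|
+ doc._id = 1
+ end
 end
 
 it "allows creation of the document" do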
