
Add tests for ForbiddenAttributesProtection in ActiveRecord

1 parent 8020f71 commit 0168c7a394e1f9a0462a8fc442e3cc3b205bd6ae @guilleiguaran guilleiguaran committed Jul 18, 2012
Showing with 63 additions and 0 deletions.
  1. +63 −0 activerecord/test/cases/forbidden_attributes_protection_test.rb
@@ -0,0 +1,63 @@
+require 'cases/helper'
+require 'active_support/core_ext/hash/indifferent_access'
+require 'models/person'
+
+class ProtectedParams < ActiveSupport::HashWithIndifferentAccess
+ attr_accessor :permitted
+ alias :permitted? :permitted
+
+ def initialize(attributes)
+ super(attributes)
+ @permitted = false
+ end
+
+ def permit!
+ @permitted = true
+ self
+ end
+
+ def dup
+ super.tap do |duplicate|
+ duplicate.instance_variable_set :@permitted, @permitted
+ end
+ end
+end
+
+class ForbiddenAttributesProtectionTest < ActiveRecord::TestCase
+ def test_forbidden_attributes_cannot_be_used_for_mass_assignment
+ params = ProtectedParams.new(first_name: 'Guille', gender: 'm')
+ assert_raises(ActiveModel::ForbiddenAttributes) do
+ Person.new(params)
+ end
+ end
+
+ def test_permitted_attributes_can_be_used_for_mass_assignment
+ params = ProtectedParams.new(first_name: 'Guille', gender: 'm')
+ params.permit!
+ assert_nothing_raised do
+ person = Person.new(params)
+
+ assert_equal 'Guille', person.first_name
+ assert_equal 'm', person.gender
+ end
+ end
+
+ def test_regular_hash_should_still_be_used_for_mass_assignment
+ assert_nothing_raised do
+ person = Person.new(first_name: 'Guille', gender: 'm')
+
+ assert_equal 'Guille', person.first_name
+ assert_equal 'm', person.gender
+ end
+ end
+
+ def test_protected_attributes_cannot_be_used_for_mass_assignment
+ params = ProtectedParams.new(id: 1, first_name: 'Guille', gender: 'm')
+ params.permit!
+ person = Person.new(params)
+
+ assert_equal 'Guille', person.first_name
+ assert_equal 'm', person.gender
+ assert_not_equal 1, person.id
+ end
+end
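Review bot: The rejection case in `test_forbidden_attributes_cannot_be_used_for_mass_assignment` is exercised only through `Person.new`, so a mass-assignment entry point that skipped the permitted check would not be caught by this file. The same `assert_raises(ActiveModel::ForbiddenAttributes)` case should be repeated for assignment on an existing record, e.g. `Person.new.assign_attributes(params)`; whether that path shares the check is not visible from this hunk. In `test_protected_attributes_cannot_be_used_for_mass_assignment`, `assert_not_equal 1, person.id` passes for any value other than 1; if the intent is that `id` is never set from params on a new record, `assert_nil person.id` pins that. `test_regular_hash_should_still_be_used_for_mass_assignment` would also benefit from a comment such as `# A plain Hash has no permitted? flag, so it is deliberately not checked here`, so the unfiltered path reads as intentional.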
