
added failing tests for has_many, has_one and belongs_to associations…

… with strict mass assignment sanitizer, fixed build_record to not merge creation_attributes, removed failing nested attributes tests (that feature was broken anyway) #4051

Signed-off-by: José Valim <jose.valim@gmail.com>
commit 2d07c60b684a7082fa5dc052c9f965adcda1cb75 1 parent 108e344
Kuba Kuźma authored December 21, 2011 josevalim committed December 21, 2011
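--- a/activerecord/lib/active_record/associations/association.rb
+++ b/activerecord/lib/active_record/associations/association.rb
@@ -230,13 +230,8 @@ def association_class
         end
 
         def build_record(attributes, options)
-          attributes = (attributes || {}).reverse_merge(creation_attributes)
-
           reflection.build_association(attributes, options) do |record|
-            record.assign_attributes(
-              create_scope.except(*record.changed),
-              :without_protection => true
-            )
+            record.assign_attributes(create_scope.except(*record.changed), :without_protection => true)
           end
         end
     end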
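Review bot: The `record.assign_attributes(create_scope.except(*record.changed), :without_protection => true)` line in build_record is now the only place in the hunk where the association's own values reach the record, and it assigns them with mass-assignment protection switched off, yet nothing explains why that is safe. A comment above it would help, for example `# create_scope comes from the association, not from the caller, so it is assigned without protection; caller attributes still go through the sanitizer`. Note also that `except(*record.changed)` lets any caller-supplied value that passed the sanitizer take precedence over the scope, so a model that does not protect its foreign key can apparently still have it set by the caller; whether that is intended should be stated. How create_scope is built is outside the hunk, so the wording of the comment needs confirming against that method.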
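--- a/activerecord/test/cases/mass_assignment_security_test.rb
+++ b/activerecord/test/cases/mass_assignment_security_test.rb
@@ -50,6 +50,13 @@ def assert_all_attributes(person)
     assert_equal 'm',    person.gender
     assert_equal 'rides a sweet bike', person.comments
   end
+
+  def with_strict_sanitizer
+    ActiveRecord::Base.mass_assignment_sanitizer = :strict
+    yield
+  ensure
+    ActiveRecord::Base.mass_assignment_sanitizer = :logger
+  end
 end
 
 module MassAssignmentRelationTestHelpers
@@ -323,6 +330,13 @@ def test_has_one_build_without_protection
     assert_all_attributes(best_friend)
   end
 
+  def test_has_one_build_with_strict_sanitizer
+    with_strict_sanitizer do
+      best_friend = @person.build_best_friend(attributes_hash.except(:id, :comments))
+      assert_equal @person.id, best_friend.best_friend_id
+    end
+  end
+
   # create
 
   def test_has_one_create_with_attr_protected_attributes
@@ -350,6 +364,13 @@ def test_has_one_create_without_protection
     assert_all_attributes(best_friend)
   end
 
+  def test_has_one_create_with_strict_sanitizer
+    with_strict_sanitizer do
+      best_friend = @person.create_best_friend(attributes_hash.except(:id, :comments))
+      assert_equal @person.id, best_friend.best_friend_id
+    end
+  end
+
   # create!
 
   def test_has_one_create_with_bang_with_attr_protected_attributes
@@ -377,6 +398,13 @@ def test_has_one_create_with_bang_without_protection
     assert_all_attributes(best_friend)
   end
 
+  def test_has_one_create_with_bang_with_strict_sanitizer
+    with_strict_sanitizer do
+      best_friend = @person.create_best_friend!(attributes_hash.except(:id, :comments))
+      assert_equal @person.id, best_friend.best_friend_id
+    end
+  end
+
 end
 
 
@@ -438,6 +466,13 @@ def test_belongs_to_create_without_protection
     assert_all_attributes(best_friend)
   end
 
+  def test_belongs_to_create_with_strict_sanitizer
+    with_strict_sanitizer do
+      best_friend = @person.create_best_friend_of(attributes_hash.except(:id, :comments))
+      assert_equal best_friend.id, @person.best_friend_of_id
+    end
+  end
+
   # create!
 
   def test_belongs_to_create_with_bang_with_attr_protected_attributes
@@ -465,6 +500,13 @@ def test_belongs_to_create_with_bang_without_protection
     assert_all_attributes(best_friend)
   end
 
+  def test_belongs_to_create_with_bang_with_strict_sanitizer
+    with_strict_sanitizer do
+      best_friend = @person.create_best_friend_of!(attributes_hash.except(:id, :comments))
+      assert_equal best_friend.id, @person.best_friend_of_id
+    end
+  end
+
 end
 
 
@@ -499,6 +541,13 @@ def test_has_many_build_without_protection
     assert_all_attributes(best_friend)
   end
 
+  def test_has_many_build_with_strict_sanitizer
+    with_strict_sanitizer do
+      best_friend = @person.best_friends.build(attributes_hash.except(:id, :comments))
+      assert_equal @person.id, best_friend.best_friend_id
+    end
+  end
+
   # create
 
   def test_has_many_create_with_attr_protected_attributes
@@ -526,6 +575,13 @@ def test_has_many_create_without_protection
     assert_all_attributes(best_friend)
   end
 
+  def test_has_many_create_with_strict_sanitizer
+    with_strict_sanitizer do
+      best_friend = @person.best_friends.create(attributes_hash.except(:id, :comments))
+      assert_equal @person.id, best_friend.best_friend_id
+    end
+  end
+
   # create!
 
   def test_has_many_create_with_bang_with_attr_protected_attributes
@@ -553,6 +609,13 @@ def test_has_many_create_with_bang_without_protection
     assert_all_attributes(best_friend)
   end
 
+  def test_has_many_create_with_bang_with_strict_sanitizer
+    with_strict_sanitizer do
+      best_friend = @person.best_friends.create!(attributes_hash.except(:id, :comments))
+      assert_equal @person.id, best_friend.best_friend_id
+    end
+  end
+
 end
 
 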
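Review bot: `with_strict_sanitizer` restores the sanitizer to a hard-coded `:logger` in its `ensure`, not to whatever was in effect before the block, so if the suite's default is ever something else the helper silently changes global state for every test that runs after it. At minimum document that with `# resets to :logger, the assumed suite default, not to the previous sanitizer`, or capture the prior sanitizer before switching and restore that. The eight new tests also cover only the accepting path: each strips `:id` and `:comments` with `attributes_hash.except(:id, :comments)`, so none of them asserts that the strict sanitizer actually rejects a protected attribute passed through an association. One rejection test per association type would pin the protection itself, and the visible hunks add no strict-sanitizer test for a belongs_to build.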
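--- a/activerecord/test/cases/nested_attributes_test.rb
+++ b/activerecord/test/cases/nested_attributes_test.rb
@@ -617,11 +617,6 @@ def test_should_take_a_hash_with_composite_id_keys_and_assign_the_attributes_to_
     assert_equal ['Grace OMalley', 'Privateers Greed'], [@child_1.name, @child_2.name]
   end
 
-  def test_should_take_a_hash_with_owner_attributes_and_assign_the_attributes_to_the_associated_model
-    @pirate.birds.create :name => 'bird', :pirate_attributes => {:id => @pirate.id.to_s, :catchphrase => 'Holla!'}
-    assert_equal 'Holla!', @pirate.reload.catchphrase
-  end
-
   def test_should_raise_RecordNotFound_if_an_id_is_given_but_doesnt_return_a_record
     assert_raise_with_message ActiveRecord::RecordNotFound, "Couldn't find #{@child_1.class.name} with ID=1234567890 for Pirate with ID=#{@pirate.id}" do
       @pirate.attributes = { association_getter => [{ :id => 1234567890 }] }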
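--- a/activerecord/test/models/person.rb
+++ b/activerecord/test/models/person.rb
@@ -54,7 +54,7 @@ class LoosePerson < ActiveRecord::Base
   self.table_name = 'people'
   self.abstract_class = true
 
-  attr_protected :comments
+  attr_protected :comments, :best_friend_id, :best_friend_of_id
   attr_protected :as => :admin
 
   has_one    :best_friend,    :class_name => 'LoosePerson', :foreign_key => :best_friend_id
@@ -81,4 +81,4 @@ class TightPerson < ActiveRecord::Base
   accepts_nested_attributes_for :best_friend, :best_friend_of, :best_friends
 end
 
-class TightDescendant < TightPerson; end
+class TightDescendant < TightPerson; end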
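Review bot: The first hunk protects `:best_friend_id` and `:best_friend_of_id` on LoosePerson without saying why, and the reason is not obvious from the model alone. A comment on the `attr_protected` line, such as `# foreign keys are protected so the association tests prove they are set by the association and not by mass assignment`, would keep a later cleanup from removing them and quietly weakening the strict-sanitizer tests. The second hunk appears to be a whitespace or end-of-file change only.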
