Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Raise an exception if both attr_protected and attr_accessible are dec…

…lared. Closes #8507, #6004.

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@6896 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
  • Loading branch information...
commit af98d883b91aad78cd8183f8abbdf27bd740ff66 1 parent 32b307b
@jeremy jeremy authored
View
2  activerecord/CHANGELOG
@@ -1,5 +1,7 @@
*SVN*
+* Raise an exception if both attr_protected and attr_accessible are declared. #8507 [stellsmi]
+
* SQLite, MySQL, PostgreSQL, Oracle: quote column names in column migration SQL statements. #8466 [marclove, lorenjohnson]
* Allow nil serialized attributes with a set class constraint. #7293 [sandofsky]
View
2  activerecord/lib/active_record/base.rb
@@ -2164,6 +2164,8 @@ def remove_attributes_protected_from_mass_assignment(attributes)
attributes.reject { |key, value| !self.class.accessible_attributes.include?(key.gsub(/\(.+/, "").intern) || attributes_protected_by_default.include?(key.gsub(/\(.+/, "")) }
elsif self.class.accessible_attributes.nil?
attributes.reject { |key, value| self.class.protected_attributes.include?(key.gsub(/\(.+/,"").intern) || attributes_protected_by_default.include?(key.gsub(/\(.+/, "")) }
+ else
+ raise "Declare either attr_protected or attr_accessible for #{self.class}, but not both."
end
end
View
12 activerecord/test/base_test.rb
@@ -53,6 +53,12 @@ class Task < ActiveRecord::Base
attr_protected :starting
end
+class TopicWithProtectedContentAndAccessibleAuthorName < ActiveRecord::Base
+ self.table_name = 'topics'
+ attr_accessible :author_name
+ attr_protected :content
+end
+
class BasicsTest < Test::Unit::TestCase
fixtures :topics, :companies, :developers, :projects, :computers, :accounts
@@ -771,6 +777,12 @@ def test_update_attributes!
assert_raise(ActiveRecord::RecordInvalid) { reply.update_attributes!(:title => nil, :content => "Have a nice evening") }
end
+ def test_mass_assignment_should_raise_exception_if_accessible_and_protected_attribute_writers_are_both_used
+ topic = TopicWithProtectedContentAndAccessibleAuthorName.new
+ assert_raises(RuntimeError) { topic.attributes = { "author_name" => "me" } }
+ assert_raises(RuntimeError) { topic.attributes = { "content" => "stuff" } }
+ end
+
def test_mass_assignment_protection
firm = Firm.new
firm.attributes = { "name" => "Next Angle", "rating" => 5 }
Please sign in to comment.
Something went wrong with that request. Please try again.