Fixed that multiparameter posts ignored attr_protected #1532 [alec+ra…

…ils@veryclever.net] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@1550 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
rails · Jun 28, 2005 · c92ecb8 · c92ecb8
1 parent d763f08
commit c92ecb8
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 3 deletions.
diff --git a/activerecord/CHANGELOG b/activerecord/CHANGELOG
@@ -1,5 +1,7 @@
 *SVN*
 
+* Fixed that multiparameter posts ignored attr_protected #1532 [alec+rails@veryclever.net]
+
 * Fixed problem with eager loading when using a has_and_belongs_to_many association using :association_foreign_key #1504 [flash@vanklinkenbergsoftware.nl]
 
 * Fixed Base#find to honor the documentation on how :joins work and make them consistent with Base#count #1405 [pritchie@gmail.com]. What used to be:

diff --git a/activerecord/lib/active_record/base.rb b/activerecord/lib/active_record/base.rb
@@ -1279,11 +1279,11 @@ def query_attribute(attr_name)
 
       def remove_attributes_protected_from_mass_assignment(attributes)
         if self.class.accessible_attributes.nil? && self.class.protected_attributes.nil?
-          attributes.reject { |key, value| attributes_protected_by_default.include?(key) }
+          attributes.reject { |key, value| attributes_protected_by_default.include?(key.gsub(/\(.+/, "")) }
         elsif self.class.protected_attributes.nil?
-          attributes.reject { |key, value| !self.class.accessible_attributes.include?(key.intern) || attributes_protected_by_default.include?(key) }
+          attributes.reject { |key, value| !self.class.accessible_attributes.include?(key.gsub(/\(.+/, "").intern) || attributes_protected_by_default.include?(key.gsub(/\(.+/, "")) }
         elsif self.class.accessible_attributes.nil?
-          attributes.reject { |key, value| self.class.protected_attributes.include?(key.intern) || attributes_protected_by_default.include?(key) }
+          attributes.reject { |key, value| self.class.protected_attributes.include?(key.gsub(/\(.+/,"").intern) || attributes_protected_by_default.include?(key.gsub(/\(.+/, "")) }
         end
       end
 

diff --git a/activerecord/test/base_test.rb b/activerecord/test/base_test.rb
@@ -33,6 +33,10 @@ class TightDescendant < TightPerson
 
 class Booleantest < ActiveRecord::Base; end
 
+class Task < ActiveRecord::Base
+  attr_protected :starting
+end
+
 class BasicsTest < Test::Unit::TestCase
   fixtures :topics, :companies, :developers, :projects, :computers
 
@@ -542,6 +546,15 @@ def test_multiparameter_attributes_on_time_with_empty_seconds
     assert_equal Time.local(2004, 6, 24, 16, 24, 0), topic.written_on
   end
 
+  def test_multiparameter_mass_assignment_protector
+    task = Task.new
+    time = Time.mktime(0)
+    task.starting = time 
+    attributes = { "starting(1i)" => "2004", "starting(2i)" => "6", "starting(3i)" => "24" }
+    task.attributes = attributes
+    assert_equal time, task.starting
+  end
+
   def test_attributes_on_dummy_time
     # Oracle does not have a TIME datatype.
     if ActiveRecord::ConnectionAdapters.const_defined? :OracleAdapter