Browse files

Fix #5069 - Protect foreign key from mass assignment throught associa…

…tion builder
  • Loading branch information...
1 parent ebc5a19 commit e1a882a15b71435ec82a596978429b34d4c73ac5 @byroot byroot committed with tenderlove Mar 4, 2012
View
3 activerecord/lib/active_record/associations/association.rb
@@ -231,7 +231,8 @@ def association_class
def build_record(attributes, options)
reflection.build_association(attributes, options) do |record|
- record.assign_attributes(create_scope.except(*record.changed), :without_protection => true)
+ attributes = create_scope.except(*(record.changed - [reflection.foreign_key]))
+ record.assign_attributes(attributes, :without_protection => true)
end
end
end
View
22 activerecord/test/cases/associations/has_many_associations_test.rb
@@ -130,6 +130,28 @@ def test_association_keys_bypass_attribute_protection
assert_equal car.id, bulb.car_id
end
+ def test_association_protect_foreign_key
+ invoice = Invoice.create
+
+ line_item = invoice.line_items.new
+ assert_equal invoice.id, line_item.invoice_id
+
+ line_item = invoice.line_items.new :invoice_id => invoice.id + 1
+ assert_equal invoice.id, line_item.invoice_id
+
+ line_item = invoice.line_items.build
+ assert_equal invoice.id, line_item.invoice_id
+
+ line_item = invoice.line_items.build :invoice_id => invoice.id + 1
+ assert_equal invoice.id, line_item.invoice_id
+
+ line_item = invoice.line_items.create
+ assert_equal invoice.id, line_item.invoice_id
+
+ line_item = invoice.line_items.create :invoice_id => invoice.id + 1
+ assert_equal invoice.id, line_item.invoice_id
+ end
+
def test_association_conditions_bypass_attribute_protection
car = Car.create(:name => 'honda')
View
16 activerecord/test/cases/associations/has_one_associations_test.rb
@@ -397,6 +397,22 @@ def test_association_keys_bypass_attribute_protection
assert_equal car.id, bulb.car_id
end
+ def test_association_protect_foreign_key
+ pirate = Pirate.create!(:catchphrase => "Don' botharrr talkin' like one, savvy?")
+
+ ship = pirate.build_ship
+ assert_equal pirate.id, ship.pirate_id
+
+ ship = pirate.build_ship :pirate_id => pirate.id + 1
+ assert_equal pirate.id, ship.pirate_id
+
+ ship = pirate.create_ship
+ assert_equal pirate.id, ship.pirate_id
+
+ ship = pirate.create_ship :pirate_id => pirate.id + 1
+ assert_equal pirate.id, ship.pirate_id
+ end
+
def test_association_conditions_bypass_attribute_protection
car = Car.create(:name => 'honda')

0 comments on commit e1a882a

Please sign in to comment.