
security fix: protect from mass assignment

1 parent 1439aaa commit f4c1921c39ffc15f61657015fcda71f32aaaa4fd @martinbtt martinbtt committed Oct 8, 2008
Showing with 16 additions and 0 deletions.
  1. +2 −0 app/models/comment.rb
  2. +14 −0 test/unit/comment_test.rb
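--- a/app/models/comment.rb
+++ b/app/models/comment.rb
@@ -5,6 +5,8 @@ class Comment < ActiveRecord::Base
 before_save :auto_approve
 before_save :apply_filter
+attr_accessible :author, :author_email, :author_url, :filter_id, :content
+
 def self.per_page
 50
 end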
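Review bot: The new `attr_accessible` line makes every unlisted attribute — including `approved_at` and `approved_by` — silently dropped from mass assignment (this Rails generation logs a warning rather than raising), so any admin approval code that goes through `update_attributes(:approved_at => ..., :approved_by => ...)` will now stop working without an error; confirm that path assigns those fields through direct setters or `update_attribute`. `filter_id` stays mass-assignable, which means a submitter can pick the filter applied to their own comment — if any configured filter passes markup through unescaped that is worth a separate review (inferred; the filter definitions are not in this hunk). A one-line comment above the whitelist would help the next maintainer: `# Fields a public commenter may set; approval fields are assigned explicitly by admin code.` The Comment class continues outside this hunk.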
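--- a/test/unit/comment_test.rb
+++ b/test/unit/comment_test.rb
@@ -35,4 +35,18 @@ def test_download_csv_routes
 {:controller => "admin/comments", :action => "index", :format => 'csv', :page_id => "6"}
 end
+def test_not_allowing_update_of_protected_attribs
+@comment = Comment.create(
+:author => "Evil Approve",
+:author_email => "foo@bar.com",
+:author_url => "http://www.test.com/",
+:content => "Comment approved?",
+:approved_at => Time.now,
+:approved_by => 1
+);
+@comment = Comment.find_by_author('Evil Approve')
+assert_nil(@comment.approved_at)
+assert_nil(@comment.approved_by)
+end
+
 end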
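Review bot: The test name promises "update" but the body only exercises `Comment.create`; `update_attributes` is the other mass-assignment path and is left uncovered, so after the `find_by_author` lookup add `@comment.update_attributes(:approved_at => Time.now, :approved_by => 1)` followed by `assert_nil(@comment.reload.approved_at)` and the matching check on `approved_by`. If `create` fails validation, `find_by_author('Evil Approve')` returns nil and the two `assert_nil` calls fail with a NoMethodError instead of a clear message; asserting on the object returned by `create` (or using `create!`) would make such a failure explicit. The trailing `;` after the `create(...)` call is unidiomatic Ruby and can be dropped, and `@comment` could be a local variable since nothing else in the test reads it.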
