require "cases/helper"
require "active_support/core_ext/hash/indifferent_access"
require "models/account"
# Test double for a parameters object that carries a "permitted" flag.
#
# It wraps the attributes it is given and starts out unpermitted, so an
# instance is rejected-by-default material for the mass-assignment guard
# exercised in this file; only an explicit #permit! flips the flag.
class ProtectedParams
  attr_accessor :permitted
  alias_method :permitted?, :permitted

  # Read-only hash queries are forwarded to the wrapped attributes object.
  delegate :keys, :key?, :has_key?, :empty?, to: :@parameters

  # Stores +attributes+ as-is (no copy is made) with the permitted flag off.
  def initialize(attributes)
    @permitted  = false
    @parameters = attributes
  end

  # Marks the parameters as permitted and returns the receiver, so the call
  # can be chained directly onto +new+.
  def permit!
    tap { @permitted = true }
  end

  # Returns the wrapped attributes object itself, regardless of the flag.
  def to_h
    @parameters
  end
end
# Covers Account#sanitize_for_mass_assignment with three kinds of input:
# an unpermitted ProtectedParams, a permitted ProtectedParams, and a plain
# hash that has no permitted flag at all.
class ActiveModelMassUpdateProtectionTest < ActiveSupport::TestCase
  test "forbidden attributes cannot be used for mass updating" do
    # Freshly built, never permitted: the guard is expected to raise rather
    # than hand the attributes back.
    unpermitted = ProtectedParams.new("a" => "b")

    assert_raises(ActiveModel::ForbiddenAttributesError) { Account.new.sanitize_for_mass_assignment(unpermitted) }
  end

  test "permitted attributes can be used for mass updating" do
    # After permit! the wrapped hash is expected to come back unchanged.
    permitted = ProtectedParams.new("a" => "b").permit!
    sanitized = Account.new.sanitize_for_mass_assignment(permitted)

    assert_equal({ "a" => "b" }, sanitized)
  end

  test "regular attributes should still be allowed" do
    # A plain hash is not a ProtectedParams and is expected to pass through.
    sanitized = Account.new.sanitize_for_mass_assignment(a: "b")

    assert_equal({ a: "b" }, sanitized)
  end
end