mirror of
https://github.com/rails/rails.git
synced 2022-11-09 12:12:34 -05:00
42 lines
1.1 KiB
Ruby
42 lines
1.1 KiB
Ruby
require 'cases/helper'
|
|
require 'active_support/core_ext/hash/indifferent_access'
|
|
require 'models/account'
|
|
|
|
class ProtectedParams
|
|
attr_accessor :permitted
|
|
alias :permitted? :permitted
|
|
|
|
delegate :keys, :key?, :has_key?, :empty?, to: :@parameters
|
|
|
|
def initialize(attributes)
|
|
@parameters = attributes
|
|
@permitted = false
|
|
end
|
|
|
|
def permit!
|
|
@permitted = true
|
|
self
|
|
end
|
|
|
|
def to_h
|
|
@parameters
|
|
end
|
|
end
|
|
|
|
class ActiveModelMassUpdateProtectionTest < ActiveSupport::TestCase
|
|
test "forbidden attributes cannot be used for mass updating" do
|
|
params = ProtectedParams.new({ "a" => "b" })
|
|
assert_raises(ActiveModel::ForbiddenAttributesError) do
|
|
Account.new.sanitize_for_mass_assignment(params)
|
|
end
|
|
end
|
|
|
|
test "permitted attributes can be used for mass updating" do
|
|
params = ProtectedParams.new({ "a" => "b" }).permit!
|
|
assert_equal({ "a" => "b" }, Account.new.sanitize_for_mass_assignment(params))
|
|
end
|
|
|
|
test "regular attributes should still be allowed" do
|
|
assert_equal({ a: "b" }, Account.new.sanitize_for_mass_assignment(a: "b"))
|
|
end
|
|
end
|