Raise an exception if both attr_protected and attr_accessible are declared. Closes #8507, #6004.

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@6896 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2026-01-31 01:08:19 -05:00 · 2007-05-29 20:35:46 +00:00
parent 32b307bc32
commit af98d883b9
3 changed files with 16 additions and 0 deletions
--- a/activerecord/CHANGELOG
+++ b/activerecord/CHANGELOG
@@ -1,5 +1,7 @@
 *SVN*

+* Raise an exception if both attr_protected and attr_accessible are declared.  #8507 [stellsmi]
+
 * SQLite, MySQL, PostgreSQL, Oracle: quote column names in column migration SQL statements.  #8466 [marclove, lorenjohnson]

 * Allow nil serialized attributes with a set class constraint.  #7293 [sandofsky]
--- a/activerecord/lib/active_record/base.rb
+++ b/activerecord/lib/active_record/base.rb
@@ -2164,6 +2164,8 @@ module ActiveRecord #:nodoc:
          attributes.reject { |key, value| !self.class.accessible_attributes.include?(key.gsub(/\(.+/, "").intern) || attributes_protected_by_default.include?(key.gsub(/\(.+/, "")) }
        elsif self.class.accessible_attributes.nil?
          attributes.reject { |key, value| self.class.protected_attributes.include?(key.gsub(/\(.+/,"").intern) || attributes_protected_by_default.include?(key.gsub(/\(.+/, "")) }
+        else
+          raise "Declare either attr_protected or attr_accessible for #{self.class}, but not both."
        end
      end

--- a/activerecord/test/base_test.rb
+++ b/activerecord/test/base_test.rb
@@ -53,6 +53,12 @@ class Task < ActiveRecord::Base
  attr_protected :starting
 end

+class TopicWithProtectedContentAndAccessibleAuthorName < ActiveRecord::Base 
+  self.table_name = 'topics' 
+  attr_accessible :author_name
+  attr_protected  :content
+end
+
 class BasicsTest < Test::Unit::TestCase
  fixtures :topics, :companies, :developers, :projects, :computers, :accounts

@@ -771,6 +777,12 @@ class BasicsTest < Test::Unit::TestCase
    assert_raise(ActiveRecord::RecordInvalid) { reply.update_attributes!(:title => nil, :content => "Have a nice evening") }
  end
  
+  def test_mass_assignment_should_raise_exception_if_accessible_and_protected_attribute_writers_are_both_used
+    topic = TopicWithProtectedContentAndAccessibleAuthorName.new
+    assert_raises(RuntimeError) { topic.attributes = { "author_name" => "me" } }
+    assert_raises(RuntimeError) { topic.attributes = { "content" => "stuff" } }
+  end
+  
  def test_mass_assignment_protection
    firm = Firm.new
    firm.attributes = { "name" => "Next Angle", "rating" => 5 }