Turn on mass assignment protection

Require any attribute that is going to be mass assigned to be whitelisted, and whitelist those attributes which need it
2012-03-05 16:31:11 +00:00 · 2012-03-05 16:31:11 +00:00 · 1340fca8f1
commit 1340fca8f1
parent 7d8cf94680
19 changed files with 74 additions and 35 deletions
--- a/test/unit/diary_entry_test.rb
+++ b/test/unit/diary_entry_test.rb
@ -25,8 +25,8 @@ class DiaryEntryTest < ActiveSupport::TestCase
  end
  
  def diary_entry_valid(attrs, result = true)
-    entry = DiaryEntry.new(diary_entries(:normal_user_entry_1).attributes)
-    entry.attributes = attrs
+    entry = DiaryEntry.new(diary_entries(:normal_user_entry_1).attributes, :without_protection => true)
+    entry.assign_attributes(attrs, :without_protection => true)
    assert_equal result, entry.valid?, "Expected #{attrs.inspect} to be #{result}"
  end  
 end
--- a/test/unit/node_test.rb
+++ b/test/unit/node_test.rb
@ -77,11 +77,13 @@ class NodeTest < ActiveSupport::TestCase
  
  # Check that you can create a node and store it
  def test_create
-    node_template = Node.new(:latitude => 12.3456,
-                             :longitude => 65.4321,
-                             :changeset_id => changesets(:normal_user_first_change).id,
-                             :visible => 1, 
-                             :version => 1)
+    node_template = Node.new({
+      :latitude => 12.3456,
+      :longitude => 65.4321,
+      :changeset_id => changesets(:normal_user_first_change).id,
+      :visible => 1, 
+      :version => 1
+    }, :without_protection => true)
    assert node_template.create_with_history(users(:normal_user))

    node = Node.find(node_template.id)
--- a/test/unit/oauth_token_test.rb
+++ b/test/unit/oauth_token_test.rb
@ -15,7 +15,9 @@ class OauthTokenTest < ActiveSupport::TestCase
  ##
  # check that an authorized token is authorised and can be invalidated
  def test_token_authorisation
-    tok = RequestToken.create :client_application => client_applications(:oauth_web_app)
+    tok = RequestToken.create({
+      :client_application => client_applications(:oauth_web_app)
+    }, :without_protection => true)
    assert_equal false, tok.authorized?, "Token should be created unauthorised."
    tok.authorize!(users(:public_user))
    assert_equal true, tok.authorized?, "Token should now be authorised."
--- a/test/unit/user_test.rb
+++ b/test/unit/user_test.rb
@ -18,23 +18,27 @@ class UserTest < ActiveSupport::TestCase
  end
  
  def test_unique_email
-    new_user = User.new(:email => users(:normal_user).email,
+    new_user = User.new({
+      :email => users(:normal_user).email,
      :status => "active", 
      :pass_crypt => Digest::MD5.hexdigest('test'),
      :display_name => "new user",
      :data_public => 1,
-      :description => "desc")
+      :description => "desc"
+    }, :without_protection => true)
    assert !new_user.save
    assert new_user.errors[:email].include?("has already been taken")
  end
  
  def test_unique_display_name
-    new_user = User.new(:email => "tester@openstreetmap.org",
+    new_user = User.new({
+      :email => "tester@openstreetmap.org",
      :status => "pending",
      :pass_crypt => Digest::MD5.hexdigest('test'),
      :display_name => users(:normal_user).display_name, 
      :data_public => 1,
-      :description => "desc")
+      :description => "desc"
+    }, :without_protection => true)
    assert !new_user.save
    assert new_user.errors[:display_name].include?("has already been taken")
  end