File: forbidden_attributes_protection_test.rb

package info (click to toggle)
rails 2%3A5.2.2.1%2Bdfsg-1%2Bdeb10u3
  • links: PTS, VCS
  • area: main
  • in suites: buster
  • size: 33,200 kB
  • sloc: ruby: 235,858; javascript: 20,695; yacc: 46; sql: 43; makefile: 22; sh: 14
file content (166 lines) | stat: -rw-r--r-- 4,640 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
 
# frozen_string_literal: true

require "cases/helper"
require "active_support/core_ext/hash/indifferent_access"

require "models/company"
require "models/person"
require "models/ship"
require "models/ship_part"
require "models/treasure"

class ProtectedParams
  attr_accessor :permitted
  alias :permitted? :permitted

  delegate :keys, :key?, :has_key?, :empty?, to: :@parameters

  def initialize(attributes)
    @parameters = attributes.with_indifferent_access
    @permitted = false
  end

  def permit!
    @permitted = true
    self
  end

  def [](key)
    @parameters[key]
  end

  def to_h
    @parameters
  end

  def stringify_keys
    dup
  end

  def dup
    super.tap do |duplicate|
      duplicate.instance_variable_set :@permitted, @permitted
    end
  end
end

class ForbiddenAttributesProtectionTest < ActiveRecord::TestCase
  def test_forbidden_attributes_cannot_be_used_for_mass_assignment
    params = ProtectedParams.new(first_name: "Guille", gender: "m")
    assert_raises(ActiveModel::ForbiddenAttributesError) do
      Person.new(params)
    end
  end

  def test_permitted_attributes_can_be_used_for_mass_assignment
    params = ProtectedParams.new(first_name: "Guille", gender: "m")
    params.permit!
    person = Person.new(params)

    assert_equal "Guille", person.first_name
    assert_equal "m", person.gender
  end

  def test_forbidden_attributes_cannot_be_used_for_sti_inheritance_column
    params = ProtectedParams.new(type: "Client")
    assert_raises(ActiveModel::ForbiddenAttributesError) do
      Company.new(params)
    end
  end

  def test_permitted_attributes_can_be_used_for_sti_inheritance_column
    params = ProtectedParams.new(type: "Client")
    params.permit!
    person = Company.new(params)
    assert_equal person.class, Client
  end

  def test_regular_hash_should_still_be_used_for_mass_assignment
    person = Person.new(first_name: "Guille", gender: "m")

    assert_equal "Guille", person.first_name
    assert_equal "m", person.gender
  end

  def test_blank_attributes_should_not_raise
    person = Person.new
    assert_nil person.assign_attributes(ProtectedParams.new({}))
  end

  def test_create_with_checks_permitted
    params = ProtectedParams.new(first_name: "Guille", gender: "m")

    assert_raises(ActiveModel::ForbiddenAttributesError) do
      Person.create_with(params).create!
    end
  end

  def test_create_with_works_with_permitted_params
    params = ProtectedParams.new(first_name: "Guille").permit!

    person = Person.create_with(params).create!
    assert_equal "Guille", person.first_name
  end

  def test_create_with_works_with_params_values
    params = ProtectedParams.new(first_name: "Guille")

    person = Person.create_with(first_name: params[:first_name]).create!
    assert_equal "Guille", person.first_name
  end

  def test_where_checks_permitted
    params = ProtectedParams.new(first_name: "Guille", gender: "m")

    assert_raises(ActiveModel::ForbiddenAttributesError) do
      Person.where(params).create!
    end
  end

  def test_where_works_with_permitted_params
    params = ProtectedParams.new(first_name: "Guille").permit!

    person = Person.where(params).create!
    assert_equal "Guille", person.first_name
  end

  def test_where_works_with_params_values
    params = ProtectedParams.new(first_name: "Guille")

    person = Person.where(first_name: params[:first_name]).create!
    assert_equal "Guille", person.first_name
  end

  def test_where_not_checks_permitted
    params = ProtectedParams.new(first_name: "Guille", gender: "m")

    assert_raises(ActiveModel::ForbiddenAttributesError) do
      Person.where().not(params)
    end
  end

  def test_where_not_works_with_permitted_params
    params = ProtectedParams.new(first_name: "Guille").permit!
    Person.create!(params)
    assert_empty Person.where.not(params).select { |p| p.first_name == "Guille" }
  end

  def test_strong_params_style_objects_work_with_singular_associations
    params = ProtectedParams.new(name: "Stern", ship_attributes: ProtectedParams.new(name: "The Black Rock").permit!).permit!
    part = ShipPart.new(params)

    assert_equal "Stern", part.name
    assert_equal "The Black Rock", part.ship.name
  end

  def test_strong_params_style_objects_work_with_collection_associations
    params = ProtectedParams.new(
      trinkets_attributes: ProtectedParams.new(
        "0" => ProtectedParams.new(name: "Necklace").permit!,
        "1" => ProtectedParams.new(name: "Spoon").permit!)).permit!
    part = ShipPart.new(params)

    assert_equal "Necklace", part.trinkets[0].name
    assert_equal "Spoon", part.trinkets[1].name
  end
end