File: blacklist_security_spec.rb

require_relative "spec_helper"

describe Sequel::Model, "#(set|update)_except" do
  # Model with one blacklisted column (:y) and a declared primary key (:id), so
  # the specs can observe that explicit exclusions, the restricted column and
  # the key are all left out of mass assignment.
  before do
    @c = Class.new(Sequel::Model(:items))
    @c.class_eval do
      plugin :blacklist_security
      set_primary_key :id
      columns :x, :y, :z, :id
      set_restricted_columns :y
    end
    # Non-strict: keys that may not be set are dropped instead of raising.
    @c.strict_param_setting = false
    @o1 = @c.new
    DB.reset
  end

  it "should raise errors if not all hash fields can be set and strict_param_setting is true" do
    # In strict mode a hash containing any non-settable key is rejected outright.
    @c.strict_param_setting = true
    proc{@c.new.set_except({x: 1, y: 2, z: 3, id: 4}, :x, :y)}.must_raise(Sequel::MassAssignmentRestriction)
    proc{@c.new.set_except({x: 1, y: 2, z: 3}, :x, :y)}.must_raise(Sequel::MassAssignmentRestriction)
    # A hash made up only of settable keys still goes through.
    record = @c.new
    record.set_except({z: 3}, :x, :y)
    record.values.must_equal(z: 3)
  end

  it "#set_except should not set given attributes or the primary key" do
    # Exclusions may be given as an array or as a splat; :id is dropped in both
    # cases without being listed.
    @o1.set_except({x: 1, y: 2, z: 3, id: 4}, [:y, :z])
    @o1.values.must_equal(x: 1)
    @o1.set_except({x: 4, y: 2, z: 3, id: 4}, :y, :z)
    @o1.values.must_equal(x: 4)
  end

  it "#update_except should not update given attributes" do
    # Only the surviving column (:x) reaches the INSERT.
    @o1.update_except({x: 1, y: 2, z: 3, id: 4}, [:y, :z])
    DB.sqls.must_equal ["INSERT INTO items (x) VALUES (1)", "SELECT * FROM items WHERE id = 10"]
    @c.new.update_except({x: 1, y: 2, z: 3, id: 4}, :y, :z)
    DB.sqls.must_equal ["INSERT INTO items (x) VALUES (1)", "SELECT * FROM items WHERE id = 10"]
  end
end

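describe Sequel::Model, ".restricted_columns " do
  # Model with three plain columns and no primary key declared in the class
  # body; each spec chooses which columns to blacklist.
  before do
    @c = Class.new(Sequel::Model(:blahblah))
    @c.class_eval do
      plugin :blacklist_security
      columns :x, :y, :z
    end
    # Non-strict: restricted keys are dropped silently rather than raising
    # Sequel::MassAssignmentRestriction.
    @c.strict_param_setting = false
    @c.instance_variable_set(:@columns, [:x, :y, :z])
    # Read (and thereby discard) any SQL logged so far, so the DB.sqls
    # assertions below only see statements issued by the spec itself.
    DB.sqls
  end
  
  it "should set the restricted columns correctly" do
    @c.restricted_columns.must_be_nil
    @c.set_restricted_columns :x
    @c.restricted_columns.must_equal [:x]
    # A second call yields exactly its own arguments, not an accumulated list.
    @c.set_restricted_columns :x, :y
    @c.restricted_columns.must_equal [:x, :y]
  end

  it "should not set restricted columns by default" do
    # :z is blacklisted: new, set and update all drop it, and the INSERT only
    # carries the column that survived.
    @c.set_restricted_columns :z
    i = @c.new(x: 1, y: 2, z: 3)
    i.values.must_equal(x: 1, y: 2)
    i.set(x: 4, y: 5, z: 6)
    i.values.must_equal(x: 4, y: 5)

    @c.dataset = @c.dataset.with_fetch(x: 7)
    i = @c.new
    i.update(x: 7, z: 9)
    i.values.must_equal(x: 7)
    DB.sqls.must_equal ["INSERT INTO blahblah (x) VALUES (7)", "SELECT * FROM blahblah WHERE id = 10"]
  end

  it "should not set restricted primary keys when restricting columns unless primary key setting is restricted" do
    # :id is not in the restricted list, yet it is still dropped from mass
    # assignment: the primary key is protected independently of the blacklist.
    @c.set_restricted_columns :z
    i = @c.new(id: 10, x: 1, y: 2, z: 3)
    i.values.must_equal(x: 1, y: 2)
    i.set(id: 10, x: 4, y: 5, z: 6)
    i.values.must_equal(x: 4, y: 5)
    i.set_except({id: 10, x: 4, y: 5, z: 6}, [:z])
    i.values.must_equal(x: 4, y: 5)

    @c.dataset = @c.dataset.with_fetch(x: 7)
    i = @c.new
    i.update(id: 10, x: 7, z: 9)
    i.values.must_equal(x: 7)
    DB.sqls.must_equal ["INSERT INTO blahblah (x) VALUES (7)", "SELECT * FROM blahblah WHERE id = 10"]
  end

  it "should set unrestricted primary keys when restricting columns if primary key setting is unrestricted" do
    # Once the key is explicitly unrestricted it passes through every path,
    # while :z remains blacklisted.
    @c.unrestrict_primary_key
    @c.set_restricted_columns :z
    i = @c.new(id: 10, x: 1, y: 2, z: 3)
    i.values.must_equal(id: 10, x: 1, y: 2)
    i.set(id: 10, x: 4, y: 5, z: 6)
    i.values.must_equal(id: 10, x: 4, y: 5)
    i.set_except({id: 10, x: 4, y: 5, z: 6}, [:z])
    i.values.must_equal(id: 10, x: 4, y: 5)

    @c.dataset = @c.dataset.with_fetch(id: 10, x: 7)
    i = @c.new
    i.update(id: 10, x: 7, z: 9)
    i.values.must_equal(id: 10, x: 7)
    DB.sqls.must_equal ["INSERT INTO blahblah (id, x) VALUES (10, 7)", "SELECT * FROM blahblah WHERE id = 10"]
  end

  it "should have allowed take precedence over restricted" do
    # :y is both allowed and restricted; the allow list wins and :y is set,
    # while :z (restricted and not allowed) is still dropped.
    @c.plugin :whitelist_security
    @c.set_allowed_columns :x, :y
    @c.set_restricted_columns :y, :z
    i = @c.new(x: 1, y: 2, z: 3)
    i.values.must_equal(x: 1, y: 2)
    i.set(x: 4, y: 5, z: 6)
    i.values.must_equal(x: 4, y: 5)

    @c.dataset = @c.dataset.with_fetch(y: 7)
    i = @c.new
    i.update(y: 7, z: 9)
    i.values.must_equal(y: 7)
    DB.sqls.must_equal ["INSERT INTO blahblah (y) VALUES (7)", "SELECT * FROM blahblah WHERE id = 10"]
  end

  it "should have allowed take precedence over restricted when whitelist_security plugin is added first" do
    # Same expectations as the previous spec, but with the plugins loaded in
    # the opposite order, so precedence must not depend on load order.
    # This spec builds its own class; the fixture from +before+ is not used.
    @c = Class.new(Sequel::Model(:blahblah))
    @c.class_eval do
      plugin :whitelist_security
      plugin :blacklist_security
      set_primary_key :id
      columns :x, :y, :z, :id
      set_restricted_columns :y
      self.strict_param_setting = false
    end
    DB.reset
    @c.set_allowed_columns :x, :y
    @c.set_restricted_columns :y, :z
    i = @c.new(x: 1, y: 2, z: 3)
    i.values.must_equal(x: 1, y: 2)
    i.set(x: 4, y: 5, z: 6)
    i.values.must_equal(x: 4, y: 5)

    @c.dataset = @c.dataset.with_fetch(y: 7)
    i = @c.new
    i.update(y: 7, z: 9)
    i.values.must_equal(y: 7)
    DB.sqls.must_equal ["INSERT INTO blahblah (y) VALUES (7)", "SELECT * FROM blahblah WHERE id = 10"]
  end

  it "should freeze restricted_columns when freezing class" do
    @c.set_restricted_columns :z
    @c.freeze
    @c.restricted_columns.frozen?.must_equal true
  end
end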