Refactor to handle mass assignment security.

browsermedia · Mar 19, 2013 · c309693 · c309693
1 parent f92a42d
commit c309693
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 8 deletions.
diff --git a/app/models/cms/page_component.rb b/app/models/cms/page_component.rb
@@ -24,16 +24,20 @@ def save
 
         content_ids.each do |block_id|
           block = content_block_class.constantize.find(block_id)
-
-          block_attribute_names = block_type[1][block_id].keys
-          block_attribute_names.each do |attr_name|
-            # TODO: Mass assignment concern here...
-            block.send("#{attr_name}=".to_sym, block_type[1][block_id][attr_name][:value])
-          end
-          block.save!
+          assignment_hash = convert_mercury_params_to_assignment_hash(block_id, block_type)
+          block.update_attributes(assignment_hash)
         end
       end
       @page.save
     end
+
+    def convert_mercury_params_to_assignment_hash(block_id, block_type)
+      block_attribute_names = block_type[1][block_id].keys
+      assignment_hash = {}
+      block_attribute_names.each do |attr_name|
+        assignment_hash[attr_name] = block_type[1][block_id][attr_name][:value]
+      end
+      assignment_hash
+    end
   end
 end
diff --git a/test/unit/lib/cms/page_components_test.rb b/test/unit/lib/cms/page_components_test.rb
@@ -24,7 +24,7 @@ def setup
       assert_equal "New Title", Page.find(@page.id).draft.title
     end
 
-    test "#saves name and content for an HtmlBlock" do
+    test "Saves name and content for an HtmlBlock" do
       b = create(:html_block, name: "Old block name", content: "Old Content")
       @page.add_content(b)
       @page.save!
@@ -46,6 +46,29 @@ def setup
       assert_equal "New Content", updated_block.content
     end
 
+    test "Doesn't update protected attributes'" do
+      block_id = 12
+      msg_payload = {
+          "blocks" => {
+              "Cms::HtmlBlock" => {
+                  block_id => {
+                      "created_by_id" => {"type" => "full", "value" => 24},
+                  }
+              }
+          }}
+      mock_block = mock()
+      HtmlBlock.expects(:find).with(block_id).returns(mock_block)
+      mock_block.expects(:update_attributes).with({'created_by_id' => 24}).raises(ActiveModel::MassAssignmentSecurity::Error)
+
+      add_page_title(msg_payload)
+      c = PageComponent.new(@page.id, msg_payload)
+
+      assert_raises(ActiveModel::MassAssignmentSecurity::Error) do
+        c.save
+      end
+
+    end
+
     private
     # page_title is required. This is a pseudo factory for testing.
     def add_page_title(msg)