From bec07833a2fce4f99bb26d8906981a13d89504bb Mon Sep 17 00:00:00 2001
From: Dmitri Garbuzov
Date: Wed, 21 Jul 2010 23:09:45 -0400
Subject: [PATCH] Disallowed mass assignment of some attributes (counts)
---
 app/models/choice.rb | 6 +++++-
 app/models/prompt.rb | 3 ++-
 app/models/question.rb | 6 +++++-
 spec/models/choice_spec.rb | 30 +++++++++++++++++++++++++++++-
 4 files changed, 41 insertions(+), 4 deletions(-)
diff --git a/app/models/choice.rb b/app/models/choice.rb
index 442edeb..572ce19 100644
--- a/app/models/choice.rb
+++ b/app/models/choice.rb
@@ -16,6 +16,9 @@ class Choice < ActiveRecord::Base
 after_save :update_questions_counter
+ attr_protected :prompts_count, :votes_count, :loss_count, :wins, :losses, :score,
+ :prompts_on_the_right_count, :prompts_on_the_left_count
+
 def update_questions_counter
 self.question.update_attribute(:inactive_choices_count, self.question.choices.inactive.length)
 end
@@ -24,7 +27,8 @@ class Choice < ActiveRecord::Base
 def lose!
 Choice.increment_counter(:loss_count, self.id)
 self.loss_count +=1 # reflect the update just done above, so score is correct
- Choice.update(self.id, :score => compute_score)
+ self.score = compute_score
+ self.save
 end
 def win!
diff --git a/app/models/prompt.rb b/app/models/prompt.rb
index e5bc269..227a358 100644
--- a/app/models/prompt.rb
+++ b/app/models/prompt.rb
@@ -23,7 +23,8 @@ class Prompt < ActiveRecord::Base
 named_scope :active, :include => [:left_choice, :right_choice], :conditions => { 'left_choice.active' => true, 'right_choice.active' => true }
 named_scope :ids_only, :select => 'id'
-
+ attr_protected :votes_count, :left_choice_id, :right_choice_id
+
 def self.voted_on_by(u)
 select {|z| z.voted_on_by_user?(u)}
 end
diff --git a/app/models/question.rb b/app/models/question.rb
index d637145..00fce0d 100644
--- a/app/models/question.rb
+++ b/app/models/question.rb
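Review bot: The `attr_protected` list added in the first choice.rb hunk is a denylist, so every column not named in it, including any column added later, stays mass-assignable by default. For a model populated from request parameters an allowlist fails closed instead: `attr_accessible :data, :question`, with the exact list taken from what callers legitimately set (the spec hunk shows at least `:question` and `:data`). The same applies to the `attr_protected` lines added in prompt.rb and question.rb.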
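Review bot: In `lose!` (second choice.rb hunk), `self.save` persists the in-memory `loss_count` as well as the score, because `self.loss_count +=1` has just marked it changed, so it can overwrite the value that `Choice.increment_counter` updated atomically and lose a concurrent vote. Writing only the score keeps the counter atomic, for example `Choice.update_all(['score = ?', compute_score], ['id = ?', self.id])`; note that this skips callbacks, which the replaced `Choice.update` call did run. The return value of `save` is also ignored, so a failed validation leaves the score stale without any error. `win!` begins on the last line of the hunk and its body is not shown; if it still calls `Choice.update(self.id, :score => ...)`, the new protection on `:score` would presumably drop that assignment silently.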
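Review bot: In the prompt.rb hunk, protecting `left_choice_id` and `right_choice_id` means any existing `Prompt.new` or `Prompt.create` call that passes those keys in a hash will have them dropped without an exception, leaving a prompt with no choices attached. The callers are outside this diff, so they need checking; direct setters such as `prompt.left_choice_id = ...` are unaffected. A comment above the line, for example `# choice ids are set only through explicit setters, never from request params`, would record the intent.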
@@ -20,9 +20,13 @@ class Question < ActiveRecord::Base
 has_many :skips
 has_many :densities
 has_many :appearances
-
+
 attr_accessor :ideas
 after_create :create_choices_from_ideas
+
+ attr_protected :votes_count, :inactive_choices_count, :choices_count,
+ :active_items_count, :prompts_count
+
 def create_choices_from_ideas
 if ideas && ideas.any?
 ideas.each do |idea|
diff --git a/spec/models/choice_spec.rb b/spec/models/choice_spec.rb
index 11b6e48..0370c9b 100644
--- a/spec/models/choice_spec.rb
+++ b/spec/models/choice_spec.rb
@@ -23,12 +23,40 @@ describe Choice do
 :question => @question,
 :data => 'hi there'
 }
+
+ @unreasonable_value = 9999
+ @protected_attributes = {}
+ [ :prompts_count,
+ :votes_count,
+ :loss_count,
+ :wins,
+ :losses,
+ :score,
+ :prompts_on_the_right_count,
+ :prompts_on_the_left_count
+ ].each{|key| @protected_attributes[key] = @unreasonable_value}
+
 end
 it "should create a new instance given valid attributes" do
 Choice.create!(@valid_attributes)
 end
-
+
+ it "should not manually set protected attributes when created" do
+ choice1 = Choice.create!(@valid_attributes.merge(@protected_attributes))
+ @protected_attributes.each_key do |key|
+ choice1[key].should_not == @unreasonable_value
+ end
+ end
+
+ it "should not allow mass assignment of protected attributes" do
+ choice1 = Choice.create!(@valid_attributes)
+ choice1.update_attributes(@protected_attributes)
+ @protected_attributes.each_key do |key|
+ choice1[key].should_not == @unreasonable_value
+ end
+ end
+
 it "should deactivate a choice" do
 choice1 = Choice.create!(@valid_attributes.merge(:data => '1234'))
 choice1.deactivate!
--
libgit2 0.21.2
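Review bot: The two examples added to choice_spec.rb cover only Choice, while the Prompt foreign keys (`left_choice_id`, `right_choice_id`) and the Question counters protected by this commit get no equivalent example in the diff. The rewritten `lose!` write path is not exercised here either; an example that calls `lose!`, reloads the record and checks both `loss_count` and `score` would catch a clobbered counter or an unsaved score. The assertions also only check that a value differs from 9999, so comparing against the expected default would be a tighter check.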