Merge pull request #11 from Current-RMS/rails-5-0

Fix `inheritance_column` attr isn't protected
westonganger · Oct 15, 2018 · bf7a82a · bf7a82a
2 parents e4e5ae9 + a48eeb8
commit bf7a82a
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 11 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,7 @@
 * Add Rails 5.2 support
 * Fix bug related to incorrect usage of options on the AR#new method
 * Use scope_for_create instead of create_scope in Rails 5.2+
+* Fix bug related to protection of `inheritance_column` attribute
 
 ## 1.3.0
 

diff --git a/lib/active_record/mass_assignment_security/inheritance.rb b/lib/active_record/mass_assignment_security/inheritance.rb
@@ -9,14 +9,7 @@ module ClassMethods
 
         # Detect the subclass from the inheritance column of attrs. If the inheritance column value
         # is not self or a valid subclass, raises ActiveRecord::SubclassNotFound
-        # If this is a StrongParameters hash, and access to inheritance_column is not permitted,
-        # this will ignore the inheritance column and return nil
-        def subclass_from_attributes?(attrs)
-          active_authorizer[:default].deny?(inheritance_column) ? nil : super
-        end
-
-        # Support Active Record <= 4.0.3, which uses the old method signature.
-        def subclass_from_attrs(attrs)
+        def subclass_from_attributes(attrs)
           active_authorizer[:default].deny?(inheritance_column) ? nil : super
         end
       end

diff --git a/test/attribute_sanitization_test.rb b/test/attribute_sanitization_test.rb
@@ -270,9 +270,7 @@ def test_protection_against_class_attribute_writers
   def test_new_with_protected_inheritance_column
     firm = Company.new(type: "Firm")
 
-    ### TEST IS FAILING, SO I MADE IT PASS
-    #assert_equal Company, firm.class #original line
-    assert_equal Firm, firm.class
+    assert_equal Company, firm.class
   end
 
   def test_new_with_accessible_inheritance_column