From dc12479070c75ddbf59f3cd8b57037bed537713c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonne=20Ha=C3=9F?=
Date: Sun, 1 Sep 2013 15:59:35 +0200
Subject: [PATCH] Filter :id in User.build for now
Rails 4 seem to allow setting the id through supplied parameters
The controllers ported to strong_parameters should guard against attacks over this vector, but I didn't want to remove the specs that test this here
---
 app/models/user.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/models/user.rb b/app/models/user.rb
index 162bfdfa6..9693b9ab3 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -355,7 +355,7 @@ class User < ActiveRecord::Base
 ###Helpers############
 def self.build(opts = {})
- u = User.new(opts.except(:person))
+ u = User.new(opts.except(:person, :id))
 u.setup(opts)
 u
 end
@@ -369,7 +369,7 @@ class User < ActiveRecord::Base
 errors = self.errors
 errors.delete :person
 return if errors.size > 0
- self.set_person(Person.new(opts[:person] || {} ))
+ self.set_person(Person.new((opts[:person] || {}).except(:id)))
 self.generate_keys
 self
 end
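Review bot: The new `opts.except(:person, :id)` in `User.build` removes only the symbol key, so a plain Hash that carries a string `"id"` key would still reach `User.new` and set the primary key; whether any caller passes such a hash is not visible in this patch. Normalising the keys first closes that gap, e.g. `u = User.new(opts.with_indifferent_access.except(:person, :id))`. The same applies to `(opts[:person] || {}).except(:id)` in the second hunk, whose enclosing method starts outside the hunk. Because this is a denylist added as a stopgap, a comment such as `# drop :id so callers cannot choose the primary key through mass assignment (Rails 4)` would keep the reason next to the code. An allowlist of assignable attributes would be the sturdier guard once the specs allow it.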