Filter :id in User.build for now
Rails 4 seem to allow setting the id through supplied parameters The controllers ported to strong_parameters should guard against attacks over this vector, but I didn't want to remove the specs that test this here
This commit is contained in:
Jonne Haß
parent
659f0b96d4
commit
dc12479070
1 changed files with 2 additions and 2 deletions
|
|
@ -355,7 +355,7 @@ class User < ActiveRecord::Base
|
||||||
|
|
||||||
###Helpers############
|
###Helpers############
|
||||||
def self.build(opts = {})
|
def self.build(opts = {})
|
||||||
u = User.new(opts.except(:person))
|
u = User.new(opts.except(:person, :id))
|
||||||
u.setup(opts)
|
u.setup(opts)
|
||||||
u
|
u
|
||||||
end
|
end
|
||||||
|
|
@ -369,7 +369,7 @@ class User < ActiveRecord::Base
|
||||||
errors = self.errors
|
errors = self.errors
|
||||||
errors.delete :person
|
errors.delete :person
|
||||||
return if errors.size > 0
|
return if errors.size > 0
|
||||||
self.set_person(Person.new(opts[:person] || {} ))
|
self.set_person(Person.new((opts[:person] || {}).except(:id)))
|
||||||
self.generate_keys
|
self.generate_keys
|
||||||
self
|
self
|
||||||
end
|
end
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue