Filter :id in User.build for now
Rails 4 seem to allow setting the id through supplied parameters The controllers ported to strong_parameters should guard against attacks over this vector, but I didn't want to remove the specs that test this here
This commit is contained in:
Jonne Haß
parent
659f0b96d4
commit
dc12479070
1 changed files with 2 additions and 2 deletions
|
|
@ -355,7 +355,7 @@ class User < ActiveRecord::Base
|
|||
|
||||
###Helpers############
|
||||
def self.build(opts = {})
|
||||
u = User.new(opts.except(:person))
|
||||
u = User.new(opts.except(:person, :id))
|
||||
u.setup(opts)
|
||||
u
|
||||
end
|
||||
|
|
@ -369,7 +369,7 @@ class User < ActiveRecord::Base
|
|||
errors = self.errors
|
||||
errors.delete :person
|
||||
return if errors.size > 0
|
||||
self.set_person(Person.new(opts[:person] || {} ))
|
||||
self.set_person(Person.new((opts[:person] || {}).except(:id)))
|
||||
self.generate_keys
|
||||
self
|
||||
end
|
||||
|
|
|
|||
Loading…
Reference in a new issue