inossidabile / protector

Comfortable (seriously) white-list security restrictions for models on a field level
MIT License
270 stars 31 forks

Rails 4.2 association restriction is broken when invoking build #60

Open toxix opened 9 years ago

toxix commented 9 years ago

Just tried to upgrade to Rails 4.2. When I'm calling build on a has_many association, all the associated records are going to be unrestricted. Think this is potentially dangerous as I'm expecting associations of a protected model are protected.

f = Film.restrict!(User.first).first

f.images.first.protector_subject?
 # => true
f.images.build
f.images.first.protector_subject?
 # => false <<== should be true
f.images.protector_subject?
 # => true

This is not happening with Rails 4.1.

toxix commented 9 years ago

Have a look at the failing tests for active record 4.2 when added to travis https://github.com/inossidabile/protector/pull/63