Prevent mass assignment to Post#last_noted_at (#2704).

app/models/post.rb

@@ -45,7 +45,7 @@ class Post < ActiveRecord::Base
   has_many :favorites, :dependent => :destroy
   validates_uniqueness_of :md5
   validate :post_is_not_its_own_parent
-  attr_accessible :source, :rating, :tag_string, :old_tag_string, :old_parent_id, :old_source, :old_rating, :last_noted_at, :parent_id, :has_embedded_notes, :as => [:member, :builder, :gold, :platinum, :janitor, :moderator, :admin, :default]
+  attr_accessible :source, :rating, :tag_string, :old_tag_string, :old_parent_id, :old_source, :old_rating, :parent_id, :has_embedded_notes, :as => [:member, :builder, :gold, :platinum, :janitor, :moderator, :admin, :default]
   attr_accessible :is_rating_locked, :is_note_locked, :as => [:builder, :janitor, :moderator, :admin]
   attr_accessible :is_status_locked, :as => [:admin]
 

test/functional/posts_controller_test.rb

@@ -103,6 +103,14 @@ class PostsControllerTest < ActionController::TestCase
         @post.reload
         assert_equal("bbb", @post.tag_string)
       end
+
+      should "ignore restricted params" do
+        post :update, {:id => @post.id, :post => {:last_noted_at => 1.minute.ago}}, {:user_id => @user.id}
+        assert_redirected_to post_path(@post)
+
+        @post.reload
+        assert_nil(@post.last_noted_at)
+      end
     end
 
     context "revert action" do

test/unit/post_test.rb

@@ -1723,5 +1723,9 @@ class PostTest < ActiveSupport::TestCase
       end
     end
   end
+
+  context "Mass assignment: " do
+    should_not allow_mass_assignment_of(:last_noted_at).as(:member)
+  end
 end