Prevent mass assignment to Post#last_noted_at (#2704).

2016-10-06 03:03:08 +00:00
parent 6b6f78da57
commit ab5fd48280
3 changed files with 13 additions and 1 deletions
--- a/test/functional/posts_controller_test.rb
+++ b/test/functional/posts_controller_test.rb
@@ -103,6 +103,14 @@ class PostsControllerTest < ActionController::TestCase
        @post.reload
        assert_equal("bbb", @post.tag_string)
      end
+
+      should "ignore restricted params" do
+        post :update, {:id => @post.id, :post => {:last_noted_at => 1.minute.ago}}, {:user_id => @user.id}
+        assert_redirected_to post_path(@post)
+
+        @post.reload
+        assert_nil(@post.last_noted_at)
+      end
    end

    context "revert action" do