require 'spec_helper'
module RailsBestPractices
module Reviews
describe ProtectMassAssignmentReview do
let(:runner) { Core::Runner.new(prepares: [Prepares::GemfilePrepare.new, Prepares::ConfigPrepare.new, Prepares::InitializerPrepare.new],
reviews: ProtectMassAssignmentReview.new) }
it "should protect mass assignment" do
content =<<-EOF
class User < ActiveRecord::Base
end
EOF
runner.review('app/models/user.rb', content)
expect(runner.errors.size).to eq(1)
expect(runner.errors[0].to_s).to eq("app/models/user.rb:1 - protect mass assignment")
end
it "should not protect mass assignment if attr_accessible is used with arguments and user set config.active_record.whitelist_attributes" do
content =<<-EOF
module RailsBestPracticesCom
class Application < Rails::Application
config.active_record.whitelist_attributes = true
end
end
EOF
runner.prepare('config/application.rb', content)
content =<<-EOF
class User < ActiveRecord::Base
attr_accessible :email, :password, :password_confirmation
end
EOF
runner.review('app/models/user.rb', content)
expect(runner.errors.size).to eq(0)
end
it "should not protect mass assignment if attr_accessible is used without arguments and user set config.active_record.whitelist_attributes" do
content =<<-EOF
module RailsBestPracticesCom
class Application < Rails::Application
config.active_record.whitelist_attributes = true
end
end
EOF
runner.prepare('config/application.rb', content)
content =<<-EOF
class User < ActiveRecord::Base
attr_accessible
end
EOF
runner.review('app/models/user.rb', content)
expect(runner.errors.size).to eq(0)
end
it "should not protect mass assignment with attr_protected if user set config.active_record.whitelist_attributes" do
content =<<-EOF
module RailsBestPracticesCom
class Application < Rails::Application
config.active_record.whitelist_attributes = true
end
end
EOF
runner.prepare('config/application.rb', content)
content =<<-EOF
class User < ActiveRecord::Base
attr_protected :role
end
EOF
runner.review('app/models/user.rb', content)
expect(runner.errors.size).to eq(0)
end
it "should not protect mass assignment if using devise" do
content =<<-EOF
class User < ActiveRecord::Base
devise :database_authenticatable, :registerable, :confirmable, :recoverable, stretches: 20
end
EOF
runner.review('app/models/user.rb', content)
expect(runner.errors.size).to eq(0)
end
it "should not protect mass assignment if using authlogic with configuration" do
content =<<-EOF
class User < ActiveRecord::Base
acts_as_authentic do |c|
c.my_config_option = my_value
end
end
EOF
runner.review('app/models/user.rb', content)
expect(runner.errors.size).to eq(0)
end
it "should not protect mass assignment if using authlogic without configuration" do
content =<<-EOF
class User < ActiveRecord::Base
acts_as_authentic
end
EOF
runner.review('app/models/user.rb', content)
expect(runner.errors.size).to eq(0)
end
it "should not protect mass assignment if checking non ActiveRecord::Base inherited model" do
content =<<-EOF
class User < Person
end
EOF
runner.review('app/models/user.rb', content)
expect(runner.errors.size).to eq(0)
end
context "strong_parameters" do
it "should not protect mass assignment for strong_parameters" do
content =<<-EOF
class User < ActiveRecord::Base
include ActiveModel::ForbiddenAttributesProtection
end
EOF
runner.review('app/models/user.rb', content)
expect(runner.errors.size).to eq(0)
end
it "should not protect mass assignment for strong_parameters" do
content =<<-EOF
class AR
ActiveRecord::Base.send(:include, ActiveModel::ForbiddenAttributesProtection)
end
EOF
runner.prepare('config/initializers/ar.rb', content)
content =<<-EOF
class User < ActiveRecord::Base
end
EOF
runner.review('app/models/user.rb', content)
expect(runner.errors.size).to eq(0)
end
end
context "activerecord 4" do
it "should not protect mass assignment for activerecord 4" do
content =<<-EOF
GEM
remote: http://rubygems.org
specs:
activerecord (4.0.0)
EOF
runner.prepare('Gemfile.lock', content)
content =<<-EOF
class User < ActiveRecord::Base
end
EOF
runner.review('app/models/user.rb', content)
expect(runner.errors.size).to eq(0)
end
it "should protect mass assignment for activerecord 3" do
content =<<-EOF
GEM
remote: http://rubygems.org
specs:
activerecord (3.2.13)
EOF
runner.prepare('Gemfile.lock', content)
content =<<-EOF
class User < ActiveRecord::Base
end
EOF
runner.review('app/models/user.rb', content)
expect(runner.errors.size).to eq(1)
end
end
it "should not check ignored files" do
runner = Core::Runner.new(prepares: [Prepares::GemfilePrepare.new, Prepares::ConfigPrepare.new, Prepares::InitializerPrepare.new],
reviews: ProtectMassAssignmentReview.new(ignored_files: /app\/models\/user\.rb/))
content =<<-EOF
class User < ActiveRecord::Base
end
EOF
runner.review('app/models/user.rb', content)
expect(runner.errors.size).to eq(0)
end
end
end
end