Merge pull request #23 from projecthydra/protect_attributes

Only attributes marked as editable should get set
samvera · Jan 2, 2014 · 2f7acbc · 2f7acbc
2 parents 2d0e414 + 88660d1
commit 2f7acbc
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 3 deletions.
diff --git a/.gitignore b/.gitignore
@@ -3,3 +3,4 @@ log/*.log
 pkg/
 spec/dummy
 Gemfile.lock
+gemfiles/*.lock
diff --git a/app/controllers/concerns/records_controller_behavior.rb b/app/controllers/concerns/records_controller_behavior.rb
@@ -69,9 +69,11 @@ def set_attributes
   end
 
   def collect_form_attributes
-    attributes = params[ActiveModel::Naming.singular(resource)]
+    raw_attributes = params[ActiveModel::Naming.singular(resource)]
+    # we could probably do this with strong parameters if the gemspec depends on Rails 4+
+    permitted_attributes = resource.terms_for_editing.each_with_object({}) { |key, attrs| attrs[key] = raw_attributes[key] if raw_attributes[key] }
     # removes attributes that were only changed by initialize_fields
-    attributes.reject { |key, value| resource[key].empty? and value == [""] }
+    permitted_attributes.reject { |key, value| resource[key].empty? and value == [""] }
   end
 
   # Override to redirect to an alternate location after create

diff --git a/spec/controllers/records_controller_spec.rb b/spec/controllers/records_controller_spec.rb
@@ -35,6 +35,12 @@
         response.should redirect_to("/catalog/#{assigns[:record].id}") 
         assigns[:record].title.should == ['My title']
       end
+      it "should not set attributes that aren't listed in terms_for_editing" do
+        # params[:audio][:collection_id] would be a good test, but that doesn't work in ActiveFedora 6.7
+        post :create, :type=>'Audio', :audio=>{isPartOf: 'my collection'}
+        response.should redirect_to("/catalog/#{assigns[:record].id}") 
+        expect(assigns[:record].isPartOf).to eq [] 
+      end
       it "should be successful with json" do
         post :create, :type=>'Audio', :audio=>{:title=>"My title"}, :format=>:json
         response.status.should == 201 

diff --git a/spec/support/audio.rb b/spec/support/audio.rb
@@ -9,8 +9,10 @@ class Audio < ActiveFedora::Base
   has_metadata "descMetadata", type: ActiveFedora::QualifiedDublinCoreDatastream
 
   validates_presence_of :title
+
+  # the isPartOf attribute should not get set, because it's not listed in "terms_for_editing"
+  has_attributes :title, :creator, :description, :subject, :isPartOf, datastream: "descMetadata", multiple: true
 
-  has_attributes :title, :creator, :description, :subject, datastream: "descMetadata", multiple: true
 
   def terms_for_editing
     [:title, :creator, :description, :subject]