validating belongs_to assocations #11
Comments
|
For me, when I try your example above the second comment create fails with an 'ActiveRecord::RecordInvalid: Validation failed: Article is invalid [ActsAsTenant]' error thrown by the gem. Are you sure you've set the current tenant, while attempting to create the second comment in your example? All scoping and validation requires a current_tenant to be set. |
|
Hi, I use rails 3.1.3 . Should that matter ? |
|
I have looked at the code from lines 68 to 83 in this file: I tried adding some print statements at line 78 but I don't see the code going into validation check at line 76. |
|
could you post a failing test that illustrates your scenario. Or make your code available? On my end scoping of |
|
Closing this.. |
Are the values in belongs_to association also validated to check if they belong to the same tenant ?
EXAMPLE :
Lets say there are 2 models as follows:
ARTICLE with id, tenant_id columns
COMMENT with id, article_id and tenant_id columns
ARTICLE has many COMMENTS and COMMENTS belongs to ARTICLE
There are 2 articles in database :
Article ( :id => 1, :tenant_id => 10)
Article ( :id => 2, :tenant_id => 8)
Now,
Comment.create! ( :article_id => 1, :tenant_id => 10) # This works since article #1 belongs to tenant #10
However,
Comment.create! ( :article_id => 2, :tenant_id => 10) # This still works even if article #2 does NOT belong to tenant #10
Shouldn't this fail since comment is being associated to an article that belongs to another tenant ?
Without this check, a malicious user can associate objects belonging to other tenants (and not within his tenant)....
The text was updated successfully, but these errors were encountered: