From 4c2d3e50c332c9e88847c2c50ce54bdd7b02f1cc Mon Sep 17 00:00:00 2001
From: Martin Edenhofer
Date: Fri, 6 Feb 2015 17:13:13 +0100
Subject: [PATCH] Prevent given external id at object creation.
---
 app/controllers/application_controller.rb | 2 +-
 app/controllers/users_controller.rb | 4 ++--
 app/models/application_model.rb | 12 +++++++++++-
 3 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index fe2789135..2a32b3e78 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -264,7 +264,7 @@ class ApplicationController < ActionController::Base
 begin
 # create object
- generic_object = object.new( object.param_cleanup( params[object.to_app_model_url] ) )
+ generic_object = object.new( object.param_cleanup( params[object.to_app_model_url], true ) )
 # save object
 generic_object.save!
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 6637ffa71..84ab2adaf 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -64,7 +64,7 @@ class UsersController < ApplicationController
 # @response_message 200 [User] Created User record.
 # @response_message 401 Invalid session.
 def create
- user = User.new( User.param_cleanup(params) )
+ user = User.new( User.param_cleanup(params, true) )
 begin
 # check if it's first user
@@ -122,7 +122,7 @@ class UsersController < ApplicationController
 end
 end
- user.save
+ user.save!
 # if first user was added, set system init done
 if count <= 2
diff --git a/app/models/application_model.rb b/app/models/application_model.rb
index 9594295bd..41736ea18 100644
--- a/app/models/application_model.rb
+++ b/app/models/application_model.rb
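Review bot: The bare positional `true` in `object.param_cleanup( params[object.to_app_model_url], true )` does not say what it switches on, and the same applies to `User.param_cleanup(params, true)` in the first users_controller.rb hunk. Because the id is only ignored when the caller opts in, a create path that forgets the flag would still accept a client-supplied id, so each call deserves a comment such as `# true = new object, ignore any client-supplied id`. The enclosing method starts and ends outside the hunk, so what happens when `params[object.to_app_model_url]` is missing cannot be checked from here.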
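Review bot: `user.save!` in the second users_controller.rb hunk now raises on a failed validation where `user.save` only returned false, and the `rescue` that presumably belongs to the `begin` opened earlier in `create` is outside this hunk. Confirm that it turns `ActiveRecord::RecordInvalid` into a client error response rather than an unhandled 500, and that the message sent back carries no more than the validation text. A short comment would record why the bang form is used: `# save! so the system-init step below never runs for an unsaved user`.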
@@ -57,18 +57,28 @@ remove all not used model attributes of params
 result = Model.param_cleanup(params)
+ for object creation, ignore id's
+
+ result = Model.param_cleanup(params, true)
+
+
 returns
 result = params # params with valid attributes of model
 =end
- def self.param_cleanup(params)
+ def self.param_cleanup(params, newObject = false)
 if params == nil
 raise "No params for #{self.to_s}!"
 end
+ # ignore id for new objects
+ if newObject && params[:id]
+ params[:id] = nil
+ end
+
 # only use object attributes
 data = {}
 self.new.attributes.each {|item|
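Review bot: `params[:id] = nil` writes into the hash the caller passed in and only matches the `:id` key form, so a plain Hash keyed by the string `'id'` would keep its value; whether that can occur depends on what callers pass, which is not visible here. Skipping the attribute while building the result avoids both problems, for example `next if newObject && item[0] == 'id'` as the first line of the `self.new.attributes.each` block, instead of mutating `params`. The `newObject = false` default also leaves the guard off unless every create path remembers to pass `true`, and the parameter would conventionally be named `new_object`. The method body continues past the end of the hunk.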