actioncontroller-parameter_filter 0.0.1

data/.gitignore

@@ -0,0 +1,4 @@
+*.gem
+.bundle
+Gemfile.lock
+pkg/*

data/Gemfile

@@ -0,0 +1,4 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in activerecord-parameter_filter.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2012 Alex McHale
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.markdown

@@ -0,0 +1,43 @@
+actioncontroller-parameter_filter
+=================================
+
+Summary
+-------
+
+ParameterFilter is a module to mix into ActionController subclasses. It inserts
+a before_filter which will automatically remove any fields in params that are
+not explicitly allowed.
+
+Installation
+------------
+
+Include the following in your Gemfile:
+
+    gem "actioncontroller-parameter_filter"
+
+Usage
+-----
+
+For global security, include the following in your ApplicationController:
+
+    include ParameterFilter
+
+Then, inside each of you controllers, specify what fields you want each action
+to receive:
+
+    # Accept user[email] and user[password] on the create and update actions.
+    accepts :fields => { :user => [ :email, :password ] }, :on => [ :create, :update ]
+
+    # Accept user[email] and user[password] on all actions.
+    accepts fields: { user: %w( email password ) } 
+
+    # Accept q on the search action.
+    accepts field: "q", on: "search"
+
+    # Accept q and sort on the search and index actions.
+    accepts fields: [ :q, :sort ], on: %w( search index )
+
+ParameterFilter should be pretty flexible in what you throw at it.
+
+NOTE: All actions are automatically allowed to receive :controller, :action and
+:id.

data/Rakefile

@@ -0,0 +1 @@
+require "bundler/gem_tasks"

data/actioncontroller-parameter_filter.gemspec

@@ -0,0 +1,24 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "actioncontroller-parameter_filter/version"
+
+Gem::Specification.new do |s|
+  s.name        = "actioncontroller-parameter_filter"
+  s.version     = Activerecord::ParameterFilter::VERSION
+  s.authors     = ["Alex McHale"]
+  s.email       = ["alex@anticlever.com"]
+  s.homepage    = ""
+  s.summary     = %q{A gem to easily filter out unwanted parameters in ActionController.}
+  s.description = %q{A gem to easily filter out unwanted parameters in ActionController.}
+
+  s.rubyforge_project = "actioncontroller-parameter_filter"
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+
+  # specify any dependencies here; for example:
+  # s.add_development_dependency "rspec"
+  # s.add_runtime_dependency "rest-client"
+end

data/lib/actioncontroller-parameter_filter.rb

@@ -0,0 +1,106 @@
+require "actioncontroller-parameter_filter/version"
+
+# When a controller has ParameterFilter included, it will by default remove
+# everything from params. The way to receive parameters is to specifically
+# allow them with accept_fields.
+
+module ActionController
+
+  # accept_fields user: [ :email, :password ]
+  # accept_fields { user: { company: [ :name, :address ] }, on: [ :update, :create ]
+
+  module ParameterFilter
+
+    module ClassMethods
+
+      def accept_fields_parser fields
+        table = {}
+
+        [fields].flatten.compact.uniq.each do |field|
+          case field
+
+          when Symbol, String
+            table[field.to_s] = {}
+
+          when Hash
+            field.each do |key, value|
+              table[key.to_s] = accept_fields_parser value
+            end
+
+          end
+        end
+
+        table
+      end
+
+      def accepts options = {}
+        @_accepted_fields ||= { nil: { controller: {}, action: {}, id: {} } }
+        fields = options[:fields] || options[:field] || {}
+
+        case options[:on]
+        when Array
+          options[:on].each do |k|
+            @_accepted_fields[k.to_s] = accept_fields_parser fields
+          end
+
+        when Symbol, String
+          @_accepted_fields[options[:on].to_s] = accept_fields_parser fields
+
+        else
+          @_accepted_fields[nil] ||= {}
+          @_accepted_fields[nil].merge! accept_fields_parser fields
+
+        end
+      end
+
+    end
+
+    module InstanceMethods
+
+      def remove_filtered_parameters accepted_fields = nil, parameters = nil
+        if !accepted_fields && !parameters
+          accepted_fields = self.class.instance_variable_get("@_accepted_fields")
+          raise [ :af, accepted_fields ].inspect
+          fields = (accepted_fields[nil] || {}).merge(accepted_fields[self.action_name] || {})
+          remove_filtered_parameters fields, self.params
+        elsif parameters
+          accepted_keys = ParameterFilter.field_keys accepted_fields
+          accepted_keys += [ :controller, :action, :id ] if parameters == params
+          parameters.slice! *accepted_keys
+
+          ParameterFilter.each_field accepted_fields do |k, v|
+            remove_filtered_parameters v, parameters[k] if parameters[k].kind_of? Hash
+          end
+        end
+      end
+
+    end
+
+    def self.each_field fields
+      [ fields ].flatten.compact.uniq.each do |f|
+        case f
+        when Hash then f.each { |k, v| yield k, v }
+        when String, Symbol then yield f
+        end
+      end
+    end
+
+    def self.field_keys fields
+      fields.map do |field|
+        case field
+        when Array then field_keys field
+        when Hash then field.keys
+        else field
+        end
+      end.flatten.compact.uniq
+    end
+
+    def self.included base
+      base.send :extend, ClassMethods
+      base.send :include, InstanceMethods
+      base.send :before_filter, :remove_filtered_parameters
+    end
+
+  end
+
+end

data/lib/actioncontroller-parameter_filter/version.rb

@@ -0,0 +1,5 @@
+module Activerecord
+  module ParameterFilter
+    VERSION = "0.0.1"
+  end
+end

metadata

@@ -0,0 +1,53 @@
+--- !ruby/object:Gem::Specification
+name: actioncontroller-parameter_filter
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+  prerelease: 
+platform: ruby
+authors:
+- Alex McHale
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-03-26 00:00:00.000000000 Z
+dependencies: []
+description: A gem to easily filter out unwanted parameters in ActionController.
+email:
+- alex@anticlever.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- LICENSE
+- README.markdown
+- Rakefile
+- actioncontroller-parameter_filter.gemspec
+- lib/actioncontroller-parameter_filter.rb
+- lib/actioncontroller-parameter_filter/version.rb
+homepage: ''
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: actioncontroller-parameter_filter
+rubygems_version: 1.8.11
+signing_key: 
+specification_version: 3
+summary: A gem to easily filter out unwanted parameters in ActionController.
+test_files: []