ardm-rails 1.2.1 → 1.3.0
- checksums.yaml +4 -4
- data/.travis.yml +1 -0
- data/Gemfile +4 -3
- data/README.rdoc +1 -1
- data/lib/dm-rails/configuration.rb +1 -1
- data/lib/dm-rails/mass_assignment_security.rb +75 -72
- data/lib/dm-rails/multiparameter_attributes.rb +1 -1
- data/lib/dm-rails/session_store.rb +12 -5
- data/lib/dm-rails/setup.rb +18 -11
- data/lib/dm-rails/storage.rb +6 -5
- data/lib/dm-rails/version.rb +1 -1
- data/spec/spec.opts +0 -1
- data/spec/unit/mass_assignment_security_spec.rb +37 -29
- data/spec/unit/multiparameter_attributes_spec.rb +2 -2
- metadata +2 -3
- data/VERSION +0 -1
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 2933e49f63b73ee07f74e9ff9a0dcb1694061d4d
|
4
|
+
data.tar.gz: 0585a03a45a67aa3d91a07dd10c3f78347e5c9aa
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 587d9b29fdcde870d34e5fb8a19f10f5b12d4891f858eb5b8cd7f350fc503eab2df584d9f1363e252e310c326360c5390eb4a19f8eef506508795b4ee22182b3
|
7
|
+
data.tar.gz: f34b82f1552aa789167e7d5acd6ed6bdfeb082f5cd0bd17860c070ca6c05ea2dbd047efe8251c49c0e981355401a98506d2752c6165d4403662504ad481c0347
|
data/.travis.yml
CHANGED
data/Gemfile
CHANGED
@@ -8,18 +8,19 @@ SOURCE = ENV.fetch('SOURCE', :git).to_sym
|
|
8
8
|
REPO_POSTFIX = SOURCE == :path ? '' : '.git'
|
9
9
|
DATAMAPPER = SOURCE == :path ? Pathname(__FILE__).dirname.parent : 'http://github.com/ar-dm'
|
10
10
|
DM_VERSION = '~> 1.2.0'
|
11
|
-
DO_VERSION = '~> 0.10.
|
12
|
-
RAILS_VERSION = '
|
11
|
+
DO_VERSION = '~> 0.10.12'
|
12
|
+
RAILS_VERSION = [ '>= 3.0', '< 5.0' ]
|
13
13
|
DM_DO_ADAPTERS = %w[ sqlite postgres mysql oracle sqlserver ]
|
14
14
|
CURRENT_BRANCH = ENV.fetch('GIT_BRANCH', 'master')
|
15
15
|
|
16
16
|
# DataMapper dependencies
|
17
|
-
gem 'ardm-core', DM_VERSION, SOURCE => "#{DATAMAPPER}/ardm-core#{REPO_POSTFIX}",
|
17
|
+
gem 'ardm-core', DM_VERSION, SOURCE => "#{DATAMAPPER}/ardm-core#{REPO_POSTFIX}", :branch => CURRENT_BRANCH
|
18
18
|
gem 'ardm-active_model', DM_VERSION, SOURCE => "#{DATAMAPPER}/ardm-active_model#{REPO_POSTFIX}", :branch => CURRENT_BRANCH
|
19
19
|
|
20
20
|
# Rails dependencies
|
21
21
|
gem 'actionpack', RAILS_VERSION, :require => 'action_pack'
|
22
22
|
gem 'railties', RAILS_VERSION, :require => 'rails'
|
23
|
+
gem 'protected_attributes'
|
23
24
|
|
24
25
|
group :datamapper do
|
25
26
|
adapters = ENV['ADAPTER'] || ENV['ADAPTERS']
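Review bot: `gem 'protected_attributes'` is added with no version constraint, so a fresh `bundle install` resolves to whatever the newest release is, while this gem's `mass_assignment_security.rb` reaches into that library's `Sanitizer` internals — a major bump could change the method being overridden without anything here noticing. Give it the same kind of bound the other dependencies carry, e.g. `gem 'protected_attributes', '~> 1.0'` if 1.0.x is what the suite was run against. Separately, the git sources in context are built from `DATAMAPPER = ... 'http://github.com/ar-dm'` and tracked by `:branch => CURRENT_BRANCH`, so, absent a committed Gemfile.lock, there is neither transport integrity nor a pinned revision; `https://github.com/ar-dm` plus a `:ref`/`:tag` would give both. The `group :datamapper do` block continues past the end of the hunk.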
|
data/README.rdoc
CHANGED
@@ -151,7 +151,7 @@ Using {bundler}[http://github.com/carlhuda/bundler] it's really easy to get an a
|
|
151
151
|
|
152
152
|
DataMapper supports connecting to and working with multiple repositories easily. In order to be able to take full advantage of that feature in rails, you can configure as many repositories for your different environments as you wish. All you need to do is follow some simple naming conventions and you're good to go. Have a look at the #{adapter}_defaults declarations in the sample files below. That's the only convention you need to follow. Your default declarations should always end with "defaults". This is necessary for dm-rails to not confuse these with any of your environment declarations. In fact, dm-rails looks at the content of your database.yml and rejects every key that matches /defaults/. The remaining entries represent the repository configurations for the available environments.
|
153
153
|
|
154
|
-
An example for setting up a single repository for every environment.
|
154
|
+
An example for setting up a single repository for every environment. This will setup an implicit 'default' repository.
|
155
155
|
|
156
156
|
defaults: &defaults
|
157
157
|
adapter: mysql
|
@@ -24,7 +24,7 @@ module Rails
|
|
24
24
|
environment, config = pair.first, pair.last
|
25
25
|
repositories[environment] = begin
|
26
26
|
c = config['repositories'] || {}
|
27
|
-
c['default']
|
27
|
+
c['default'] ||= config.except('repositories') if config.except('repositories')
|
28
28
|
normalize_repository_config(c)
|
29
29
|
end
|
30
30
|
repositories
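Review bot: The guard `if config.except('repositories')` on the new `c['default'] ||=` line can never be false: `Hash#except` always returns a Hash, and an empty Hash is truthy in Ruby, so an environment whose only key is `repositories` still gets `c['default'] ||= {}` installed as an implicit default repository and handed to `normalize_repository_config`. Compute the remainder once and test it for emptiness: `top_level = config.except('repositories')` / `c['default'] ||= top_level unless top_level.empty?`. The enclosing method begins before this hunk and its `end` is not shown, and whether `normalize_repository_config` tolerates an empty default is not visible here.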
|
@@ -3,87 +3,90 @@ require 'active_support/core_ext/class/attribute'
|
|
3
3
|
require 'active_support/concern'
|
4
4
|
require 'active_model'
|
5
5
|
|
6
|
-
|
7
|
-
module
|
8
|
-
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
|
6
|
+
if defined?(::ActiveModel::MassAssignmentSecurity)
|
7
|
+
module ActiveModel
|
8
|
+
module MassAssignmentSecurity
|
9
|
+
# Provides a patched version of the Sanitizer used in Rails to handle property
|
10
|
+
# and relationship objects as keys. There is no way to inject a custom sanitizer
|
11
|
+
# without reimplementing the permission sets.
|
12
|
+
Sanitizer.send(Sanitizer.is_a?(Module) ? :module_eval : :class_eval) do
|
13
|
+
# Returns all attributes not denied by the authorizer.
|
14
|
+
#
|
15
|
+
# @param [Hash{Symbol,String,::DataMapper::Property,::DataMapper::Relationship=>Object}] attributes
|
16
|
+
# Names and values of attributes to sanitize.
|
17
|
+
# @return [Hash]
|
18
|
+
# Sanitized hash of attributes.
|
19
|
+
def sanitize(attributes, authorizer = nil)
|
20
|
+
sanitized_attributes = attributes.reject do |key, value|
|
21
|
+
key_name = key.name rescue key
|
22
|
+
authorizer ? authorizer.deny?(key_name) : deny?(key_name)
|
23
|
+
end
|
24
|
+
debug_protected_attribute_removal(attributes, sanitized_attributes)
|
25
|
+
sanitized_attributes
|
22
26
|
end
|
23
|
-
debug_protected_attribute_removal(attributes, sanitized_attributes)
|
24
|
-
sanitized_attributes
|
25
27
|
end
|
26
28
|
end
|
27
29
|
end
|
28
|
-
end
|
29
30
|
|
30
|
-
module DataMapper
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
|
31
|
+
module DataMapper
|
32
|
+
# Include this module into a DataMapper model to enable ActiveModel's mass
|
33
|
+
# assignment security.
|
34
|
+
#
|
35
|
+
# To use second parameter of {#attributes=} make sure to include this module
|
36
|
+
# last.
|
37
|
+
module MassAssignmentSecurity
|
38
|
+
extend ::ActiveSupport::Concern
|
39
|
+
|
40
|
+
include ::ActiveModel::MassAssignmentSecurity
|
39
41
|
|
40
|
-
|
41
|
-
|
42
|
+
module ClassMethods
|
43
|
+
extend ::ActiveModel::MassAssignmentSecurity::ClassMethods
|
42
44
|
|
43
|
-
|
44
|
-
|
45
|
+
def logger
|
46
|
+
@logger ||= ::DataMapper.logger
|
47
|
+
end
|
45
48
|
end
|
46
|
-
end
|
47
49
|
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
|
58
|
-
|
59
|
-
|
60
|
-
|
61
|
-
|
62
|
-
|
63
|
-
|
64
|
-
|
65
|
-
|
66
|
-
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
72
|
-
|
73
|
-
|
74
|
-
|
75
|
-
|
76
|
-
|
77
|
-
|
78
|
-
|
79
|
-
|
80
|
-
|
81
|
-
|
82
|
-
|
83
|
-
|
84
|
-
|
85
|
-
|
86
|
-
|
50
|
+
# Sanitizes the specified +attributes+ according to the defined mass-assignment
|
51
|
+
# security rules and calls +super+ with the result.
|
52
|
+
#
|
53
|
+
# Use either +attr_accessible+ to specify which attributes are allowed to be
|
54
|
+
# assigned via {#attributes=}, or +attr_protected+ to specify which attributes
|
55
|
+
# are *not* allowed to be assigned via {#attributes=}.
|
56
|
+
#
|
57
|
+
# +attr_accessible+ and +attr_protected+ are mutually exclusive.
|
58
|
+
#
|
59
|
+
# @param [Hash{Symbol,String,::DataMapper::Property,::DataMapper::Relationship=>Object}] attributes
|
60
|
+
# Names and values of attributes to sanitize.
|
61
|
+
# @param [Boolean] guard_protected_attributes
|
62
|
+
# Determines whether mass-security rules are applied (when +true+) or not.
|
63
|
+
# @return [Hash]
|
64
|
+
# Sanitized hash of attributes.
|
65
|
+
# @api public
|
66
|
+
#
|
67
|
+
# @example [Usage]
|
68
|
+
# class User
|
69
|
+
# include DataMapper::Resource
|
70
|
+
# include DataMapper::MassAssignmentSecurity
|
71
|
+
#
|
72
|
+
# property :name, String
|
73
|
+
# property :is_admin, Boolean
|
74
|
+
#
|
75
|
+
# # Only allow name to be set via #attributes=
|
76
|
+
# attr_accessible :name
|
77
|
+
# end
|
78
|
+
#
|
79
|
+
# user = User.new
|
80
|
+
# user.attributes = { :username => 'Phusion', :is_admin => true }
|
81
|
+
# user.username # => "Phusion"
|
82
|
+
# user.is_admin # => false
|
83
|
+
#
|
84
|
+
# user.send(:attributes=, { :username => 'Phusion', :is_admin => true }, false)
|
85
|
+
# user.is_admin # => true
|
86
|
+
def attributes=(attributes, guard_protected_attributes = true)
|
87
|
+
attributes = sanitize_for_mass_assignment(attributes) if guard_protected_attributes
|
88
|
+
super(attributes)
|
89
|
+
end
|
87
90
|
end
|
88
91
|
end
|
89
92
|
end
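Review bot: The replacement `sanitize(attributes, authorizer = nil)` hard-codes the two-argument shape of the Rails 3 `Sanitizer#sanitize` and its `debug_protected_attribute_removal` hook, yet the `if defined?(::ActiveModel::MassAssignmentSecurity)` guard is equally satisfied when the `protected_attributes` gem the Gemfile now adds supplies the module; if I recall that gem's API correctly, its sanitizer receives the model class as a leading argument and reports removals through a differently named hook, in which case this override would raise on every mass assignment instead of sanitizing. Before patching, check the method being replaced (e.g. `Sanitizer.instance_method(:sanitize).arity`) and either adapt or skip with a loud warning so API drift fails visibly at boot rather than in a request. `key.name rescue key` swallows every StandardError; `key.respond_to?(:name) ? key.name : key` states the intent (Property/Relationship keys have a name, Symbol/String keys are used as-is) without the blanket rescue, and `Sanitizer.is_a?(Module)` is always true since a Class is a Module, so the ternary can simply be `Sanitizer.class_eval`. In the usage example the model declares `property :name` but the snippet assigns and reads `:username`; align both to `:name` so the documented behaviour matches the declared `attr_accessible`.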
|
@@ -13,8 +13,8 @@ module Rails
|
|
13
13
|
include ::DataMapper::Resource
|
14
14
|
|
15
15
|
property :id, Serial
|
16
|
-
property :session_id, String, :required => true, :unique => true
|
17
|
-
property :data, Object, :required =>
|
16
|
+
property :session_id, String, :required => true, :unique => true, :length => 0..150
|
17
|
+
property :data, Object, :required => false
|
18
18
|
property :updated_at, DateTime, :index => true
|
19
19
|
|
20
20
|
def self.name
|
@@ -27,7 +27,9 @@ module Rails
|
|
27
27
|
|
28
28
|
end
|
29
29
|
|
30
|
-
|
30
|
+
# for backward compatibility with Rails 3.0
|
31
|
+
ENV_SESSION_OPTIONS_KEY = ::Rack::Session::Abstract::ENV_SESSION_OPTIONS_KEY unless const_defined?("ENV_SESSION_OPTIONS_KEY")
|
32
|
+
SESSION_RECORD_KEY = 'rack.session.record'.freeze
|
31
33
|
|
32
34
|
class_attribute :session_class
|
33
35
|
self.session_class = Session
|
@@ -41,7 +43,7 @@ module Rails
|
|
41
43
|
[ sid, session.data ]
|
42
44
|
end
|
43
45
|
|
44
|
-
def set_session(env, sid, session_data)
|
46
|
+
def set_session(env, sid, session_data, options = {})
|
45
47
|
session = get_session_resource(env, sid)
|
46
48
|
session.data = session_data
|
47
49
|
session.updated_at = DateTime.now if session.dirty?
|
@@ -60,8 +62,13 @@ module Rails
|
|
60
62
|
self.class.session_class.first_or_new(:session_id => sid)
|
61
63
|
end
|
62
64
|
|
65
|
+
def destroy_session(env, sid = nil, options = {})
|
66
|
+
sid ||= current_session_id(env)
|
67
|
+
find_session(sid).destroy
|
68
|
+
end
|
69
|
+
|
63
70
|
def destroy(env)
|
64
|
-
|
71
|
+
destroy_session(env)
|
65
72
|
end
|
66
73
|
|
67
74
|
end
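Review bot: The new `destroy_session` returns whatever `find_session(sid).destroy` returns instead of a replacement session id, but the Rack `Abstract::ID` contract this store appears to follow (its `set_session` now takes the Rack 1.5 `options` argument) expects `destroy_session` to hand back a new sid, or nil when `options[:drop]` is set; on `reset_session` — the call Rails and Devise make at login to rotate the id against session fixation — the store would then persist and set the cookie to the boolean result rather than a fresh id, so the rotation silently does not happen. It also calls `.destroy` on `find_session(sid)` unconditionally while `current_session_id(env)` can be nil when no session exists yet, so the (not visible) `find_session` contract decides whether that raises. Return `generate_sid` unless dropping, and tolerate a missing record. `destroy(env)` is fully visible; the enclosing class is not.
```ruby
def destroy_session(env, sid = nil, options = {})
  sid ||= current_session_id(env)
  session = find_session(sid) if sid
  session.destroy if session
  # Rack::Session::Abstract::ID expects the replacement id back, or nil when the session is being dropped
  options[:drop] ? nil : generate_sid
end
```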
|
data/lib/dm-rails/setup.rb
CHANGED
@@ -5,25 +5,32 @@ require 'dm-rails/railties/log_listener'
|
|
5
5
|
|
6
6
|
module Rails
|
7
7
|
module DataMapper
|
8
|
-
|
9
8
|
def self.setup(environment)
|
10
9
|
::DataMapper.logger.info "[datamapper] Setting up the #{environment.inspect} environment:"
|
11
|
-
configuration.repositories[environment]
|
12
|
-
|
10
|
+
env = configuration.repositories[environment] ||= begin
|
11
|
+
database_url = ENV['DATABASE_URL']
|
12
|
+
if database_url.present?
|
13
|
+
{ 'default' => { 'url' => database_url } }
|
14
|
+
else
|
15
|
+
fail KeyError, "The environment #{environment} is unknown"
|
16
|
+
end
|
13
17
|
end
|
18
|
+
env.symbolize_keys.each { |pair| setup_with_instrumentation(*pair) }
|
14
19
|
finalize
|
15
20
|
end
|
16
21
|
|
17
22
|
def self.setup_with_instrumentation(name, options)
|
23
|
+
# The url option is the convention used by rails, while uri is legacy dm-rails
|
24
|
+
url = options.fetch('url', options['uri'])
|
25
|
+
args, database, adapter_name = if url
|
26
|
+
database_uri = ::Addressable::URI.parse(url)
|
27
|
+
[database_uri, database_uri.path[1..-1], database_uri.scheme]
|
28
|
+
else
|
29
|
+
[options, *options.values_at('database', 'adapter')]
|
30
|
+
end
|
18
31
|
|
19
|
-
|
20
|
-
|
21
|
-
::DataMapper.logger.info "[datamapper] Setting up #{name.inspect} repository: '#{database_uri.path}' on #{database_uri.scheme}"
|
22
|
-
::DataMapper.setup(name, database_uri)
|
23
|
-
else
|
24
|
-
::DataMapper.logger.info "[datamapper] Setting up #{name.inspect} repository: '#{options['database']}' on #{options['adapter']}"
|
25
|
-
::DataMapper.setup(name, options)
|
26
|
-
end
|
32
|
+
::DataMapper.logger.info "[datamapper] Setting up #{name.inspect} repository: '#{database}' on #{adapter_name}"
|
33
|
+
adapter = ::DataMapper.setup(name, args)
|
27
34
|
|
28
35
|
if convention = configuration.resource_naming_convention[name]
|
29
36
|
adapter.resource_naming_convention = convention
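Review bot: `setup`'s new fallback is undocumented: when the environment is absent from database.yml it silently builds an implicit `'default'` repository from `ENV['DATABASE_URL']`, and only when that is blank does it raise `KeyError`; nothing above `def self.setup` tells a reader this. Add `# Sets up every repository configured for +environment+; if database.yml has no entry, ENV['DATABASE_URL'] (when set) becomes an implicit 'default' repository, otherwise KeyError is raised.` In `setup_with_instrumentation`, `database_uri.path[1..-1]` is `nil` for a URL with no path component, so the log line prints an empty database name rather than failing — acceptable for a log, but worth a one-line comment since `database` reads like a required value. A malformed `url` also reaches `::Addressable::URI.parse` unguarded, so any `InvalidURIError` surfaces with Addressable's wording instead of one naming the repository; consider rescuing it and re-raising with `name.inspect` in the message. `setup_with_instrumentation` continues past the end of the hunk.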
|
data/lib/dm-rails/storage.rb
CHANGED
@@ -167,13 +167,14 @@ module Rails
|
|
167
167
|
private
|
168
168
|
|
169
169
|
def execute(statement)
|
170
|
-
|
170
|
+
command = [
|
171
171
|
'mysql',
|
172
|
-
|
173
|
-
|
172
|
+
username.present? ? "--user=#{username}" : nil,
|
173
|
+
password.present? ? "--password=#{password}" : nil,
|
174
174
|
'-e',
|
175
|
-
statement
|
176
|
-
|
175
|
+
statement,
|
176
|
+
].compact
|
177
|
+
system(*command)
|
177
178
|
end
|
178
179
|
|
179
180
|
def collation
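Review bot: `"--password=#{password}"` places the MySQL password on the `mysql` command line, where every local user can read it through `ps` or `/proc/<pid>/cmdline` for as long as the client runs; the move to `system(*command)` with an argument array correctly removes the shell-injection surface, but this credential exposure remains. Pass the password through the process environment instead — `system({ 'MYSQL_PWD' => password }, *command)` — which only the process owner can read via `/proc/<pid>/environ` (MySQL's own documentation ranks `MYSQL_PWD` below a `--defaults-extra-file`, which would be the stricter option if a temp file is acceptable here). The return value of `system` is also discarded, so a failing `mysql` invocation goes unnoticed by the storage tasks that call `execute`. The enclosing class begins and ends outside this hunk.
```ruby
def execute(statement)
  command = ['mysql']
  command << "--user=#{username}" if username.present?
  command.push('-e', statement)
  # Keep the password out of argv (world-readable via ps); the environment is readable only by the process owner.
  env = password.present? ? { 'MYSQL_PWD' => password } : {}
  raise "mysql exited with status #{$?.exitstatus.inspect}" unless system(env, *command)
end
```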
|
data/lib/dm-rails/version.rb
CHANGED
data/spec/spec.opts
CHANGED
@@ -1,43 +1,51 @@
|
|
1
1
|
require 'spec_helper'
|
2
|
+
|
3
|
+
begin
|
4
|
+
require 'protected_attributes'
|
5
|
+
rescue LoadError
|
6
|
+
end
|
7
|
+
|
2
8
|
require 'dm-rails/mass_assignment_security'
|
3
9
|
|
4
|
-
|
5
|
-
#
|
6
|
-
|
7
|
-
|
8
|
-
|
9
|
-
|
10
|
-
|
11
|
-
|
10
|
+
if defined?(DataMapper::MassAssignmentSecurity)
|
11
|
+
# Because mass-assignment security is based on ActiveModel we just have to
|
12
|
+
# ensure that ActiveModel is called.
|
13
|
+
describe DataMapper::MassAssignmentSecurity do
|
14
|
+
before :all do
|
15
|
+
class Fake
|
16
|
+
super_module = Module.new do
|
17
|
+
def _super_attributes=(*args)
|
18
|
+
end
|
12
19
|
|
13
|
-
|
14
|
-
|
20
|
+
def attributes=(*args)
|
21
|
+
self.send(:_super_attributes=, *args)
|
22
|
+
end
|
15
23
|
end
|
16
|
-
|
17
|
-
include super_module
|
24
|
+
include super_module
|
18
25
|
|
19
|
-
|
26
|
+
include ::DataMapper::MassAssignmentSecurity
|
27
|
+
end
|
20
28
|
end
|
21
|
-
end
|
22
29
|
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
+
describe '#attributes=' do
|
31
|
+
it 'calls super with sanitized attributes' do
|
32
|
+
attributes = { :name => 'John', :is_admin => true }
|
33
|
+
sanitized_attributes = { :name => 'John' }
|
34
|
+
model = Fake.new
|
35
|
+
model.should_receive(:sanitize_for_mass_assignment).with(attributes).and_return(sanitized_attributes)
|
36
|
+
model.should_receive(:_super_attributes=).with(sanitized_attributes)
|
30
37
|
|
31
|
-
|
32
|
-
|
38
|
+
model.attributes = attributes
|
39
|
+
end
|
33
40
|
|
34
|
-
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
|
41
|
+
it 'skips sanitation when called with true' do
|
42
|
+
attributes = { :name => 'John', :is_admin => true }
|
43
|
+
sanitized_attributes = { :name => 'John' }
|
44
|
+
model = Fake.new
|
45
|
+
model.should_receive(:_super_attributes=).with(attributes)
|
39
46
|
|
40
|
-
|
47
|
+
model.send(:attributes=, attributes, true)
|
48
|
+
end
|
41
49
|
end
|
42
50
|
end
|
43
51
|
end
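Review bot: The example titled `'skips sanitation when called with true'` exercises the guarded path, not the bypass: in `attributes=(attributes, guard_protected_attributes = true)` a `true` second argument means sanitize, so `model.send(:attributes=, attributes, true)` still calls `sanitize_for_mass_assignment`, and the expectation on `_super_attributes=` with the unsanitized hash appears to hold only because `Fake` declares no `attr_accessible`/`attr_protected` and the default sanitizer lets everything through. Pass `false`, assert the sanitizer is not invoked, and rename the example: `it 'skips sanitation when called with false' do` … `model.should_not_receive(:sanitize_for_mass_assignment)` … `model.send(:attributes=, attributes, false)`. The unused `sanitized_attributes` local in that example can go. Because the `false` path is the one that lets `is_admin`-style attributes through, a regression there is a mass-assignment hole, which is why a test that actually drives it matters.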
|
@@ -108,7 +108,7 @@ describe Rails::DataMapper::MultiparameterAttributes do
|
|
108
108
|
and_return(attributes['composite'])
|
109
109
|
|
110
110
|
composite_property = mock(::DataMapper::Property)
|
111
|
-
composite_property.stub!(:
|
111
|
+
composite_property.stub!(:dump_class).and_return(::Rails::DataMapper::Models::Composite)
|
112
112
|
|
113
113
|
resource = ::Rails::DataMapper::Models::Fake.new
|
114
114
|
resource.stub!(:properties).and_return('composite' => composite_property)
|
@@ -127,7 +127,7 @@ describe Rails::DataMapper::MultiparameterAttributes do
|
|
127
127
|
should_receive(:new).with('a string').and_raise(composite_exception)
|
128
128
|
|
129
129
|
composite_property = mock(::DataMapper::Property)
|
130
|
-
composite_property.stub!(:
|
130
|
+
composite_property.stub!(:dump_class).and_return(::Rails::DataMapper::Models::Composite)
|
131
131
|
|
132
132
|
resource = ::Rails::DataMapper::Models::Fake.new
|
133
133
|
resource.stub!(:properties).and_return('composite' => composite_property)
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: ardm-rails
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.
|
4
|
+
version: 1.3.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Martin Emde
|
@@ -10,7 +10,7 @@ authors:
|
|
10
10
|
autorequire:
|
11
11
|
bindir: bin
|
12
12
|
cert_chain: []
|
13
|
-
date: 2015-01-
|
13
|
+
date: 2015-01-30 00:00:00.000000000 Z
|
14
14
|
dependencies:
|
15
15
|
- !ruby/object:Gem::Dependency
|
16
16
|
name: ardm-core
|
@@ -125,7 +125,6 @@ files:
|
|
125
125
|
- LICENSE
|
126
126
|
- README.rdoc
|
127
127
|
- Rakefile
|
128
|
-
- VERSION
|
129
128
|
- ardm-rails.gemspec
|
130
129
|
- lib/ardm-rails.rb
|
131
130
|
- lib/dm-rails.rb
|
data/VERSION
DELETED
@@ -1 +0,0 @@
|
|
1
|
-
1.2.1
|