attribute_ext 1.0.1 → 1.1.0

data/README.md

@@ -19,27 +19,52 @@ You can also install AttributeExt as a rails plugin by cloning the repository to
 `vendor/plugins`.
 
 
-Changelog
----------
+AttributeExt::SafeAttributes
+----------------------------
 
-Sep 1, 2011
+Protects attributes from mass assignment using rails mass assignment authorizer.
+Also support Proc blocks.
 
-HiddenAttributes works on included model when serializing to json by hooking 
-into serializable_hash now. Therefore it is possible to hide attributes when
-serializing to hash via serializable_hash method too. 
-But by default rules will not be checked on serializable_hash, you have to 
-add `:on_hash => true` to hide_attributes to enabled it for this rule.
+Examples:
 
-Update: SafeAttributes works now with Rails 3.1 mass_assignment_authorizer that 
-provides a role and pass this role to if and unless blocks as second
-parameter. Not tested but should also work with old mass_assignment_authorizer.
+Always allow mass assignment for attribute.
+
+	class User < ActiveRecord::Base
+	  safe_attributes :attribute
+	end
+
+Attributes 'login', 'admin' and 'status' can only be mass assigned if current 
+user is an admin.
+
+	class User < ActiveRecord::Base
+	  safe_attributes :login, :admin, :status, :if => Proc.new { User.current.admin? }
+	end
+  
+Message text can not be mass assigned when post is locked.
+
+	class Message < ActiveRecord::Base
+	  safe_attributes :text, :unless => Proc.new { |msg| msg.locked? }
+	end
+	
+With Rails 3 a role can be given when creating or updating an model. This 
+role will also be available in SafeAttributes.
+
+	class User < ActiveRecord::Base
+	  safe_attributes :login, :as => :admin
+	end
+	
+or
+
+	class User < ActiveRecord::Base
+	  safe_attributes :login, :if => Proc.new { |user,role| role == :admin }
+	end
 
 
 AttributeExt::HiddenAttributes
 ------------------------------
 
 Hides attributes when converting model to XML or JSON. Attributes can be 
-dynamically hidden using if or unless Procs.
+dynamically hidden using if or unless Procs. 
 
 Examples:
 
@@ -66,6 +91,16 @@ Only hide email when serialzing to json.
 	  hide_attributes :email, :if => Proc.new { |user, format| format == :json }
 	end
 	
+Simpler format conditions can be defined using :only and :except parameters:
+
+	class User < ActiveRecord::Base
+	  hide_attributes :email, :only => :json
+	  hide_attributes :special_attr, :except => [:xml, :json]
+	end
+	
+Both parameters accept single attributes and arrays. When :only or :except is 
+given the :on_hash option will be ignored.
+	
 Hide user_id if associated user model will be included. This rule will also
 apply when calling serializable_hash.
 
@@ -74,34 +109,32 @@ apply when calling serializable_hash.
 	  hide_attributes :user_id, :on_hash => true, :if => Proc.new { |event, format, opts| opts[:include].include?(:user) }
 	end
 
+By default rules *do not* apply when serializing to hash.
 
-AttributeExt::SafeAttributes
-----------------------------
 
-Protects attributes from mass assignment using rails mass assignment authorizer.
-Also support Proc blocks.
+Changelog
+---------
 
-Examples:
+Sep 22, 2011
 
-Always allow mass assignment for attribute.
+Nearly all features are successfully tested using a fake environment now.
+SafeAttributes provides a new quick role validation using the :as parameters and
+HiddenAttributes can apply rules only to specific formats via :only and :except 
+parameters.
 
-	class User < ActiveRecord::Base
-	  safe_attributes :attribute
-	end
+Sep 1, 2011
 
-Attributes 'login', 'admin' and 'status' can only be mass assigned if current 
-user is an admin.
+HiddenAttributes works on included model when serializing to json by hooking 
+into serializable_hash now. Therefore it is possible to hide attributes when
+serializing to hash via serializable_hash method too. 
+But by default rules will not be checked on serializable_hash, you have to 
+add `:on_hash => true` to hide_attributes to enabled it for this rule.
+
+Update: SafeAttributes works now with Rails 3.1 mass_assignment_authorizer that 
+provides a role and pass this role to if and unless blocks as second
+parameter. Not tested but should also work with old mass_assignment_authorizer.
 
-	class User < ActiveRecord::Base
-	  safe_attributes :login, :admin, :status, :if => Proc.new { User.current.admin? }
-	end
-  
-Message text can not be mass assigned when post is locked.
 
-	class Message < ActiveRecord::Base
-	  safe_attributes :text, :unless => Proc.new { |msg| msg.locked? }
-	end
-  
 License
 -------
 

data/attribute_ext.gemspec

@@ -3,7 +3,7 @@ $:.push File.expand_path("../lib", __FILE__)
 
 Gem::Specification.new do |s|
   s.name        = "attribute_ext"
-  s.version     = "1.0.1"
+  s.version     = "1.1.0"
   s.authors     = ["Jan Graichen"]
   s.email       = ["jan.graichen@altimos.de"]
   s.homepage    = "https://github.com/jgraichen/attribute_ext"

data/init.rb

@@ -1,2 +1,5 @@
 
-require 'attribute_ext'
+require 'attribute_ext'
+
+ActiveRecord::Base.send :include, AttributeExt::HiddenAttributes
+ActiveRecord::Base.send :include, AttributeExt::SafeAttributes

data/lib/attribute_ext.rb

@@ -1,6 +1,4 @@
 
 require 'attribute_ext/hidden_attributes'
 require 'attribute_ext/safe_attributes'
-
-ActiveRecord::Base.send :include, AttributeExt::HiddenAttributes
-ActiveRecord::Base.send :include, AttributeExt::SafeAttributes
+require 'attribute_ext/railtie' if defined?(Rails)

data/lib/attribute_ext/hidden_attributes.rb

@@ -14,55 +14,68 @@ module AttributeExt
           @hidden_attributes
         else
           options = attrs.last.is_a?(Hash) ? attrs.pop : {}
-          @hidden_attributes << [attrs, options]
+          @hidden_attributes << [attrs, hide_attributes_opts(options)]
         end
       end
+      
+      private
+      def hide_attributes_opts(options)
+        opts = { :except => [], :only => [] }
+        opts[:except] += options[:except].is_a?(Array) ? options[:except] : [options[:except]] if options[:except]
+        opts[:only]   += options[:only].is_a?(Array)   ? options[:only]   : [options[:only]]   if options[:only]
+        opts[:if]     = options[:if] if options[:if].is_a?(Proc)
+        opts[:unless] = options[:unless] if options[:unless].is_a?(Proc)
+        
+        if opts[:except].empty? && opts[:only].empty?
+          opts[:except] += [:hash] unless options[:on_hash]
+        end
+        
+        opts
+      end
     end
   
     def to_xml_with_hidden_attrs(options = nil, &block)
       options ||= {}
-      options[:except] = [] unless options[:except].is_a?(Array)
-      options[:except] += hidden_attribute_names(:xml, options)
+      options[:except] = hidden_attribute_names(:xml, options)
       
       to_xml_without_hidden_attrs(options)
     end
   
     def as_json_with_hidden_attrs(options = nil, &block)
       options ||= {}
-      options[:except] = [] unless options[:except].is_a?(Array)
-      options[:except] += hidden_attribute_names(:json, options)
-      options[:hidden_attributes_json_export] = true
+      options[:except] = hidden_attribute_names(:json, options)
+      options[:hidden_attributes_format] = :json
             
       as_json_without_hidden_attrs(options)
     end
   
     def serializable_hash_with_hidden_attrs(options = nil)
       options ||= {}
-      options[:except] = [] unless options[:except].is_a?(Array)
-      if options[:hidden_attributes_json_export]
-        options[:except] += hidden_attribute_names(:json, options)
-      else
-        options[:except] += hidden_attribute_names(:hash, options)
-      end
+      options[:except] = hidden_attribute_names((options[:hidden_attributes_format] || :hash), options)
       
       serializable_hash_without_hidden_attrs(options)
     end
-  
-    private
     
-    def hidden_attribute_names(format, options)
-      names = []
+    def hidden_attribute_names(format, options = {})
+      if options[:except].is_a?(Array)
+        names = options[:except]
+      else
+        names = []
+        names += options[:except] if options[:except]
+      end
   
       self.class.hide_attributes.collect do |attrs, opts|
-        if (format != :hash or opts[:on_hash]) &&  # only apply rules on hashs when wanted
-            (opts[:if].nil? or hidden_attr_call_block(opts[:if], format, options)) &&       # if block
-            (opts[:unless].nil? or !hidden_attr_call_block(opts[:unless], format, options)) # unless block
-          names += attrs.collect(&:to_s)
-        end
+        next unless opts[:only].empty? or opts[:only].include?(format)
+        next unless opts[:except].empty? or !opts[:except].include?(format)
+        next unless opts[:if].nil? or hidden_attr_call_block(opts[:if], format, options)
+        next unless opts[:unless].nil? or !hidden_attr_call_block(opts[:unless], format, options)
+        
+        names += attrs.collect(&:to_s)
       end
       names.uniq
     end
-    
+  
+    private
     def hidden_attr_call_block(block, format, opts)
       case block.arity
       when 0

data/lib/attribute_ext/railtie.rb

@@ -0,0 +1,11 @@
+
+module AttributeExt
+  class Railtie < Rails::Railtie
+    initializer 'attribute_ext' do |app|
+      ActiveSupport.on_load :active_record do
+        ActiveRecord::Base.send :include, AttributeExt::HiddenAttributes
+        ActiveRecord::Base.send :include, AttributeExt::SafeAttributes
+      end
+    end
+  end
+end

data/lib/attribute_ext/safe_attributes.rb

@@ -2,6 +2,7 @@ module AttributeExt
   module SafeAttributes
     def self.included(base)
       base.extend(ClassMethods)
+      base.alias_method_chain :mass_assignment_authorizer, :safe_attrs
     end
 
     module ClassMethods
@@ -11,22 +12,38 @@ module AttributeExt
           @safe_attributes
         else
           options = attrs.last.is_a?(Hash) ? attrs.pop : {}
-          @safe_attributes << [attrs, options]
+          @safe_attributes << [attrs, safe_attributes_opts(options)]
         end
       end
+      
+      private
+      def safe_attributes_opts(options)
+        opts = { :as => [] }
+        opts[:as]    += options[:as].is_a?(Array) ? options[:as] : [options[:as]] if options[:as]
+        opts[:if]     = options[:if] if options[:if].is_a?(Proc)
+        opts[:unless] = options[:unless] if options[:unless].is_a?(Proc)
+        opts
+      end
+    end
+
+    def mass_assignment_authorizer_with_safe_attrs(role = nil)
+      attrs = role.nil? ? mass_assignment_authorizer_without_safe_attrs : mass_assignment_authorizer_without_safe_attrs(role)
+      attrs += safe_attribute_names(role ? role : :default)
     end
 
     def safe_attribute_names(role = :default)
       names = []
       self.class.safe_attributes.collect do |attrs, options|
-        if (options[:if].nil? || safe_attrs_call_block(options[:if], role)) &&        # if
-            (options[:unless].nil? || !safe_attrs_call_block(options[:unless], role)) # unless
-          names += attrs.collect(&:to_s)
-        end
+        next unless options[:as].empty? or options[:as].include?(role)
+        next unless options[:if].nil? or safe_attrs_call_block(options[:if], role)
+        next unless options[:unless].nil? or !safe_attrs_call_block(options[:unless], role)
+
+        names += attrs.collect(&:to_s)
       end
       names.uniq
     end
     
+    private
     def safe_attrs_call_block(block, role)
       case block.arity
       when 0
@@ -37,13 +54,5 @@ module AttributeExt
         return block.call(self, role)
       end
     end
-
-    def mass_assignment_authorizer(role = nil)
-      if role.nil?
-        super + safe_attribute_names(:default)
-      else
-        super(role) + safe_attribute_names(role)
-      end
-    end
   end
 end

data/spec/hidden_attributes_spec.rb

@@ -0,0 +1,151 @@
+
+require File.dirname(__FILE__) + '/spec_helper'
+
+describe AttributeExt::HiddenAttributes do
+  
+  it 'can hide attributes always' do
+    user = User.new
+    
+    user.hidden_attribute_names(:format).should include('attribute')
+  end
+  
+  it 'can hide attributes using an if condition' do
+    user = User.new
+    user.hidden_attribute_names(:format).should_not include('attribute_if')
+    
+    user = User.new :if => true
+    user.hidden_attribute_names(:format).should include('attribute_if')
+  end
+  
+  it 'can hide attributes using an unless condition' do
+    user = User.new
+    user.hidden_attribute_names(:format).should_not include('attribute_unless')
+    
+    user = User.new :unless => false
+    user.hidden_attribute_names(:format).should include('attribute_unless')
+  end
+  
+  it 'can hide attributes using an if and unless condition' do
+    user = User.new
+    user.hidden_attribute_names(:format).should_not include('attribute_if_unless')
+    
+    user = User.new :if => true
+    user.hidden_attribute_names(:format).should_not include('attribute_if_unless')
+    
+    user = User.new :unless => false
+    user.hidden_attribute_names(:format).should_not include('attribute_if_unless')
+    
+    user = User.new :unless => false, :if => true
+    user.hidden_attribute_names(:format).should include('attribute_if_unless')
+  end
+  
+  it 'can hide attributes using an if condition with format argument' do
+    user = User.new
+    user.hidden_attribute_names(:not_format).should_not include('attribute_if_format')
+    user.hidden_attribute_names(:format).should include('attribute_if_format')
+  end
+  
+  it 'can hide attributes using an unless condition with format argument' do
+    user = User.new
+    user.hidden_attribute_names(:format).should_not include('attribute_unless_format')
+    user.hidden_attribute_names(:not_format).should include('attribute_unless_format')
+  end
+  
+  it 'can hide attributes using an if condition with options argument' do
+    user = User.new
+    user.hidden_attribute_names(:format, {:hide => true}).should_not include('attribute_if_opts')
+    user.hidden_attribute_names(:format, {:hide => false}).should include('attribute_if_opts')
+  end
+  
+  it 'can hide attributes using an unless condition with options argument' do
+    user = User.new
+    user.hidden_attribute_names(:format, {:hide => false}).should_not include('attribute_unless_opts')
+    user.hidden_attribute_names(:format, {:hide => true}).should include('attribute_unless_opts')
+  end
+  
+  it 'only applies rules to hash if wanted' do
+    user = User.new
+    user.hidden_attribute_names(:hash).should_not include('attribute')
+    user.hidden_attribute_names(:hash).should include('attribute_hash')
+  end
+  
+  it 'only applies rules to hash if wanted (if condition)' do
+    user = User.new :if => true
+    user.hidden_attribute_names(:hash).should_not include('attribute_if')
+    user.hidden_attribute_names(:hash).should include('attribute_if_hash')
+  end
+  
+  it 'only applies rules to hash if wanted (unless condition)' do
+    user = User.new :unless => false
+    user.hidden_attribute_names(:hash).should_not include('attribute_unless')
+    user.hidden_attribute_names(:hash).should include('attribute_unless_hash')
+  end
+  
+  it 'only applies rules to given format (only option)' do
+    formats = [:json, :hash, :xml]
+    user = User.new
+    
+    formats.each do |f|
+      formats.each do |f2|
+        if f == f2
+          user.hidden_attribute_names(f).should include("attribute_only_#{f2}")
+        else
+          user.hidden_attribute_names(f).should_not include("attribute_only_#{f2}")
+        end
+      end
+    end
+  end
+  
+  it 'only applies rules to given format (except option)' do
+    formats = [:json, :xml, :hash]
+    user = User.new
+    
+    formats.each do |f|
+      formats.each do |f2|
+        if f == f2
+          user.hidden_attribute_names(f).should_not include("attribute_except_#{f2}")
+        else
+          user.hidden_attribute_names(f).should include("attribute_except_#{f2}")
+        end
+      end
+    end
+  end
+  
+  it 'only applies rules to given formats (only option)' do
+    user = User.new
+    
+    user.hidden_attribute_names(:json).should_not include("attribute_only_xml_txt")
+    user.hidden_attribute_names(:hash).should_not include("attribute_only_xml_txt")
+    user.hidden_attribute_names(:xml).should include("attribute_only_xml_txt")
+    user.hidden_attribute_names(:txt).should include("attribute_only_xml_txt")
+  end
+  
+  it 'only applies rules to given formats (except option)' do
+    user = User.new
+    
+    user.hidden_attribute_names(:json).should include("attribute_except_xml_txt")
+    user.hidden_attribute_names(:hash).should include("attribute_except_xml_txt")
+    user.hidden_attribute_names(:xml).should_not include("attribute_except_xml_txt")
+    user.hidden_attribute_names(:txt).should_not include("attribute_except_xml_txt")
+  end
+  
+  it 'supports json export' do
+    user = User.new
+    user.hidden_attribute_names(:json).should == user.as_json[:except]
+  end
+  
+  it 'supports deep json export via serializable hash (depends on rails)' do
+    user = User.new
+    user.hidden_attribute_names(:json).should == user.as_json({:include => true})[:except]
+  end
+  
+  it 'supports xml export' do
+    user = User.new
+    user.hidden_attribute_names(:xml).should == user.to_xml[:except]
+  end
+  
+  it 'supports hash export' do
+    user = User.new
+    user.hidden_attribute_names(:hash).should == user.serializable_hash[:except]
+  end
+end

data/spec/safe_attributes_spec.rb

@@ -0,0 +1,65 @@
+
+require File.dirname(__FILE__) + '/spec_helper'
+
+describe AttributeExt::HiddenAttributes do
+  
+  it 'uses mass assignment authorizer' do
+    user = User.new
+    
+    user.mass_assignment_authorizer.should include('always_there')
+  end
+  
+  it 'uses mass assignment authorizer with role' do
+    user = User.new
+    
+    user.mass_assignment_authorizer(:admin).should include('admin_role')
+  end
+  
+  it 'can whitelist attributes' do
+    user = User.new
+    
+    user.mass_assignment_authorizer.should include('always')
+  end
+  
+  it 'can whitelist attributes using an if condition' do
+    user = User.new
+    user.mass_assignment_authorizer.should_not include('attribute_if')
+    
+    user = User.new :if => true
+    user.mass_assignment_authorizer.should include('attribute_if')
+  end
+  
+  it 'can whitelist attributes using an unless condition' do
+    user = User.new
+    user.mass_assignment_authorizer.should_not include('attribute_unless')
+    
+    user = User.new :unless => false
+    user.mass_assignment_authorizer.should include('attribute_unless')
+  end
+  
+  it 'can whitelist attributes using an if and an unless condition' do
+    user = User.new
+    user.mass_assignment_authorizer.should_not include('attribute_if_unless')
+    user = User.new :if => true
+    user.mass_assignment_authorizer.should_not include('attribute_if_unless')
+    user = User.new :unless => false
+    user.mass_assignment_authorizer.should_not include('attribute_if_unless')
+    
+    user = User.new :if => true, :unless => false
+    user.mass_assignment_authorizer.should include('attribute_if_unless')
+  end
+  
+  it 'can whitelist attributes checking role in if condition' do
+    user = User.new
+    user.mass_assignment_authorizer(:default).should_not include('attribute_if_admin')
+    user = User.new
+    user.mass_assignment_authorizer(:admin).should include('attribute_if_admin')
+  end
+  
+  it 'can whitelist attributes checking role in unless condition' do
+    user = User.new
+    user.mass_assignment_authorizer(:default).should include('attribute_unless_admin')
+    user = User.new
+    user.mass_assignment_authorizer(:admin).should_not include('attribute_unless_admin')
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,8 @@
+
+require File.dirname(__FILE__) + '/support/fake_environment'
+require File.dirname(__FILE__) + '/../init'
+require File.dirname(__FILE__) + '/support/stub'
+
+RSpec.configure do |config|
+  config.mock_with :rspec
+end

data/spec/support/fake_environment.rb

@@ -0,0 +1,29 @@
+
+module ActiveRecord
+  class Base
+    def as_json(options)
+      if options[:include]
+        serializable_hash(options)
+      else
+        options
+      end
+    end
+    
+    def to_xml(options)
+      options
+    end
+    
+    def serializable_hash(options)
+      options
+    end
+    
+    def mass_assignment_authorizer(role = :default)
+      ['always_there', "role=#{role}"]
+    end
+    
+    def self.alias_method_chain(target, feature)
+      alias_method "#{target}_without_#{feature}", target
+      alias_method target, "#{target}_with_#{feature}"
+    end
+  end
+end

data/spec/support/stub.rb

@@ -0,0 +1,64 @@
+
+class User < ActiveRecord::Base
+  
+  attr_accessor :opts
+  
+  hide_attributes :attribute
+  hide_attributes :attribute_hash, :on_hash => true
+  
+  hide_attributes :attribute_if, 
+    :if => Proc.new { |user| user.opts[:if] }
+  hide_attributes :attribute_if_hash, :on_hash => true, 
+    :if => Proc.new { |user| user.opts[:if] }
+  
+  hide_attributes :attribute_unless, 
+    :unless => Proc.new { |user| user.opts[:unless] }
+  hide_attributes :attribute_unless_hash, :on_hash => true, 
+    :unless => Proc.new { |user| user.opts[:unless] }
+  
+  hide_attributes :attribute_if_unless, 
+    :if => Proc.new { |user| user.opts[:if] } , 
+    :unless => Proc.new { |user| user.opts[:unless] }
+    
+  hide_attributes :attribute_if_format, 
+    :if => Proc.new { |u,format| format == :format }
+  
+  hide_attributes :attribute_unless_format, 
+    :unless => Proc.new { |u,format| format == :format }
+  
+  hide_attributes :attribute_if_opts, 
+    :if => Proc.new { |u,format,opts| opts[:hide] == false }
+  
+  hide_attributes :attribute_unless_opts, 
+    :unless => Proc.new { |u,format,opts| opts[:hide] == false }
+    
+  hide_attributes :attribute_only_xml, :only => :xml
+  hide_attributes :attribute_only_json, :only => :json
+  hide_attributes :attribute_only_hash, :only => :hash
+  hide_attributes :attribute_except_xml, :except => :xml
+  hide_attributes :attribute_except_json, :except => :json
+  hide_attributes :attribute_except_hash, :except => :hash
+  hide_attributes :attribute_only_xml_txt, :only => [:xml, :txt]
+  hide_attributes :attribute_except_xml_txt, :except => [:xml, :txt]
+  
+  safe_attributes :always
+  safe_attributes :admin_role, :as => :admin
+  safe_attributes :attribute_if, 
+    :if => Proc.new { |user| user.opts[:if] }
+  safe_attributes :attribute_unless, 
+    :unless => Proc.new { |user| user.opts[:unless] }
+  safe_attributes :attribute_if_unless, 
+    :if => Proc.new { |user| user.opts[:if] }, 
+    :unless => Proc.new { |user| user.opts[:unless] }
+  safe_attributes :attribute_if_admin,
+    :if => Proc.new { |user,role| role == :admin}
+  safe_attributes :attribute_unless_admin,
+    :unless => Proc.new { |user,role| role == :admin}
+  
+  def initialize(opts = {})
+    @opts = {
+      :if => false,
+      :unless => true
+    }.merge(opts.is_a?(Hash) ? opts : {})
+  end
+end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: attribute_ext
 version: !ruby/object:Gem::Version 
-  hash: 21
+  hash: 19
   prerelease: 
   segments: 
   - 1
-  - 0
   - 1
-  version: 1.0.1
+  - 0
+  version: 1.1.0
 platform: ruby
 authors: 
 - Jan Graichen
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-09-20 00:00:00 Z
+date: 2011-09-22 00:00:00 Z
 dependencies: []
 
 description: AttributeExt provides additional access control for rails model attributes.
@@ -36,7 +36,13 @@ files:
 - init.rb
 - lib/attribute_ext.rb
 - lib/attribute_ext/hidden_attributes.rb
+- lib/attribute_ext/railtie.rb
 - lib/attribute_ext/safe_attributes.rb
+- spec/hidden_attributes_spec.rb
+- spec/safe_attributes_spec.rb
+- spec/spec_helper.rb
+- spec/support/fake_environment.rb
+- spec/support/stub.rb
 homepage: https://github.com/jgraichen/attribute_ext
 licenses: []