bullet_train-scope_validator 1.0.1 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: ea9dcbec389cebbb7a24a9d868f080a27a11c29a39276e0dae7416b00265af9f
4
- data.tar.gz: 379772ea2451665352e8a824c60e71d246fbdaeb3dd400d68f8025250243866d
3
+ metadata.gz: 6e6ff9937e99a2db86d2a11e59c2ccb68bad991f08fa9001c0065a402831b7ef
4
+ data.tar.gz: baefbc0f181bd28ec6ef0599f23644e306d7f8f0bea9d5b8400c0dd06ca53c7f
5
5
  SHA512:
6
- metadata.gz: f991bdb484df712fa4020f39690a6d62b900a5c8d62e629bc00b7d8bd124346fe2a3652e1be0a230dbf7aa21a1352791f3727474d1aebc9aaf22735b57ccf2c7
7
- data.tar.gz: 8f7a628c033553e81313e42912567d16237212e284ff0eb7a270a22fa1ccbd026fb24734c53c7e56a3405f252372fde56075d154cb52bafca4a76698b5dd3325
6
+ metadata.gz: 8280fcc5d0c7108eecf676fb46091f7beba8d69f5ca717f170b00e06069197def6026f3fec272375dd8f499400ac99ee235417f2fd8192b6c6fe3085dc382793
7
+ data.tar.gz: 8b24138c75c75e34c763ac6d184401462a85b282f8a2f7618b26ee8faa3fa5e8b3ffaaea04737ff60f3d36437a10a6526898f4cb2daa5332cb5bdd08bc7dbd76
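Review bot: nothing in this package signs these digests (the metadata hunk further down still shows `cert_chain: []` and an empty `signing_key:`), so the new SHA256/SHA512 values are the only integrity evidence for 1.2.0. Before depending on this release, fetch the .gem, hash its `metadata.gz` and `data.tar.gz` members yourself and compare against the `+` values here rather than trusting the rendered diff; longer term, set `spec.signing_key` and `spec.cert_chain` in the gemspec so consumers can install with a `--trust-policy` instead of relying on registry checksums alone.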
data/Gemfile.lock CHANGED
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- bullet_train-scope_validator (1.0.1)
4
+ bullet_train-scope_validator (1.2.0)
5
5
 
6
6
  GEM
7
7
  remote: https://rubygems.org/
@@ -36,6 +36,7 @@ GEM
36
36
  unicode-display_width (2.1.0)
37
37
 
38
38
  PLATFORMS
39
+ arm64-darwin-20
39
40
  arm64-darwin-21
40
41
 
41
42
  DEPENDENCIES
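Review bot: the added `+ arm64-darwin-20` under PLATFORMS is a maintainer-machine artifact, not a change any consumer needs; a `Gemfile.lock` shipped inside the gem's `data/` is ignored by Bundler in downstream applications anyway, so consider dropping it from the gemspec's file list so platform churn stops appearing in release diffs.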
data/LICENSE.txt CHANGED
@@ -1,6 +1,6 @@
1
1
  The MIT License (MIT)
2
2
 
3
- Copyright (c) 2022 Andrew Culver
3
+ Copyright (c) 2022 Bullet Train, Inc.
4
4
 
5
5
  Permission is hereby granted, free of charge, to any person obtaining a copy
6
6
  of this software and associated documentation files (the "Software"), to deal
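Review bot: the copyright holder changes from `Andrew Culver` to `Bullet Train, Inc.` while the MIT terms themselves are untouched; this is a rights reassignment rather than a code change and deserves an explicit line in the release notes, and the `authors:` field in the metadata hunk below still lists only Andrew Culver, so the two should be reconciled if the company is now the rights holder.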
data/README.md CHANGED
@@ -1,13 +1,10 @@
1
1
  # Bullet Train Scope Validator
2
2
 
3
- Bullet Train Scope Validator provides a simple pattern for protecting `belongs_to` associations from malicious ID
4
- stuffing. It was created by [Andrew Culver](https://twitter.com/andrewculver).
3
+ Bullet Train Scope Validator provides a simple pattern for protecting `belongs_to` associations from malicious ID stuffing. It was created by [Andrew Culver](https://twitter.com/andrewculver) and extracted from [Bullet Train](https://bullettrain.co).
5
4
 
6
5
  ## Illustrating the Problem
7
6
 
8
- By default in a multitenant Rails application, unless special care is given to validating the ID assigned to a
9
- `belongs_to` association, malicious users can stuff arbitrary IDs into their request and cause an application to bleed
10
- data from other tenants.
7
+ By default in a multitenant Rails application, unless special care is given to validating the ID assigned to a `belongs_to` association, malicious users can stuff arbitrary IDs into their request and cause an application to bleed data from other tenants.
11
8
 
12
9
  Consider the following example from a customer relationship management (CRM) system that two competitive companies use:
13
10
 
@@ -49,9 +46,7 @@ class DealsController < ApplicationController
49
46
  end
50
47
  ```
51
48
 
52
- ☝️ Note that Strong Parameters allows `customer_id` to be set by incoming requests and isn't responsible for validating
53
- the value. We also wouldn't _want_ Strong Parameters to be responible for this, since we'd end up with duplicate
54
- validation logic in our API controllers and other places. This is a responsibility of the model.
49
+ ☝️ Note that Strong Parameters allows `customer_id` to be set by incoming requests and isn't responsible for validating the value. We also wouldn't _want_ Strong Parameters to be responible for this, since we'd end up with duplicate validation logic in our API controllers and other places. This is a responsibility of the model.
55
50
 
56
51
  ### Example Form
57
52
 
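Review bot: the reflowed `+` line carries the typo `responible` forward from the removed lines; fix it to `responsible` while the line is being rewritten. The substantive point is right and worth keeping as stated: Strong Parameters only permits `customer_id`, it never checks that the value belongs to the current tenant, so the ownership check has to live in the model where every code path (HTML forms, API controllers, console) goes through it.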
@@ -75,8 +70,7 @@ A malicious user can:
75
70
  - Inspect the DOM and replace the `<select>` element for `customer_id` with an `<input type="text">` element.
76
71
  - Set the value to any number, particularly numbers that are IDs they know don't belong to their account.
77
72
  - Submit the form to create the deal.
78
- - When the deal is shown, it will say "We have a deal with Nintendo!", where "Nintendo" is actually the customer of
79
- another team in the system. ☠️ We've bled customer data across our application's tenant boundary.
73
+ - When the deal is shown, it will say "We have a deal with Nintendo!", where "Nintendo" is actually the customer of another team in the system. ☠️ We've bled customer data across our application's tenant boundary.
80
74
 
81
75
  ## Usage
82
76
 
@@ -92,7 +86,7 @@ gem "bullet_train-scope_validator"
92
86
 
93
87
  Then we add a `scope: true` validation and `def valid_customers` method in the model, like so:
94
88
 
95
- ```
89
+ ```ruby
96
90
  class Deal < ApplicationRecord
97
91
  belongs_to :team
98
92
  belongs_to :customer
@@ -105,13 +99,13 @@ class Deal < ApplicationRecord
105
99
  end
106
100
  ```
107
101
 
108
- Finally, we can also DRY up our form to use the same definition of valid options:
102
+ If you're wondering what the connection between `validates :customer, scope: true` and `def valid_customers` is, it's just a convention that the former will call the latter based on the name of the attibute being validated. We've favored a full-blown method definition for this instead of simply passing in a proc into the validator because having a method allows us to also DRY up our form view to use the same definition of valid options, like so:
109
103
 
110
104
  ```
111
105
  <%= form.collection_select(:customer_id, form.object.valid_customers, :id, :name) %>
112
106
  ```
113
107
 
114
- That's it. You're done! Any attempts to stuff IDs will be met with an "invalid" Active Record error message.
108
+ So with that, you're done! Any attempts to stuff IDs will be met with an "invalid" Active Record error message.
115
109
 
116
110
  ## Contributing
117
111
 
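Review bot: `attibute` in the new explanatory `+` line should be `attribute`, and the ERB snippet that follows (`<%= form.collection_select(:customer_id, form.object.valid_customers, :id, :name) %>`) is still in an untagged fence while the model block in the previous hunk was just changed to ```ruby; tag it ```erb for consistency. It would also help readers to say why sharing `valid_customers` between the validator and the form matters for security: the dropdown and the server-side check are built from the same scoped relation, so they cannot drift apart, and a user who edits the DOM to submit a foreign ID only ever receives the "invalid" error, never the other tenant's record.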
@@ -2,6 +2,6 @@
2
2
 
3
3
  module BulletTrain
4
4
  module ScopeValidator
5
- VERSION = "1.0.1"
5
+ VERSION = "1.2.0"
6
6
  end
7
7
  end
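Review bot: the version jumps from 1.0.1 straight to 1.2.0, skipping the 1.1.x line, and no changelog appears in this diff; the only code change visible is the explicit require added in `lib/bullet_train/scope_validator.rb`, so the release notes should state what, if anything, else changed in 1.1 and 1.2 so consumers can judge whether the bump is safe to take.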
@@ -2,6 +2,8 @@
2
2
 
3
3
  require_relative "scope_validator/version"
4
4
 
5
+ require_relative "../validators/scope_validator"
6
+
5
7
  module BulletTrain
6
8
  module ScopeValidator
7
9
  class Error < StandardError; end
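Review bot: `require_relative "../validators/scope_validator"` is the one functional change in this release and the file it loads is not in the diff, so the scope check itself (the code that decides whether a stuffed ID is rejected) cannot be reviewed here; confirm `lib/validators/scope_validator.rb` is in the gemspec's file list, since the metadata hunk does not show the files section. Note the ordering: this require now runs before `module BulletTrain::ScopeValidator` is opened below, so the validator file must not reference `BulletTrain::ScopeValidator::Error` at load time. The upside is that `validates ..., scope: true` no longer depends on the host application's autoload paths happening to include `lib/validators`, which is the right direction for a gem whose whole purpose is a security check.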
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: bullet_train-scope_validator
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.0.1
4
+ version: 1.2.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Andrew Culver
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2022-01-15 00:00:00.000000000 Z
11
+ date: 2022-12-15 00:00:00.000000000 Z
12
12
  dependencies: []
13
13
  description: Protect `belongs_to` attributes from ID stuffing.
14
14
  email:
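Review bot: `dependencies: []` is unchanged, yet the README in this same diff shows the gem providing an Active Model validator (`validates :customer, scope: true` in an `ApplicationRecord` subclass); declare the runtime dependency on `activemodel` with a version range in the gemspec so the supported Rails versions are explicit and a resolver can refuse incompatible combinations. The date moves from 2022-01-15 to 2022-12-15, consistent with the version bump above.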
@@ -52,7 +52,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
52
52
  - !ruby/object:Gem::Version
53
53
  version: '0'
54
54
  requirements: []
55
- rubygems_version: 3.2.22
55
+ rubygems_version: 3.3.7
56
56
  signing_key:
57
57
  specification_version: 4
58
58
  summary: Protect `belongs_to` attributes from ID stuffing.