bullet_train-scope_validator 1.0.1 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: ea9dcbec389cebbb7a24a9d868f080a27a11c29a39276e0dae7416b00265af9f
4
- data.tar.gz: 379772ea2451665352e8a824c60e71d246fbdaeb3dd400d68f8025250243866d
3
+ metadata.gz: f7deee0cb7bca1d0e45c645f5845e598c6b7efa35da8d5bd21c9d2f3c0c0c0ee
4
+ data.tar.gz: 255b5f4fce08fa730d3280254b9d3b149775e849cf118410d73d59f901aa25cd
5
5
  SHA512:
6
- metadata.gz: f991bdb484df712fa4020f39690a6d62b900a5c8d62e629bc00b7d8bd124346fe2a3652e1be0a230dbf7aa21a1352791f3727474d1aebc9aaf22735b57ccf2c7
7
- data.tar.gz: 8f7a628c033553e81313e42912567d16237212e284ff0eb7a270a22fa1ccbd026fb24734c53c7e56a3405f252372fde56075d154cb52bafca4a76698b5dd3325
6
+ metadata.gz: 5f5b4778c1f8b4d48fa0ace2026f36fa7690f2b5692bbfec4fdb0a9cb8ebf8ebce7cb1b0df7c8a7a50f08f548c06d2448642798b644606df43abdaf1e777583e
7
+ data.tar.gz: 92c1011af64d3647dfc3ed183fafded26b962f0fce604f96b5928fdbe710b16e4addfd599b86f57a2343f0a7b9d79584dace0fadc9f5b6077ced4e86595080e2
data/Gemfile.lock CHANGED
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- bullet_train-scope_validator (1.0.1)
4
+ bullet_train-scope_validator (1.0.2)
5
5
 
6
6
  GEM
7
7
  remote: https://rubygems.org/
data/README.md CHANGED
@@ -1,13 +1,10 @@
1
1
  # Bullet Train Scope Validator
2
2
 
3
- Bullet Train Scope Validator provides a simple pattern for protecting `belongs_to` associations from malicious ID
4
- stuffing. It was created by [Andrew Culver](https://twitter.com/andrewculver).
3
+ Bullet Train Scope Validator provides a simple pattern for protecting `belongs_to` associations from malicious ID stuffing. It was created by [Andrew Culver](https://twitter.com/andrewculver) and extracted from [Bullet Train](https://bullettrain.co).
5
4
 
6
5
  ## Illustrating the Problem
7
6
 
8
- By default in a multitenant Rails application, unless special care is given to validating the ID assigned to a
9
- `belongs_to` association, malicious users can stuff arbitrary IDs into their request and cause an application to bleed
10
- data from other tenants.
7
+ By default in a multitenant Rails application, unless special care is given to validating the ID assigned to a `belongs_to` association, malicious users can stuff arbitrary IDs into their request and cause an application to bleed data from other tenants.
11
8
 
12
9
  Consider the following example from a customer relationship management (CRM) system that two competitive companies use:
13
10
 
@@ -49,9 +46,7 @@ class DealsController < ApplicationController
49
46
  end
50
47
  ```
51
48
 
52
- ☝️ Note that Strong Parameters allows `customer_id` to be set by incoming requests and isn't responsible for validating
53
- the value. We also wouldn't _want_ Strong Parameters to be responible for this, since we'd end up with duplicate
54
- validation logic in our API controllers and other places. This is a responsibility of the model.
49
+ ☝️ Note that Strong Parameters allows `customer_id` to be set by incoming requests and isn't responsible for validating the value. We also wouldn't _want_ Strong Parameters to be responible for this, since we'd end up with duplicate validation logic in our API controllers and other places. This is a responsibility of the model.
55
50
 
56
51
  ### Example Form
57
52
 
@@ -75,8 +70,7 @@ A malicious user can:
75
70
  - Inspect the DOM and replace the `<select>` element for `customer_id` with an `<input type="text">` element.
76
71
  - Set the value to any number, particularly numbers that are IDs they know don't belong to their account.
77
72
  - Submit the form to create the deal.
78
- - When the deal is shown, it will say "We have a deal with Nintendo!", where "Nintendo" is actually the customer of
79
- another team in the system. ☠️ We've bled customer data across our application's tenant boundary.
73
+ - When the deal is shown, it will say "We have a deal with Nintendo!", where "Nintendo" is actually the customer of another team in the system. ☠️ We've bled customer data across our application's tenant boundary.
80
74
 
81
75
  ## Usage
82
76
 
@@ -105,13 +99,13 @@ class Deal < ApplicationRecord
105
99
  end
106
100
  ```
107
101
 
108
- Finally, we can also DRY up our form to use the same definition of valid options:
102
+ If you're wondering what the connection between `validates :customer, scope: true` and `def valid_customers` is, it's just a convention that the former will call the latter based on the name of the attibute being validated. We've favored a full-blown method definition for this instead of simply passing in a proc into the validator because having a method allows us to also DRY up our form view to use the same definition of valid options, like so:
109
103
 
110
104
  ```
111
105
  <%= form.collection_select(:customer_id, form.object.valid_customers, :id, :name) %>
112
106
  ```
113
107
 
114
- That's it. You're done! Any attempts to stuff IDs will be met with an "invalid" Active Record error message.
108
+ So with that, you're done! Any attempts to stuff IDs will be met with an "invalid" Active Record error message.
115
109
 
116
110
  ## Contributing
117
111
 
@@ -2,6 +2,6 @@
2
2
 
3
3
  module BulletTrain
4
4
  module ScopeValidator
5
- VERSION = "1.0.1"
5
+ VERSION = "1.0.2"
6
6
  end
7
7
  end
@@ -2,6 +2,8 @@
2
2
 
3
3
  require_relative "scope_validator/version"
4
4
 
5
+ require_relative "../validators/scope_validator"
6
+
5
7
  module BulletTrain
6
8
  module ScopeValidator
7
9
  class Error < StandardError; end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: bullet_train-scope_validator
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.0.1
4
+ version: 1.0.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Andrew Culver
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2022-01-15 00:00:00.000000000 Z
11
+ date: 2022-01-16 00:00:00.000000000 Z
12
12
  dependencies: []
13
13
  description: Protect `belongs_to` attributes from ID stuffing.
14
14
  email: