cancan_strong_parameters 0.1.4 → 0.1.5

data/README.md

@@ -2,6 +2,8 @@
 
 CanCan and [strong_parameters](https://github.com/rails/strong_parameters) are friends now!
 
+[![Build Status](https://secure.travis-ci.org/colinyoung/cancan_strong_parameters.png)](http://travis-ci.org/colinyoung/cancan_strong_parameters)
+
 ## Authors
 
 The majority of this gem is credited to @mckeed, who posted this gist: https://gist.github.com/2878508
@@ -48,4 +50,8 @@ Run with `bundle exec rake test`.
 ## Changelog
 
 * Fixed some issues with nested form subfields in `permit_params`
-* Made compatible for nested forms
+* Made compatible for nested forms
+* Added default allows for _destroy.
+* Tests pass in Travis.
+* Fixes for irregular parameters posted like {"child_attributes" => {"0" => {}}}.
+* Fixed a major security problem where I was manually inserting IDs - should be allowed by default, but not manually added

data/lib/cancan_strong_parameters/controller.rb

@@ -1,7 +1,7 @@
 module CancanStrongParameters
   module Controller
     
-    HASH_DEFAULTS = [:_destroy, :_delete]
+    HASH_DEFAULTS = [:id, :_destroy, :_delete]
     
     module ClassMethods
       # Use this with CanCan's load_resource to permit a set of params before
@@ -76,7 +76,7 @@ module CancanStrongParameters
           
           prepend_before_filter :only => actions do
             resource_name = self.class.resource_name
-            self.params[resource_name] = params[resource_name].send method, *[*keys.flatten + @@defaults, @@hash]
+            self.params[resource_name] = params[resource_name].standardized.send method, *[*keys.flatten + @@defaults, @@hash]
           end
         elsif hash.present?
           prepend_before_filter :only => actions do
@@ -119,13 +119,28 @@ class Hash
     
     Hash.new.tap do |h|
       self.each do |k,v|
-        h[:"#{k}_attributes"] = self.delete(k).attributized + defaults
+        h[:"#{k}_attributes"] = self[k].attributized + defaults
+      end
+    end
+  end
+  
+  # Converts keyed nested_forms (like task_attributes: {"0" => {}}) to normal params arrays.
+  def to_parameter_array
+    return self if self.empty?
+    
+    return self unless (k = self.keys.first).is_a?(String) and k[0..3] == "new_" or k.is_i? or k.is_hex?
+    
+    Array.new.tap do |a|
+      self.each do |k,v|
+        a << v.standardized
       end
     end
   end
 end
 
 class Array
+  
+  # Attributizes each element in an array
   def attributized
     Array.new.tap do |a|
       self.each do |v|
@@ -134,4 +149,35 @@ class Array
       end
     end
   end
+end
+
+class ActiveSupport::HashWithIndifferentAccess
+  
+  # Takes params that are passed in for nested_forms (like the example below) and cleans them up.
+  #
+  # post: {
+  #   comments_attributes: {
+  #     "0" => {},
+  #     "1" => {},  
+  #     "new_23023032" => {}
+  #   }
+  # }
+  #
+  def standardized
+    ActionController::Parameters.new.tap do |h|
+      self.each do |k,v|
+        h[k] = v.is_a?(Hash) ? v.to_parameter_array : v
+      end
+    end
+  end
+end
+
+class String
+  def is_i?
+    !!(self =~ /^[-+]?[0-9]+$/)
+  end
+  
+  def is_hex?
+    !!(self =~ /^[0-9a-f]+$/)
+  end
 end

data/lib/cancan_strong_parameters/version.rb

@@ -1,3 +1,3 @@
 module CancanStrongParameters
-  VERSION = "0.1.4"
+  VERSION = "0.1.5"
 end

data/test/app/models/post.rb

@@ -1,6 +1,11 @@
 class Post
   include ActiveModel::Serialization
   include ActiveModel::MassAssignmentSecurity
+  include ActiveModel::AttributeMethods
   
   attr_accessible :body, :content
+  
+  def initialize(attributes = {})
+    @attributes = attributes
+  end
 end

data/test/test_cancan_strong_parameters.rb

@@ -42,4 +42,87 @@ class PostsControllerTest < ActionController::TestCase
       ActiveSupport::HashWithIndifferentAccess.new(assigns(:post_attributes)),
       ActiveSupport::HashWithIndifferentAccess.new(params[:post])
   end
+  
+  test "can handle multiple items" do
+    params = {
+      post: {
+        title: "Hello",
+        comments_attributes: {
+          "0" => {
+            body: "Comment 1",
+            tags_attributes: {
+              "0" => {
+                name: "article"
+              },
+              "1" => {
+                name: "post"
+              },
+            }
+          },
+          "1" => {
+            body: "Comment 2"
+          },
+          "new_3904949" => {
+            body: "Comment 3"
+          }
+        }
+      }
+    }
+    
+    post :create, params
+    assert_equal \
+      ActiveSupport::HashWithIndifferentAccess.new(assigns(:post_attributes)),
+      ActiveSupport::HashWithIndifferentAccess.new({
+        title: "Hello",
+        comments_attributes: [
+          {
+            body: "Comment 1",
+            tags_attributes: [{
+                name: "article"
+              },
+              {
+                name: "post"
+              }
+            ]
+          },
+          {
+            body: "Comment 2"
+          },
+          {
+            body: "Comment 3"
+          }
+        ]
+      })
+  end
+  
+  test "can handle multiple items but with only new itesm" do
+    params = {
+      post: {
+        title: "Hello",
+        comments_attributes: {
+          "new_3904949" => {
+            body: "Comment 3",
+            tags_attributes: {
+              "new_23040234" => {
+                name: "article"
+              }
+            }
+          }
+        }
+      }
+    }
+    
+    post :create, params
+    assert_equal \
+      ActiveSupport::HashWithIndifferentAccess.new(assigns(:post_attributes)),
+      ActiveSupport::HashWithIndifferentAccess.new({
+        title: "Hello",
+        comments_attributes: [{
+          body: "Comment 3",
+          tags_attributes: [{
+              name: "article"
+          }]
+        }]
+      })
+  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cancan_strong_parameters
 version: !ruby/object:Gem::Version
-  version: 0.1.4
+  version: 0.1.5
   prerelease: 
 platform: ruby
 authors: