durable_parameters 0.2.3

data/Rakefile

@@ -0,0 +1,29 @@
+#!/usr/bin/env rake
+begin
+  require 'bundler/setup'
+  require 'bundler/gem_tasks'
+rescue LoadError
+  raise 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'StrongParameters'
+  rdoc.options << '--line-numbers'
+  rdoc_main = 'README.md'
+  rdoc.rdoc_files.include('README.md')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+task :default => :test

data/app/params/account_params.rb.example

@@ -0,0 +1,38 @@
+# Example params class for Account model
+#
+# This file demonstrates how to define permitted attributes
+# for the Account model using declarative syntax.
+#
+# To use this example:
+# 1. Rename this file to account_params.rb
+# 2. Customize the allowed/denied attributes for your needs
+# 3. Use in your controller with: params.require(:account).transform_params()
+#
+# Advanced usage:
+# - Override params class: params.require(:account).transform_params(AdminAccountParams)
+# - Pass current_user (always allowed): params.require(:account).transform_params(current_user: current_user)
+# - Pass declared metadata: params.require(:account).transform_params(current_user: current_user, ip_address: request.ip)
+
+class AccountParams < ApplicationParams
+  # Allow these attributes for mass assignment
+  allow :first_name
+  allow :last_name
+  allow :email
+  allow :phone_number
+
+  # Explicitly deny sensitive attributes
+  deny :is_admin
+  deny :account_balance
+
+  # Action-specific permissions
+  # allow :published_at, only: [:create, :update]
+  # allow :view_count, except: :create
+
+  # Declare allowed metadata keys (current_user is always allowed)
+  # Any metadata passed to transform_params must be declared here
+  metadata :ip_address, :role
+
+  # Application-specific flags
+  flag :require_approval, true
+  flag :audit_changes, true
+end

data/app/params/application_params.rb

@@ -0,0 +1,16 @@
+# Base class for all param definitions
+# Inherit from this in your app/params/*.rb files to define
+# which attributes are permitted for mass assignment
+#
+# Example:
+#   class UserParams < ApplicationParams
+#     allow :first_name
+#     allow :last_name
+#     deny :is_admin
+#   end
+class ApplicationParams < ActionController::ApplicationParams
+  # Add common permitted attributes here
+  # For example:
+  # allow :created_at
+  # allow :updated_at
+end

data/lib/durable_parameters/adapters/hanami.rb

@@ -0,0 +1,138 @@
+# frozen_string_literal: true
+
+require 'durable_parameters/core'
+
+module StrongParameters
+  module Adapters
+    # Hanami adapter for Strong Parameters
+    #
+    # This adapter integrates the core Strong Parameters functionality with
+    # Hanami applications, providing integration with Hanami actions and params.
+    #
+    # @example Basic usage in a Hanami action (Hanami 2.x)
+    #   require 'durable_parameters/adapters/hanami'
+    #
+    #   module MyApp
+    #     module Actions
+    #       module Users
+    #         class Create < MyApp::Action
+    #           include StrongParameters::Adapters::Hanami::Action
+    #
+    #           def handle(request, response)
+    #             user_params = strong_params(request.params).require(:user).permit(:name, :email)
+    #             # ... use user_params
+    #           end
+    #         end
+    #       end
+    #     end
+    #   end
+    #
+    # @example Basic usage in a Hanami action (Hanami 1.x)
+    #   require 'durable_parameters/adapters/hanami'
+    #
+    #   module Web
+    #     module Controllers
+    #       module Users
+    #         class Create
+    #           include Web::Action
+    #           include StrongParameters::Adapters::Hanami::Action
+    #
+    #           def call(params)
+    #             user_params = strong_params.require(:user).permit(:name, :email)
+    #             # ... use user_params
+    #           end
+    #         end
+    #       end
+    #     end
+    #   end
+    module Hanami
+      # Hanami-specific Parameters implementation
+      class Parameters < StrongParameters::Core::Parameters
+        # Hanami uses symbol keys by default
+        private
+
+        def normalize_key(key)
+          key.to_s
+        end
+      end
+
+      # Module to include in Hanami actions
+      module Action
+        # Access request parameters as a Strong Parameters object.
+        #
+        # For Hanami 2.x, pass the params object explicitly
+        # For Hanami 1.x, it will use the params from the action context
+        #
+        # @param params_obj [Object, nil] the params object (Hanami 2.x) or nil (Hanami 1.x)
+        # @return [Parameters] the request parameters wrapped in a Parameters object
+        def strong_params(params_obj = nil)
+          params_hash = if params_obj
+            # Hanami 2.x - params passed explicitly
+            params_obj.respond_to?(:to_h) ? params_obj.to_h : params_obj
+          elsif respond_to?(:params)
+            # Hanami 1.x - params available on action
+            params.respond_to?(:to_h) ? params.to_h : params
+          else
+            {}
+          end
+
+          ::StrongParameters::Adapters::Hanami::Parameters.new(params_hash)
+        end
+
+        # Alias for strong_params
+        alias sp strong_params
+
+        # Handle ParameterMissing errors (Hanami 2.x style)
+        def handle_parameter_missing(exception)
+          halt 400, { error: "Required parameter missing: #{exception.param}" }.to_json
+        end
+
+        # Handle ForbiddenAttributes errors (Hanami 2.x style)
+        def handle_forbidden_attributes(exception)
+          halt 400, { error: "Forbidden attributes in mass assignment" }.to_json
+        end
+
+        # Handle UnpermittedParameters errors (Hanami 2.x style)
+        def handle_unpermitted_parameters(exception)
+          halt 400, { error: "Unpermitted parameters: #{exception.params.join(', ')}" }.to_json
+        end
+
+        # Set up error handling when this module is included
+        def self.included(base)
+          # Set up automatic error handling if possible
+          if base.respond_to?(:handle_exception)
+            base.handle_exception StrongParameters::Core::ParameterMissing => :handle_parameter_missing
+            base.handle_exception StrongParameters::Core::ForbiddenAttributes => :handle_forbidden_attributes
+            base.handle_exception StrongParameters::Core::UnpermittedParameters => :handle_unpermitted_parameters
+          end
+        end
+      end
+
+      # Setup Hanami integration
+      def self.setup!(app = nil)
+        # Configure logging for unpermitted parameters in development
+        env = if app && app.respond_to?(:config)
+          app.config.env
+        elsif defined?(::Hanami) && ::Hanami.respond_to?(:env)
+          ::Hanami.env
+        else
+          ENV['HANAMI_ENV'] || ENV['RACK_ENV'] || 'development'
+        end
+
+        if env == 'development' || env == :development
+          ::StrongParameters::Adapters::Hanami::Parameters.action_on_unpermitted_parameters = :log
+          ::StrongParameters::Adapters::Hanami::Parameters.unpermitted_notification_handler = lambda do |keys|
+            # Try to get logger from Hanami
+            logger = if defined?(::Hanami) && ::Hanami.respond_to?(:logger)
+              ::Hanami.logger
+            elsif app && app.respond_to?(:logger)
+              app.logger
+            end
+
+            logger&.warn("Unpermitted parameters: #{keys.join(', ')}")
+          end
+        end
+      end
+    end
+  end
+end

data/lib/durable_parameters/adapters/rage.rb

@@ -0,0 +1,124 @@
+# frozen_string_literal: true
+
+require 'durable_parameters/core'
+
+module StrongParameters
+  module Adapters
+    # Rage adapter for Strong Parameters
+    #
+    # This adapter integrates the core Strong Parameters functionality with
+    # Rage framework (a fast Rails-compatible web framework).
+    #
+    # @example Basic usage in a Rage controller
+    #   require 'durable_parameters/adapters/rage'
+    #
+    #   class UsersController < RageController::API
+    #     def create
+    #       user_params = params.require(:user).permit(:name, :email)
+    #       # ... use user_params
+    #     end
+    #   end
+    module Rage
+      # Rage-specific Parameters implementation
+      class Parameters < StrongParameters::Core::Parameters
+        # Rage uses string keys like Rails
+        private
+
+        def normalize_key(key)
+          key.to_s
+        end
+      end
+
+      # Controller integration module for Strong Parameters in Rage.
+      #
+      # This module provides the params method to controllers and handles
+      # ParameterMissing exceptions with a 400 Bad Request response.
+      module Controller
+        # Access request parameters as a Parameters object.
+        #
+        # @return [Parameters] the request parameters wrapped in a Parameters object
+        def params
+          @_strong_params ||= begin
+            # Get raw params from Rage controller
+            raw_params = if defined?(super)
+              super
+            else
+              {}
+            end
+
+            ::StrongParameters::Adapters::Rage::Parameters.new(raw_params)
+          end
+        end
+
+        # Set the parameters for this request.
+        #
+        # @param val [Hash, Parameters] the parameters to set
+        # @return [Parameters] the parameters
+        def params=(val)
+          @_strong_params = val.is_a?(Hash) ? ::StrongParameters::Adapters::Rage::Parameters.new(val) : val
+        end
+
+        # Handle parameter missing errors
+        def handle_parameter_missing(exception)
+          render json: { error: "Required parameter missing: #{exception.param}" }, status: 400
+        end
+
+        # Handle forbidden attributes errors
+        def handle_forbidden_attributes(exception)
+          render json: { error: "Forbidden attributes in mass assignment" }, status: 400
+        end
+
+        # Handle unpermitted parameters errors
+        def handle_unpermitted_parameters(exception)
+          render json: { error: "Unpermitted parameters: #{exception.params.join(', ')}" }, status: 400
+        end
+
+        # Set up error handling when this module is included
+        def self.included(base)
+          # Rage uses rescue_from for error handling (Rails-compatible)
+          if base.respond_to?(:rescue_from)
+            base.rescue_from StrongParameters::Core::ParameterMissing, with: :handle_parameter_missing
+            base.rescue_from StrongParameters::Core::ForbiddenAttributes, with: :handle_forbidden_attributes
+            base.rescue_from StrongParameters::Core::UnpermittedParameters, with: :handle_unpermitted_parameters
+          end
+        end
+      end
+
+      # Setup Rage integration
+      def self.setup!
+        # Configure logging for unpermitted parameters
+        # Rage uses RAGE_ENV environment variable
+        env = ENV['RAGE_ENV'] || ENV['RACK_ENV'] || 'development'
+
+        if env == 'development' || env == 'test'
+          ::StrongParameters::Adapters::Rage::Parameters.action_on_unpermitted_parameters = :log
+          ::StrongParameters::Adapters::Rage::Parameters.unpermitted_notification_handler = lambda do |keys|
+            # Rage has a logger available
+            logger = if defined?(::Rage) && ::Rage.respond_to?(:logger)
+              ::Rage.logger
+            elsif defined?(::Rage::Logger)
+              ::Rage::Logger.logger
+            end
+
+            logger&.warn("Unpermitted parameters: #{keys.join(', ')}")
+          end
+        end
+
+        # Integrate with Rage controllers if available
+        if defined?(::RageController::API)
+          ::RageController::API.include(Controller)
+        end
+
+        # Also integrate with base controller if available
+        if defined?(::Rage::Controller)
+          ::Rage::Controller.include(Controller)
+        end
+      end
+
+      # Convenience method for manual integration
+      def self.included(base)
+        base.include Controller
+      end
+    end
+  end
+end

data/lib/durable_parameters/adapters/rails.rb

@@ -0,0 +1,280 @@
+# frozen_string_literal: true
+
+require 'active_support/concern'
+require 'active_support/core_ext/hash/indifferent_access'
+require 'active_support/core_ext/array/wrap'
+require 'action_controller'
+require 'action_dispatch/http/upload'
+require 'durable_parameters/core'
+
+module StrongParameters
+  module Adapters
+    # Rails adapter for Strong Parameters
+    #
+    # This adapter integrates the core Strong Parameters functionality with
+    # Rails/ActionController, providing Rails-specific features like:
+    # - ActiveSupport::HashWithIndifferentAccess integration
+    # - ActionDispatch uploaded file support
+    # - Rack uploaded file support
+    # - ActiveSupport::Concern integration
+    # - Automatic controller integration
+    module Rails
+      # Extension module to add Durable Parameters functionality to Rails' ActionController::Parameters
+      module ParametersExtension
+        # Track the required key for automatic params class inference
+        attr_accessor :required_key
+
+        # Transform and permit parameters using a declarative params class.
+        #
+        # This method provides a declarative approach to parameter filtering using
+        # params classes. It automatically looks up the appropriate params class
+        # based on the required_key if not explicitly provided.
+        #
+        # Transformations defined in the params class are applied before filtering.
+        #
+        # @param params_class [Class, Symbol, nil] optional params class or :__infer__ (default)
+        # @param options [Hash] metadata and configuration options
+        # @return [ActionController::Parameters] permitted parameters
+        def transform_params(params_class = :__infer__, **options)
+          # Extract known options
+          action = options[:action]
+          additional_attrs = options[:additional_attrs] || []
+
+          # Infer params class from required_key if not explicitly provided
+          if params_class == :__infer__
+            if instance_variable_defined?(:@required_key) && @required_key
+              params_class = ::ActionController::ParamsRegistry.lookup(@required_key)
+            else
+              # If no required_key and no explicit params_class, return empty permitted params
+              return self.class.new.permit!
+            end
+          end
+
+          # Handle case where params_class is nil
+          if params_class.nil?
+            return self.class.new.permit!
+          end
+
+          # Validate metadata keys (excluding known options)
+          metadata_keys = options.keys - [:action, :additional_attrs]
+          validate_metadata_keys!(params_class, metadata_keys)
+
+          # Apply transformations first (before filtering)
+          transformed_hash = params_class.apply_transformations(self.to_unsafe_h, options)
+
+          # Create a new Parameters object from the transformed hash
+          transformed_params = self.class.new(transformed_hash)
+
+          # Get permitted attributes and apply them
+          permitted_attrs = params_class.permitted_attributes(action: action)
+          permitted_attrs += additional_attrs
+          transformed_params.permit(*permitted_attrs)
+        end
+
+        # Permit parameters using a registered params class for a model.
+        #
+        # This is a convenience method that looks up the params class for the given
+        # model name and applies it to permit parameters.
+        #
+        # @param model_name [Symbol, String] the model name to look up
+        # @param action [Symbol, String, nil] optional action for filtering
+        # @param additional_attrs [Array<Symbol>] additional attributes to permit
+        # @return [ActionController::Parameters] permitted parameters
+        def permit_by_model(model_name, action: nil, additional_attrs: [])
+          params_class = ::ActionController::ParamsRegistry.lookup(model_name)
+          transform_params(params_class, action: action, additional_attrs: additional_attrs)
+        end
+
+        # Override require to track the required_key for transform_params
+        def require(key)
+          value = super(key)
+          # Track the required key so transform_params can infer the params class
+          if value.is_a?(::ActionController::Parameters)
+            value.instance_variable_set(:@required_key, key.to_sym)
+          end
+          value
+        end
+
+        # Override slice to preserve required_key
+        def slice(*keys)
+          sliced = super(*keys)
+          if sliced.is_a?(::ActionController::Parameters)
+            sliced.instance_variable_set(:@required_key, @required_key)
+          end
+          sliced
+        end
+
+        private
+
+        # Validate that all provided metadata keys are allowed by the params class.
+        def validate_metadata_keys!(params_class, metadata_keys)
+          return if metadata_keys.empty?
+
+          disallowed_keys = metadata_keys.reject { |key| params_class.metadata_allowed?(key) }
+
+          return unless disallowed_keys.any?
+
+          # Build a helpful error message
+          keys_list = disallowed_keys.map(&:inspect).join(', ')
+          class_name = params_class.name
+
+          raise ArgumentError, <<~ERROR.strip
+            Metadata key(s) #{keys_list} not allowed for #{class_name}.
+
+            To fix this, declare them in your params class:
+
+              class #{class_name} < ApplicationParams
+                metadata #{disallowed_keys.map(&:inspect).join(', ')}
+              end
+
+            Note: :current_user is always allowed and doesn't need to be declared.
+          ERROR
+        end
+      end
+
+      # Rails-specific Parameters implementation (deprecated, kept for compatibility)
+      class Parameters < StrongParameters::Core::Parameters
+        # Override to use ActiveSupport::HashWithIndifferentAccess behavior
+        def initialize(attributes = nil)
+          @permitted = false
+          @required_key = nil
+
+          if attributes
+            # Convert to hash with indifferent access
+            hash = attributes.is_a?(Hash) ? attributes.with_indifferent_access : {}
+            hash.each { |k, v| self[k] = v }
+          end
+        end
+
+        # Access parameter value with indifferent access (string or symbol)
+        def [](key)
+          key = key.to_s if key.is_a?(Symbol)
+          convert_hashes_to_parameters(key, super(key))
+        end
+
+        def []=(key, value)
+          key = key.to_s if key.is_a?(Symbol)
+          super(key, value)
+        end
+
+        def has_key?(key)
+          key = key.to_s if key.is_a?(Symbol)
+          super(key)
+        end
+
+        alias key? has_key?
+        alias include? has_key?
+
+        def delete(key)
+          key = key.to_s if key.is_a?(Symbol)
+          super(key)
+        end
+
+        def fetch(key, *args)
+          key = key.to_s if key.is_a?(Symbol)
+          super(key, *args)
+        end
+
+        private
+
+        def normalize_key(key)
+          key.to_s
+        end
+
+        # Rails-specific permitted scalar types
+        PERMITTED_SCALAR_TYPES = (
+          StrongParameters::Core::Parameters::PERMITTED_SCALAR_TYPES + [
+            ActionDispatch::Http::UploadedFile,
+            Rack::Test::UploadedFile
+          ]
+        ).freeze
+
+        def permitted_scalar?(value)
+          PERMITTED_SCALAR_TYPES.any? { |type| value.is_a?(type) }
+        end
+      end
+
+      # Map core exceptions to ActionController namespace for compatibility
+      module ActionController
+        ParameterMissing = StrongParameters::Core::ParameterMissing
+        UnpermittedParameters = StrongParameters::Core::UnpermittedParameters
+
+        # Controller integration module for Strong Parameters in Rails.
+        #
+        # This module provides the params method to controllers and handles
+        # ParameterMissing exceptions with a 400 Bad Request response.
+        module StrongParameters
+          extend ActiveSupport::Concern
+
+          included do
+            rescue_from(ActionController::ParameterMissing) do |parameter_missing_exception|
+              render plain: "Required parameter missing: #{parameter_missing_exception.param}",
+                     status: :bad_request
+            end
+          end
+
+          # Access request parameters as a Parameters object.
+          #
+          # @return [Parameters] the request parameters wrapped in a Parameters object
+          def params
+            @_params ||= ::StrongParameters::Adapters::Rails::Parameters.new(request.parameters)
+          end
+
+          # Set the parameters for this request.
+          #
+          # @param val [Hash, Parameters] the parameters to set
+          # @return [Parameters] the parameters
+          def params=(val)
+            @_params = val.is_a?(Hash) ? ::StrongParameters::Adapters::Rails::Parameters.new(val) : val
+          end
+        end
+      end
+
+      # ActiveModel integration
+      module ActiveModel
+        ForbiddenAttributes = StrongParameters::Core::ForbiddenAttributes
+
+        # Protection module for Active Model mass assignment.
+        module ForbiddenAttributesProtection
+          # Check if parameters are permitted before mass assignment.
+          #
+          # @param options [Array] mass assignment options, first element should be attributes hash
+          # @return [Object] result of super if permitted
+          # @raise [ForbiddenAttributes] if parameters are not permitted
+          def sanitize_for_mass_assignment(*options)
+            new_attributes = options.first
+            if !new_attributes.respond_to?(:permitted?) || new_attributes.permitted?
+              super
+            else
+              raise ::StrongParameters::Core::ForbiddenAttributes
+            end
+          end
+        end
+      end
+
+      # Setup Rails integration
+      def self.setup!
+        # Extend the existing Rails ActionController::Parameters with our functionality
+        # Use prepend so our methods override existing ones
+        ::ActionController::Parameters.class_eval do
+          prepend StrongParameters::Adapters::Rails::ParametersExtension
+        end
+
+        # Add our new classes to ActionController namespace
+        ::ActionController.const_set(:ApplicationParams, ::StrongParameters::Core::ApplicationParams) unless ::ActionController.const_defined?(:ApplicationParams)
+        ::ActionController.const_set(:ParamsRegistry, ::StrongParameters::Core::ParamsRegistry) unless ::ActionController.const_defined?(:ParamsRegistry)
+
+        # Integrate with ActionController
+        ActiveSupport.on_load(:action_controller) do
+          include ::StrongParameters::Adapters::Rails::ActionController::StrongParameters
+        end
+
+        # Inject into ActiveModel using const_set (Ruby 3.5 compatible) - only if ActiveModel is loaded
+        if defined?(::ActiveModel)
+          ::ActiveModel.const_set(:ForbiddenAttributes, ::StrongParameters::Core::ForbiddenAttributes) unless ::ActiveModel.const_defined?(:ForbiddenAttributes)
+          ::ActiveModel.const_set(:ForbiddenAttributesProtection, ::StrongParameters::Adapters::Rails::ActiveModel::ForbiddenAttributesProtection) unless ::ActiveModel.const_defined?(:ForbiddenAttributesProtection)
+        end
+      end
+    end
+  end
+end