durable_parameters 0.2.3

data/lib/durable_parameters/core/params_registry.rb

@@ -0,0 +1,110 @@
+# frozen_string_literal: true
+
+module StrongParameters
+  module Core
+    # Singleton registry for storing and retrieving param class definitions.
+    #
+    # ParamsRegistry provides a central location to register and look up params
+    # classes for models. This enables automatic inference of params classes in
+    # transform_params based on the model name.
+    #
+    # @example Registering a params class
+    #   StrongParameters::Core::ParamsRegistry.register(:user, UserParams)
+    #
+    # @example Looking up a params class
+    #   StrongParameters::Core::ParamsRegistry.lookup(:user) # => UserParams
+    #
+    # @example Getting permitted attributes
+    #   StrongParameters::Core::ParamsRegistry.permitted_attributes_for(:user, action: :create)
+    class ParamsRegistry
+      class << self
+        # Register a params class for a model.
+        #
+        # The model name is normalized (underscored and symbolized) before storage.
+        #
+        # @param model_name [String, Symbol] the model name (e.g., 'User', 'Account')
+        # @param params_class [Class] the params class (e.g., UserParams)
+        # @return [Class] the registered params class
+        # @example
+        #   ParamsRegistry.register(:user, UserParams)
+        #   ParamsRegistry.register('BlogPost', BlogPostParams)
+        def register(model_name, params_class)
+          registry[normalize_key(model_name)] = params_class
+        end
+
+        # Look up the params class for a model.
+        #
+        # @param model_name [String, Symbol] the model name
+        # @return [Class, nil] the params class or nil if not found
+        # @example
+        #   ParamsRegistry.lookup(:user) # => UserParams
+        #   ParamsRegistry.lookup(:unknown) # => nil
+        def lookup(model_name)
+          registry[normalize_key(model_name)]
+        end
+
+        # Get permitted attributes for a model.
+        #
+        # @param model_name [String, Symbol] the model name
+        # @param action [Symbol, String, nil] optional action name for filtering
+        # @return [Array<Symbol, Hash>] array of permitted attributes
+        # @example
+        #   ParamsRegistry.permitted_attributes_for(:user)
+        #   ParamsRegistry.permitted_attributes_for(:post, action: :create)
+        def permitted_attributes_for(model_name, action: nil)
+          params_class = lookup(model_name)
+          return [] unless params_class
+
+          params_class.permitted_attributes(action: action)
+        end
+
+        # Check if a model has registered params.
+        #
+        # @param model_name [String, Symbol] the model name
+        # @return [Boolean] true if registered, false otherwise
+        # @example
+        #   ParamsRegistry.registered?(:user) # => true
+        #   ParamsRegistry.registered?(:unknown) # => false
+        def registered?(model_name)
+          registry.key?(normalize_key(model_name))
+        end
+
+        # Clear the registry.
+        #
+        # This is primarily useful for testing to ensure a clean slate between tests.
+        #
+        # @return [Hash] the empty registry
+        def clear!
+          registry.clear
+        end
+
+        # Get all registered model names.
+        #
+        # @return [Array<String>] array of model names as strings
+        # @example
+        #   ParamsRegistry.registered_models # => ["user", "post", "comment"]
+        def registered_models
+          registry.keys.map(&:to_s)
+        end
+
+        private
+
+        # @return [Hash<Symbol, Class>] the internal registry hash
+        def registry
+          @registry ||= {}
+        end
+
+        # Normalize a key by underscoring and symbolizing it.
+        #
+        # @param key [String, Symbol] the key to normalize
+        # @return [Symbol] the normalized key
+        # @example
+        #   normalize_key('BlogPost') # => :blog_post
+        #   normalize_key(:user) # => :user
+        def normalize_key(key)
+          key.to_s.gsub(/([A-Z])/) { "_#{$1.downcase}" }.gsub(/^_/, '').to_sym
+        end
+      end
+    end
+  end
+end

data/lib/durable_parameters/core.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+# Core framework-agnostic strong parameters implementation
+#
+# The core module provides all essential functionality without any framework dependencies:
+# - Parameters: Hash-based parameter filtering and whitelisting
+# - ApplicationParams: Declarative DSL for defining parameter permissions
+# - ParamsRegistry: Centralized registry for params classes
+# - ForbiddenAttributesProtection: Mass assignment protection mixin
+# - Configuration: Centralized configuration management
+require 'durable_parameters/core/configuration'
+require 'durable_parameters/core/parameters'
+require 'durable_parameters/core/application_params'
+require 'durable_parameters/core/params_registry'
+require 'durable_parameters/core/forbidden_attributes_protection'

data/lib/durable_parameters/log_subscriber.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require 'active_support/log_subscriber'
+require 'active_support/notifications'
+
+module StrongParameters
+  # Log subscriber for unpermitted parameters notifications.
+  #
+  # This subscriber listens for unpermitted parameter events and logs them
+  # using the configured logger. This is helpful for development and testing
+  # to identify parameters that need to be explicitly permitted.
+  class LogSubscriber < ActiveSupport::LogSubscriber
+    # Handle unpermitted_parameters notification event.
+    #
+    # @param event [ActiveSupport::Notifications::Event] the notification event
+    # @return [void]
+    def unpermitted_parameters(event)
+      unpermitted_keys = event.payload[:keys]
+      debug("Unpermitted parameters: #{unpermitted_keys.join(', ')}")
+    end
+
+    # Returns the logger for this subscriber.
+    #
+    # @return [Logger] the Action Controller logger
+    def logger
+      ActionController::Base.logger
+    end
+  end
+end
+
+# Only attach if ActionController is loaded (Rails environment)
+if defined?(ActionController)
+  StrongParameters::LogSubscriber.attach_to :action_controller
+end

data/lib/durable_parameters/railtie.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+require 'rails/railtie'
+require 'durable_parameters/adapters/rails'
+
+module StrongParameters
+  # Rails integration for Strong Parameters.
+  #
+  # This railtie configures Strong Parameters within Rails applications,
+  # setting up generators, autoload paths, and parameter logging.
+  class Railtie < ::Rails::Railtie
+    # Setup Rails adapter
+    config.before_initialize do
+      StrongParameters::Adapters::Rails.setup!
+    end
+
+    # Configure scaffold generator to use strong_parameters controller template
+    if config.respond_to?(:app_generators)
+      config.app_generators.scaffold_controller = :strong_parameters_controller
+    else
+      config.generators.scaffold_controller = :strong_parameters_controller
+    end
+
+    # Configure action on unpermitted parameters (log in dev/test, silent in production)
+    initializer 'strong_parameters.config', before: 'action_controller.set_configs' do |app|
+      StrongParameters::Adapters::Rails::Parameters.action_on_unpermitted_parameters =
+        app.config.action_controller.delete(:action_on_unpermitted_parameters) do
+          (Rails.env.test? || Rails.env.development?) ? :log : false
+        end
+    end
+
+    # Add app/params directory to autoload paths for params classes
+    initializer 'strong_parameters.autoload_params' do |app|
+      params_path = app.root.join('app', 'params')
+
+      # Add to autoload paths if directory exists
+      if params_path.directory?
+        ActiveSupport::Dependencies.autoload_paths << params_path.to_s
+      end
+    end
+
+    # Automatically load and register all params classes after Rails initialization
+    config.after_initialize do |app|
+      params_path = app.root.join('app', 'params')
+
+      next unless params_path.directory?
+
+      # Load all params class files
+      Dir[params_path.join('**', '*_params.rb')].each do |file|
+        require_dependency file
+      end
+
+      # Register all ApplicationParams subclasses with the registry
+      next unless defined?(StrongParameters::Core::ApplicationParams)
+
+      StrongParameters::Core::ApplicationParams.descendants.each do |params_class|
+        # Extract model name from class name (e.g., UserParams -> User)
+        next unless params_class.name =~ /(.+)Params$/
+
+        model_name = ::Regexp.last_match(1)
+        StrongParameters::Core::ParamsRegistry.register(model_name, params_class)
+      end
+    end
+  end
+end

data/lib/durable_parameters/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+# Durable Parameters version information.
+module DurableParameters
+  # Current version of the durable_parameters gem
+  VERSION = '0.2.3'
+end

data/lib/durable_parameters.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+# Strong Parameters provides a whitelist-based approach to mass assignment protection.
+#
+# This gem provides a framework-agnostic approach to parameter filtering and mass
+# assignment protection, with adapters for various Ruby web frameworks including
+# Rails, Sinatra, Hanami, and Rage.
+#
+# @see StrongParameters::Core::Parameters
+# @see StrongParameters::Core::ApplicationParams
+# @see StrongParameters::Core::ParamsRegistry
+
+require 'durable_parameters/version'
+require 'durable_parameters/core'
+
+# Auto-detect and load framework adapter
+if defined?(Rails)
+  # Rails is loaded - use Rails adapter
+  require 'durable_parameters/railtie'
+  require 'durable_parameters/log_subscriber'
+elsif defined?(Sinatra)
+  # Sinatra is loaded - auto-setup Sinatra adapter
+  require 'durable_parameters/adapters/sinatra'
+elsif defined?(Hanami)
+  # Hanami is loaded - auto-setup Hanami adapter
+  require 'durable_parameters/adapters/hanami'
+  StrongParameters::Adapters::Hanami.setup!
+elsif defined?(Rage) || defined?(RageController)
+  # Rage is loaded - auto-setup Rage adapter
+  require 'durable_parameters/adapters/rage'
+  StrongParameters::Adapters::Rage.setup!
+end
+
+# Provide top-level convenience aliases
+module StrongParameters
+  # Convenience aliases for core classes
+  Parameters = Core::Parameters unless defined?(Parameters)
+  ApplicationParams = Core::ApplicationParams unless defined?(ApplicationParams)
+  ParamsRegistry = Core::ParamsRegistry unless defined?(ParamsRegistry)
+  ForbiddenAttributesProtection = Core::ForbiddenAttributesProtection unless defined?(ForbiddenAttributesProtection)
+end

data/lib/generators/rails/USAGE

@@ -0,0 +1,12 @@
+Description:
+    Stubs out a scaffolded controller and its views. Different from rails
+    scaffold_controller, it uses strong_parameters to whitelist permissible
+    attributes in a private method.
+    Pass the model name, either CamelCased or under_scored. The controller
+    name is retrieved as a pluralized version of the model name.
+
+    To create a controller within a module, specify the model name as a
+    path like 'parent_module/controller_name'.
+
+    This generates a controller class in app/controllers and invokes helper,
+    template engine and test framework generators.

data/lib/generators/rails/durable_parameters_controller_generator.rb

@@ -0,0 +1,17 @@
+require 'rails/version'
+require 'rails/generators/rails/scaffold_controller/scaffold_controller_generator'
+
+module Rails
+  module Generators
+    class StrongParametersControllerGenerator < ScaffoldControllerGenerator
+      argument :attributes, :type => :array, :default => [], :banner => "field:type field:type"
+      source_root File.expand_path("../templates", __FILE__)
+
+      if ::Rails::VERSION::STRING < '3.1'
+        def module_namespacing
+          yield if block_given?
+        end
+      end
+    end
+  end
+end

data/lib/generators/rails/templates/controller.rb

@@ -0,0 +1,94 @@
+<% module_namespacing do -%>
+class <%= controller_class_name %>Controller < ApplicationController
+  # GET <%= route_url %>
+  # GET <%= route_url %>.json
+  def index
+    @<%= plural_table_name %> = <%= orm_class.all(class_name) %>
+
+    respond_to do |format|
+      format.html # index.html.erb
+      format.json { render json: <%= "@#{plural_table_name}" %> }
+    end
+  end
+
+  # GET <%= route_url %>/1
+  # GET <%= route_url %>/1.json
+  def show
+    @<%= singular_table_name %> = <%= orm_class.find(class_name, "params[:id]") %>
+
+    respond_to do |format|
+      format.html # show.html.erb
+      format.json { render json: <%= "@#{singular_table_name}" %> }
+    end
+  end
+
+  # GET <%= route_url %>/new
+  # GET <%= route_url %>/new.json
+  def new
+    @<%= singular_table_name %> = <%= orm_class.build(class_name) %>
+
+    respond_to do |format|
+      format.html # new.html.erb
+      format.json { render json: <%= "@#{singular_table_name}" %> }
+    end
+  end
+
+  # GET <%= route_url %>/1/edit
+  def edit
+    @<%= singular_table_name %> = <%= orm_class.find(class_name, "params[:id]") %>
+  end
+
+  # POST <%= route_url %>
+  # POST <%= route_url %>.json
+  def create
+    @<%= singular_table_name %> = <%= orm_class.build(class_name, "#{singular_table_name}_params") %>
+
+    respond_to do |format|
+      if @<%= orm_instance.save %>
+        format.html { redirect_to @<%= singular_table_name %>, notice: <%= "'#{human_name} was successfully created.'" %> }
+        format.json { render json: <%= "@#{singular_table_name}" %>, status: :created, location: <%= "@#{singular_table_name}" %> }
+      else
+        format.html { render action: "new" }
+        format.json { render json: <%= "@#{orm_instance.errors}" %>, status: :unprocessable_entity }
+      end
+    end
+  end
+
+  # PATCH/PUT <%= route_url %>/1
+  # PATCH/PUT <%= route_url %>/1.json
+  def update
+    @<%= singular_table_name %> = <%= orm_class.find(class_name, "params[:id]") %>
+
+    respond_to do |format|
+      if @<%= orm_instance.update("#{singular_table_name}_params") %>
+        format.html { redirect_to @<%= singular_table_name %>, notice: <%= "'#{human_name} was successfully updated.'" %> }
+        format.json { head :no_content }
+      else
+        format.html { render action: "edit" }
+        format.json { render json: <%= "@#{orm_instance.errors}" %>, status: :unprocessable_entity }
+      end
+    end
+  end
+
+  # DELETE <%= route_url %>/1
+  # DELETE <%= route_url %>/1.json
+  def destroy
+    @<%= singular_table_name %> = <%= orm_class.find(class_name, "params[:id]") %>
+    @<%= orm_instance.destroy %>
+
+    respond_to do |format|
+      format.html { redirect_to <%= index_helper %>_url }
+      format.json { head :no_content }
+    end
+  end
+
+  private
+
+    # Use this method to whitelist the permissible parameters. Example:
+    # params.require(:person).permit(:name, :age)
+    # Also, you can specialize this method with per-user checking of permissible attributes.
+    def <%= "#{singular_table_name}_params" %>
+      params.require(<%= ":#{singular_table_name}" %>).permit(<%= attributes.map {|a| ":#{a.name}" }.sort.join(', ') %>)
+    end
+end
+<% end -%>

data/lib/legacy/action_controller/application_params.rb

@@ -0,0 +1,235 @@
+# frozen_string_literal: true
+
+require 'set'
+
+module ActionController
+  # Base class for declarative parameter permission definitions.
+  #
+  # ApplicationParams provides a DSL for defining which attributes are allowed
+  # or denied for mass assignment in controllers. This enables a centralized,
+  # declarative approach to parameter filtering that's more maintainable than
+  # inline permit() calls.
+  #
+  # @example Basic usage
+  #   class UserParams < ApplicationParams
+  #     allow :name
+  #     allow :email
+  #     deny :is_admin
+  #   end
+  #
+  # @example With action-specific permissions
+  #   class PostParams < ApplicationParams
+  #     allow :title
+  #     allow :body
+  #     allow :published, only: :create
+  #     allow :view_count, except: :create
+  #   end
+  #
+  # @example With metadata declaration
+  #   class AccountParams < ApplicationParams
+  #     allow :name
+  #     metadata :ip_address, :role
+  #   end
+  class ApplicationParams
+    class << self
+      # Returns the list of allowed attributes.
+      #
+      # @return [Array<Symbol>] array of allowed attribute names
+      def allowed_attributes
+        @allowed_attributes ||= []
+      end
+
+      # Returns the list of denied attributes.
+      #
+      # @return [Array<Symbol>] array of denied attribute names
+      def denied_attributes
+        @denied_attributes ||= []
+      end
+
+      # Returns the flags hash.
+      #
+      # @return [Hash<Symbol, Object>] hash of flag names to values
+      def flags
+        @flags ||= {}
+      end
+
+      # Returns the set of allowed metadata keys.
+      #
+      # @return [Set<Symbol>] set of allowed metadata key names
+      # @note :current_user is always implicitly allowed
+      def allowed_metadata
+        @allowed_metadata ||= Set.new
+      end
+
+      # DSL method to allow an attribute
+      # @param attribute [Symbol, String, Hash] the attribute name to allow, or a hash for arrays
+      # @param options [Hash] additional options
+      #   - :only - only allow this attribute for these actions
+      #   - :except - allow this attribute except for these actions
+      #   - :array - if true, permit an array of scalar values
+      # Examples:
+      #   allow :name                           # permits scalar name
+      #   allow :tags, array: true              # permits array of scalars
+      #   allow :tags, only: :create            # only for create action
+      def allow(attribute, options = {})
+        attribute = attribute.to_sym
+        allowed_attributes << attribute unless allowed_attributes.include?(attribute)
+
+        # Store any additional options for this attribute
+        if options.any?
+          @attribute_options ||= {}
+          # Normalize :only and :except to arrays for consistency
+          normalized_options = options.dup
+          [:only, :except].each do |key|
+            if normalized_options[key] && !normalized_options[key].is_a?(Array)
+              normalized_options[key] = [normalized_options[key]]
+            end
+          end
+          @attribute_options[attribute] = normalized_options
+        end
+      end
+
+      # DSL method to deny an attribute
+      # @param attribute [Symbol, String] the attribute name to deny
+      def deny(attribute)
+        attribute = attribute.to_sym
+        denied_attributes << attribute unless denied_attributes.include?(attribute)
+      end
+
+      # DSL method to set a flag
+      # @param name [Symbol, String] the flag name
+      # @param value [Boolean, Object] the flag value
+      def flag(name, value = true)
+        flags[name.to_sym] = value
+      end
+
+      # DSL method to declare allowed metadata keys
+      # @param key [Symbol, String] the metadata key to allow
+      # Note: :current_user is always allowed and doesn't need to be declared
+      def metadata(*keys)
+        keys.each do |key|
+          allowed_metadata << key.to_sym
+        end
+      end
+
+      # Check if an attribute is allowed.
+      #
+      # An attribute is allowed if it's in the allowed list and not in the denied list.
+      # Uses memoization for better performance on repeated checks.
+      #
+      # @param attribute [Symbol, String] the attribute name
+      # @return [Boolean] true if allowed, false otherwise
+      def allowed?(attribute)
+        attribute = attribute.to_sym
+        return false if denied_attributes.include?(attribute)
+
+        allowed_attributes.include?(attribute)
+      end
+
+      # Check if an attribute is denied.
+      #
+      # @param attribute [Symbol, String] the attribute name
+      # @return [Boolean] true if denied, false otherwise
+      def denied?(attribute)
+        denied_attributes.include?(attribute.to_sym)
+      end
+
+      # Check if a flag is set
+      # @param name [Symbol, String] the flag name
+      # @return [Boolean, Object] the flag value
+      def flag?(name)
+        flags[name.to_sym]
+      end
+
+      # Check if a metadata key is allowed
+      # @param key [Symbol, String] the metadata key
+      # @return [Boolean] true if allowed, false otherwise
+      # Note: :current_user is always allowed
+      def metadata_allowed?(key)
+        key = key.to_sym
+        key == :current_user || allowed_metadata.include?(key)
+      end
+
+      # Get options for an attribute
+      # @param attribute [Symbol, String] the attribute name
+      # @return [Hash] the options hash
+      def attribute_options(attribute)
+        @attribute_options ||= {}
+        @attribute_options[attribute.to_sym] || {}
+      end
+
+      # Generate a permit array suitable for strong_parameters.
+      #
+      # Returns an array of permitted attributes, optionally filtered by action.
+      # Results are cached per action for better performance.
+      #
+      # @param action [Symbol, String, nil] optional action name to filter by
+      # @return [Array<Symbol, Hash>] array of permitted attributes
+      #   Returns symbols for scalar attributes, and {attr: []} for array attributes
+      # @example
+      #   permitted_attributes # => [:name, :email]
+      #   permitted_attributes(action: :create) # => [:name, :email, :published]
+      def permitted_attributes(action: nil)
+        # Use cache for performance on repeated calls
+        @permitted_cache ||= {}
+        cache_key = action || :__no_action__
+
+        return @permitted_cache[cache_key] if @permitted_cache.key?(cache_key)
+
+        attrs = allowed_attributes.dup
+
+        # Remove denied attributes
+        attrs.reject! { |attr| denied_attributes.include?(attr) }
+
+        # Filter by action-specific flags if provided
+        if action
+          action = action.to_sym
+          attrs.select! do |attr|
+            opts = attribute_options(attr)
+            if opts[:only]
+              Array(opts[:only]).include?(action)
+            elsif opts[:except]
+              !Array(opts[:except]).include?(action)
+            else
+              true
+            end
+          end
+        end
+
+        # Convert to proper permit format
+        # For array attributes, return {attr: []}, otherwise just the symbol
+        result = attrs.map do |attr|
+          opts = attribute_options(attr)
+          if opts[:array]
+            { attr => [] }
+          else
+            attr
+          end
+        end.freeze
+
+        @permitted_cache[cache_key] = result
+      end
+
+      # Inherit attributes from parent class.
+      #
+      # When a subclass is created, it inherits all configuration from the parent
+      # including allowed/denied attributes, flags, metadata, and options. This
+      # enables building specialized params classes on top of base ones.
+      #
+      # @param subclass [Class] the inheriting subclass
+      # @return [void]
+      def inherited(subclass)
+        super
+        # Copy parent's configuration to subclass
+        subclass.instance_variable_set(:@allowed_attributes, allowed_attributes.dup)
+        subclass.instance_variable_set(:@denied_attributes, denied_attributes.dup)
+        subclass.instance_variable_set(:@flags, flags.dup)
+        subclass.instance_variable_set(:@allowed_metadata, allowed_metadata.dup)
+        if instance_variable_defined?(:@attribute_options)
+          subclass.instance_variable_set(:@attribute_options, @attribute_options.dup)
+        end
+        # Don't copy the cache - let subclass build its own
+      end
+    end
+  end
+end