filtered_attributes 0.1.0

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2011 YOURNAME
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,75 @@
+# filtered\_attributes
+
+## Alternative way to filter mass-assignment attributes
+
+attr_protected/attr_accessible are great tools, but in practive, rarely
+used properly. I strongly believe that this is because we are trying to
+squeeze too much into model layer, while controllers layer is underused.
+Access control, authentication and authorization should be all done
+inside controllers. At least this is what my intuition says.
+
+## Instalation
+
+This gem was tested with Rails 3.1 and Ruby 1.9.3. I see no reason why
+it can't work with earlier versions - <a
+href="mailto:hubert.lepicki@amberbit.com">let me know if it works for
+you</a>. However, this library will not work with Ruby versions prior to
+1.9.
+
+### Step1: Add the gem to Gemfile:
+
+```ruby
+    gem 'filtered_attributes', '~> 0.1.0'
+```
+
+```bash
+    bundle
+```
+
+### Step2: Amend your ApplicationController (or any other controller you subclass from)
+
+```ruby
+    class ApplicationController < ActionController::Base
+      include FilteredAttributes::Filters
+      ....
+    end
+```
+### Step3: Restart your application if it was running!
+
+# Usage
+
+## Basics
+
+```ruby
+    class UsersController < ApplicationController
+      filter_attributes_for :user, allow: [:email, :password, :password_confirmation]
+      def create
+        User.create! user_attributes
+      end
+    end
+```
+
+## Advanced
+
+filter\_attributes takes parameters:
+
+- **resource_name** key in params hash where attributes for resource
+  are passed, for example ```:user``` will mean ```params[:user]``` stores
+attributes to be filtered
+- **options** (Hash), with keys
+  - **:allow** (Array) list of allowed attributes, defaults to ```[]```
+  - **:as** (Symbol) prefix of helper method, defaults to resource_name,
+    for example ```filter_attributes_for :user, as: :account```
+will seek for attributes in ```params[:user]```, but create helper method
+account_attributes in your controller
+  - **:only** (Array) - list of actions that parameters will be filtered
+    for
+  - **:except** (Array) - opposite of **only**, can't be used together
+  - **:attributes_hash** (Lambda) - pass your procedure if you want to
+    find your model attributes somewhere deeper in ```params``` hash. Params
+hash will be passed to this lambda as it's only parameter.
+
+# Legal
+Copyright 2011 Hubert Łępicki <hubert.lepicki@amberbit.com>. Released
+under the terms of MIT License (see file MIT-LICENSE in current
+directory).

data/Rakefile

@@ -0,0 +1,37 @@
+#!/usr/bin/env rake
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+begin
+  require 'rdoc/task'
+rescue LoadError
+  require 'rdoc/rdoc'
+  require 'rake/rdoctask'
+  RDoc::Task = Rake::RDocTask
+end
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'FilteredAttributes'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+
+
+Bundler::GemHelper.install_tasks
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+
+task :default => :test

data/lib/filtered_attributes/version.rb

@@ -0,0 +1,3 @@
+module FilteredAttributes
+  VERSION = "0.1.0"
+end

data/lib/filtered_attributes.rb

@@ -0,0 +1,42 @@
+module FilteredAttributes
+  module Filters
+    extend ActiveSupport::Concern
+
+    module ClassMethods
+      def filter_attributes_for(resource_name, options={})
+        default_options = {as: resource_name, allow: []}
+        options.reverse_merge! default_options
+        options[:allow] = options[:allow].map {|k| k.to_s}
+
+        define_method "#{options[:as]}_attributes" do
+          instance_variable_get "@_#{options[:as]}_attributes"
+        end
+
+        self.send :private, "#{options[:as]}_attributes".to_sym
+
+        filter_params = if options[:only]
+          { only: options[:only] }
+        elsif options[:except]
+          { except: options[:except] }
+        else
+          {}
+        end
+
+        self.send :before_filter, filter_params do
+          params_hash = if options[:attributes_hash].respond_to? :call
+            options[:attributes_hash].call params
+          else
+            params[resource_name]
+          end
+
+          if params_hash
+            instance_variable_set "@_#{options[:as]}_attributes", HashWithIndifferentAccess.new(
+              params_hash.select {|k,v| options[:allow].include?(k.to_s)}
+            )
+          end
+        end
+      end
+    end
+  end
+end
+

data/lib/tasks/filtered_attributes_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :filtered_attributes do
+#   # Task goes here
+# end

data/test/dummy/Rakefile

@@ -0,0 +1,7 @@
+#!/usr/bin/env rake
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require File.expand_path('../config/application', __FILE__)
+
+Dummy::Application.load_tasks

data/test/dummy/app/assets/javascripts/application.js

@@ -0,0 +1,7 @@
+// This is a manifest file that'll be compiled into including all the files listed below.
+// Add new JavaScript/Coffee code in separate files in this directory and they'll automatically
+// be included in the compiled file accessible from http://example.com/assets/application.js
+// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
+// the compiled file.
+//
+//= require_tree .

data/test/dummy/app/assets/stylesheets/application.css

@@ -0,0 +1,7 @@
+/*
+ * This is a manifest file that'll automatically include all the stylesheets available in this directory
+ * and any sub-directories. You're free to add application-wide styles to this file and they'll appear at
+ * the top of the compiled file, but it's generally better to create a new file per style scope.
+ *= require_self
+ *= require_tree . 
+*/

data/test/dummy/app/controllers/advanced_filters_controller.rb

@@ -0,0 +1,18 @@
+class AdvancedFiltersController < ApplicationController
+  filter_attributes_for :account, allow: [:email], only: [:create]
+  filter_attributes_for :account, allow: [:admin], only: [:update]
+  filter_attributes_for :account, allow: [:email], except: [:create, :update],
+    attributes_hash: ->(params) { params[:foo][:bar][:account] }
+
+  def create
+    pass account_attributes
+  end
+
+  def update
+    pass account_attributes
+  end
+
+  def foo
+    pass account_attributes
+  end
+end

data/test/dummy/app/controllers/application_controller.rb

@@ -0,0 +1,12 @@
+class ApplicationController < ActionController::Base
+  include FilteredAttributes::Filters
+
+  protect_from_forgery
+
+  private
+
+  def pass(attrs)
+    Thread.current[:passed_params] = attrs
+    render text: "ok"
+  end
+end

data/test/dummy/app/controllers/basic_filters_controller.rb

@@ -0,0 +1,7 @@
+class BasicFiltersController < ApplicationController
+  filter_attributes_for :user, allow: [:email]
+
+  def create
+    pass user_attributes
+  end
+end

data/test/dummy/app/helpers/application_helper.rb

@@ -0,0 +1,2 @@
+module ApplicationHelper
+end

data/test/dummy/app/views/layouts/application.html.erb

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Dummy</title>
+  <%= stylesheet_link_tag    "application" %>
+  <%= javascript_include_tag "application" %>
+  <%= csrf_meta_tags %>
+</head>
+<body>
+
+<%= yield %>
+
+</body>
+</html>

data/test/dummy/config/application.rb

@@ -0,0 +1,51 @@
+require File.expand_path('../boot', __FILE__)
+
+# Pick the frameworks you want:
+#  require "active_record/railtie"
+require "action_controller/railtie"
+require "action_mailer/railtie"
+require "active_resource/railtie"
+# require "sprockets/railtie"
+require "rails/test_unit/railtie"
+
+Bundler.require
+require "filtered_attributes"
+
+module Dummy
+  class Application < Rails::Application
+    # Settings in config/environments/* take precedence over those specified here.
+    # Application configuration should go into files in config/initializers
+    # -- all .rb files in that directory are automatically loaded.
+
+    # Custom directories with classes and modules you want to be autoloadable.
+    # config.autoload_paths += %W(#{config.root}/extras)
+
+    # Only load the plugins named here, in the order given (default is alphabetical).
+    # :all can be used as a placeholder for all plugins not explicitly named.
+    # config.plugins = [ :exception_notification, :ssl_requirement, :all ]
+
+    # Activate observers that should always be running.
+    # config.active_record.observers = :cacher, :garbage_collector, :forum_observer
+
+    # Set Time.zone default to the specified zone and make Active Record auto-convert to this zone.
+    # Run "rake -D time" for a list of tasks for finding time zone names. Default is UTC.
+    # config.time_zone = 'Central Time (US & Canada)'
+
+    # The default locale is :en and all translations from config/locales/*.rb,yml are auto loaded.
+    # config.i18n.load_path += Dir[Rails.root.join('my', 'locales', '*.{rb,yml}').to_s]
+    # config.i18n.default_locale = :de
+
+    # Configure the default encoding used in templates for Ruby 1.9.
+    config.encoding = "utf-8"
+
+    # Configure sensitive parameters which will be filtered from the log file.
+    config.filter_parameters += [:password]
+
+    # Enable the asset pipeline
+    config.assets.enabled = true
+
+    # Version of your assets, change this if you want to expire all your assets
+    config.assets.version = '1.0'
+  end
+end
+

data/test/dummy/config/boot.rb

@@ -0,0 +1,10 @@
+require 'rubygems'
+gemfile = File.expand_path('../../../../Gemfile', __FILE__)
+
+if File.exist?(gemfile)
+  ENV['BUNDLE_GEMFILE'] = gemfile
+  require 'bundler'
+  Bundler.setup
+end
+
+$:.unshift File.expand_path('../../../../lib', __FILE__)

data/test/dummy/config/environment.rb

@@ -0,0 +1,5 @@
+# Load the rails application
+require File.expand_path('../application', __FILE__)
+
+# Initialize the rails application
+Dummy::Application.initialize!

data/test/dummy/config/environments/development.rb

@@ -0,0 +1,30 @@
+Dummy::Application.configure do
+  # Settings specified here will take precedence over those in config/application.rb
+
+  # In the development environment your application's code is reloaded on
+  # every request.  This slows down response time but is perfect for development
+  # since you don't have to restart the web server when you make code changes.
+  config.cache_classes = false
+
+  # Log error messages when you accidentally call methods on nil.
+  config.whiny_nils = true
+
+  # Show full error reports and disable caching
+  config.consider_all_requests_local       = true
+  config.action_controller.perform_caching = false
+
+  # Don't care if the mailer can't send
+  config.action_mailer.raise_delivery_errors = false
+
+  # Print deprecation notices to the Rails logger
+  config.active_support.deprecation = :log
+
+  # Only use best-standards-support built into browsers
+  config.action_dispatch.best_standards_support = :builtin
+
+  # Do not compress assets
+  config.assets.compress = false
+
+  # Expands the lines which load the assets
+  config.assets.debug = true
+end

data/test/dummy/config/environments/production.rb

@@ -0,0 +1,60 @@
+Dummy::Application.configure do
+  # Settings specified here will take precedence over those in config/application.rb
+
+  # Code is not reloaded between requests
+  config.cache_classes = true
+
+  # Full error reports are disabled and caching is turned on
+  config.consider_all_requests_local       = false
+  config.action_controller.perform_caching = true
+
+  # Disable Rails's static asset server (Apache or nginx will already do this)
+  config.serve_static_assets = false
+
+  # Compress JavaScripts and CSS
+  config.assets.compress = true
+
+  # Don't fallback to assets pipeline if a precompiled asset is missed
+  config.assets.compile = false
+
+  # Generate digests for assets URLs
+  config.assets.digest = true
+
+  # Defaults to Rails.root.join("public/assets")
+  # config.assets.manifest = YOUR_PATH
+
+  # Specifies the header that your server uses for sending files
+  # config.action_dispatch.x_sendfile_header = "X-Sendfile" # for apache
+  # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for nginx
+
+  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
+  # config.force_ssl = true
+
+  # See everything in the log (default is :info)
+  # config.log_level = :debug
+
+  # Use a different logger for distributed setups
+  # config.logger = SyslogLogger.new
+
+  # Use a different cache store in production
+  # config.cache_store = :mem_cache_store
+
+  # Enable serving of images, stylesheets, and JavaScripts from an asset server
+  # config.action_controller.asset_host = "http://assets.example.com"
+
+  # Precompile additional assets (application.js, application.css, and all non-JS/CSS are already added)
+  # config.assets.precompile += %w( search.js )
+
+  # Disable delivery errors, bad email addresses will be ignored
+  # config.action_mailer.raise_delivery_errors = false
+
+  # Enable threaded mode
+  # config.threadsafe!
+
+  # Enable locale fallbacks for I18n (makes lookups for any locale fall back to
+  # the I18n.default_locale when a translation can not be found)
+  config.i18n.fallbacks = true
+
+  # Send deprecation notices to registered listeners
+  config.active_support.deprecation = :notify
+end

data/test/dummy/config/environments/test.rb

@@ -0,0 +1,42 @@
+Dummy::Application.configure do
+  # Settings specified here will take precedence over those in config/application.rb
+
+  # The test environment is used exclusively to run your application's
+  # test suite.  You never need to work with it otherwise.  Remember that
+  # your test database is "scratch space" for the test suite and is wiped
+  # and recreated between test runs.  Don't rely on the data there!
+  config.cache_classes = true
+
+  # Configure static asset server for tests with Cache-Control for performance
+  config.serve_static_assets = true
+  config.static_cache_control = "public, max-age=3600"
+
+  # Log error messages when you accidentally call methods on nil
+  config.whiny_nils = true
+
+  # Show full error reports and disable caching
+  config.consider_all_requests_local       = true
+  config.action_controller.perform_caching = false
+
+  # Raise exceptions instead of rendering exception templates
+  config.action_dispatch.show_exceptions = false
+
+  # Disable request forgery protection in test environment
+  config.action_controller.allow_forgery_protection    = false
+
+  # Tell Action Mailer not to deliver emails to the real world.
+  # The :test delivery method accumulates sent emails in the
+  # ActionMailer::Base.deliveries array.
+  config.action_mailer.delivery_method = :test
+
+  # Use SQL instead of Active Record's schema dumper when creating the test database.
+  # This is necessary if your schema can't be completely dumped by the schema dumper,
+  # like if you have constraints or database-specific column types
+  # config.active_record.schema_format = :sql
+
+  # Print deprecation notices to the stderr
+  config.active_support.deprecation = :stderr
+
+  # Allow pass debug_assets=true as a query parameter to load pages with unpackaged assets
+  config.assets.allow_debugging = true
+end

data/test/dummy/config/initializers/backtrace_silencers.rb

@@ -0,0 +1,7 @@
+# Be sure to restart your server when you modify this file.
+
+# You can add backtrace silencers for libraries that you're using but don't wish to see in your backtraces.
+# Rails.backtrace_cleaner.add_silencer { |line| line =~ /my_noisy_library/ }
+
+# You can also remove all the silencers if you're trying to debug a problem that might stem from framework code.
+# Rails.backtrace_cleaner.remove_silencers!

data/test/dummy/config/initializers/inflections.rb

@@ -0,0 +1,10 @@
+# Be sure to restart your server when you modify this file.
+
+# Add new inflection rules using the following format
+# (all these examples are active by default):
+# ActiveSupport::Inflector.inflections do |inflect|
+#   inflect.plural /^(ox)$/i, '\1en'
+#   inflect.singular /^(ox)en/i, '\1'
+#   inflect.irregular 'person', 'people'
+#   inflect.uncountable %w( fish sheep )
+# end

data/test/dummy/config/initializers/mime_types.rb

@@ -0,0 +1,5 @@
+# Be sure to restart your server when you modify this file.
+
+# Add new mime types for use in respond_to blocks:
+# Mime::Type.register "text/richtext", :rtf
+# Mime::Type.register_alias "text/html", :iphone

data/test/dummy/config/initializers/secret_token.rb

@@ -0,0 +1,7 @@
+# Be sure to restart your server when you modify this file.
+
+# Your secret key for verifying the integrity of signed cookies.
+# If you change this key, all old signed cookies will become invalid!
+# Make sure the secret is at least 30 characters and all random,
+# no regular words or you'll be exposed to dictionary attacks.
+Dummy::Application.config.secret_token = 'ae7846144bc2271121948ffd11d1c6f8047fc3de0077f71533bec97a33d5d754766f6cdc3c13620d5df2600e06a603da133705dba2aa77bc838b591011d749d1'

data/test/dummy/config/initializers/session_store.rb

@@ -0,0 +1,8 @@
+# Be sure to restart your server when you modify this file.
+
+Dummy::Application.config.session_store :cookie_store, key: '_dummy_session'
+
+# Use the database for sessions instead of the cookie-based default,
+# which shouldn't be used to store highly confidential information
+# (create the session table with "rails generate session_migration")
+# Dummy::Application.config.session_store :active_record_store

data/test/dummy/config/initializers/wrap_parameters.rb

@@ -0,0 +1,10 @@
+# Be sure to restart your server when you modify this file.
+#
+# This file contains settings for ActionController::ParamsWrapper which
+# is enabled by default.
+
+# Enable parameter wrapping for JSON. You can disable this by setting :format to an empty array.
+ActiveSupport.on_load(:action_controller) do
+  wrap_parameters format: [:json]
+end
+

data/test/dummy/config/locales/en.yml

@@ -0,0 +1,5 @@
+# Sample localization file for English. Add more files in this directory for other locales.
+# See https://github.com/svenfuchs/rails-i18n/tree/master/rails%2Flocale for starting points.
+
+en:
+  hello: "Hello world"

data/test/dummy/config/routes.rb

@@ -0,0 +1,8 @@
+Dummy::Application.routes.draw do
+  resources :basic_filters
+  resources :advanced_filters do
+    collection do
+      post :foo
+    end
+  end
+end

data/test/dummy/config.ru

@@ -0,0 +1,4 @@
+# This file is used by Rack-based servers to start the application.
+
+require ::File.expand_path('../config/environment',  __FILE__)
+run Dummy::Application