forme 1.8.0 → 1.12.0

data/lib/forme/transformers/inputs_wrapper.rb

@@ -10,7 +10,7 @@ module Forme
     # Wrap the inputs in a <fieldset>.  If the :legend
     # option is given, add a <legend> tag as the first
     # child of the fieldset.
-    def call(form, opts)
+    def call(form, opts, &block)
       attr = opts[:attr] ? opts[:attr].dup : {}
       Forme.attr_classes(attr, 'inputs')
       if legend = opts[:legend]
@@ -19,7 +19,7 @@ module Forme
           yield
         end
       else
-        form.tag(:fieldset, attr, &Proc.new)
+        form.tag(:fieldset, attr, &block)
       end
     end
   end

data/lib/forme/transformers/labeler.rb

@@ -77,4 +77,23 @@ module Forme
       t
     end
   end
+
+  class Labeler::Span
+    Forme.register_transformer(:labeler, :span, new)
+
+    def call(tag, input)
+      label_attr = input.opts[:label_attr]
+      label_attr = label_attr ? label_attr.dup : {}
+      Forme.attr_classes(label_attr, "label")
+      [input.tag(:span, label_attr, input.opts[:label]), tag]
+    end
+  end
+
+  class Labeler::Legend
+    Forme.register_transformer(:labeler, :legend, new)
+
+    def call(tag, input)
+      [input.tag(:legend, input.opts[:label_attr], input.opts[:label]), tag]
+    end
+  end
 end

data/lib/forme/transformers/serializer.rb

@@ -8,12 +8,6 @@ module Forme
   class Serializer
     Forme.register_transformer(:serializer, :default, new)
 
-    # Borrowed from Rack::Utils, map of single character strings to html escaped versions.
-    ESCAPE_HTML = {"&" => "&amp;", "<" => "&lt;", ">" => "&gt;", "'" => "&#39;", '"' => "&quot;"}
-
-    # A regexp that matches all html characters requiring escaping.
-    ESCAPE_HTML_PATTERN = Regexp.union(*ESCAPE_HTML.keys)
-
     # Which tags are self closing (such tags ignore children).
     SELF_CLOSING = [:img, :input]
 
@@ -43,7 +37,7 @@ module Forme
       when Raw
         tag.to_s
       else
-        h tag
+        Forme.h(tag)
       end
     end
 
@@ -69,11 +63,6 @@ module Forme
       time.is_a?(Time) ? (time.strftime('%Y-%m-%dT%H:%M:%S') + sprintf(".%03d", time.usec)) : (time.strftime('%Y-%m-%dT%H:%M:%S.') + time.strftime('%N')[0...3])
     end
 
-    # Escape ampersands, brackets and quotes to their HTML/XML entities.
-    def h(string)
-      string.to_s.gsub(ESCAPE_HTML_PATTERN){|c| ESCAPE_HTML[c] }
-    end
-
     # Join attribute values that are arrays with spaces instead of an empty
     # string.
     def attr_value(v)

data/lib/forme/transformers/wrapper.rb

@@ -23,7 +23,7 @@ module Forme
       input.tag(@type, input.opts[:wrapper_attr], super)
     end
 
-    [:li, :p, :div, :span, :td].each do |x|
+    [:li, :p, :div, :span, :td, :fieldset].each do |x|
       Forme.register_transformer(:wrapper, x, new(x))
     end
   end

data/lib/forme/version.rb

@@ -6,7 +6,7 @@ module Forme
   MAJOR = 1
 
   # The minor version of Forme, updated for new feature releases of Forme.
-  MINOR = 8
+  MINOR = 12
 
   # The patch version of Forme, updated only for bug fixes from the last
   # feature release.

data/lib/forme.rb

@@ -8,6 +8,33 @@ module Forme
   class Error < StandardError
   end
 
+  begin
+    require 'cgi/escape'
+  # :nocov:
+    unless CGI.respond_to?(:escapeHTML) # work around for JRuby 9.1
+      CGI = Object.new
+      CGI.extend(defined?(::CGI::Escape) ? ::CGI::Escape : ::CGI::Util)
+    end
+    def self.h(value)
+      CGI.escapeHTML(value.to_s)
+    end
+  rescue LoadError
+    ESCAPE_TABLE = {'&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;'}.freeze
+    ESCAPE_TABLE.each_value(&:freeze)
+    if RUBY_VERSION >= '1.9'
+      # Escape the following characters with their HTML/XML
+      # equivalents.
+      def self.h(value)
+        value.to_s.gsub(/[&<>"']/, ESCAPE_TABLE)
+      end
+    else
+      def self.h(value)
+        value.to_s.gsub(/[&<>"']/){|s| ESCAPE_TABLE[s]}
+      end
+    end
+  end
+  # :nocov:
+
   @default_add_blank_prompt = nil
   @default_config = :default
   class << self

data/lib/roda/plugins/forme_route_csrf.rb

@@ -45,12 +45,26 @@ class Roda
               csrf_token
             end
 
+            options[:csrf] = [csrf_field, token]
             options[:hidden_tags] ||= []
             options[:hidden_tags] += [{csrf_field=>token}]
           end
 
           options[:output] = @_out_buf if block
-          ::Forme::ERB::Form.form(obj, attr, opts, &block)
+          _forme_form_options(options)
+          _forme_form_class.form(obj, attr, opts, &block)
+        end
+
+        private
+
+        # The class to use for forms
+        def _forme_form_class
+          ::Forme::ERB::Form
+        end
+
+        # The options to use for forms.  Any changes should mutate this hash to set options.
+        def _forme_form_options(options)
+          options
         end
       end
     end

data/lib/roda/plugins/forme_set.rb

@@ -0,0 +1,214 @@
+# frozen-string-literal: true
+
+require 'rack/utils'
+require 'forme/erb_form'
+
+class Roda
+  module RodaPlugins
+    module FormeSet
+      # Require the forme_route_csrf plugin.
+      def self.load_dependencies(app, _ = nil)
+        app.plugin :forme_route_csrf 
+      end
+
+      # Set the HMAC secret.
+      def self.configure(app, opts = OPTS, &block)
+        app.opts[:forme_set_hmac_secret] = opts[:secret] || app.opts[:forme_set_hmac_secret]
+
+        if block
+          app.send(:define_method, :_forme_set_handle_error, &block)
+          app.send(:private, :_forme_set_handle_error)
+        end
+      end
+
+      # Error class raised for invalid form submissions.
+      class Error < StandardError
+      end
+
+      # Map of error types to error messages
+      ERROR_MESSAGES = {
+        :missing_data=>"_forme_set_data parameter not submitted",
+        :missing_hmac=>"_forme_set_data_hmac parameter not submitted",
+        :hmac_mismatch=>"_forme_set_data_hmac does not match _forme_set_data",
+        :csrf_mismatch=>"_forme_set_data CSRF token does not match submitted CSRF token",
+        :missing_namespace=>"no content in expected namespace"
+      }.freeze
+
+      # Forme::Form subclass that adds hidden fields with metadata that can be used
+      # to automatically process form submissions.
+      class Form < ::Forme::ERB::Form
+        def initialize(obj, opts=nil)
+          super
+          @forme_namespaces = @opts[:namespace]
+        end
+
+        # Try adding hidden fields to all forms
+        def form(*)
+          if block_given?
+            super do |f|
+              yield f
+              hmac_hidden_fields
+            end
+          else
+            t = super
+            if tags = hmac_hidden_fields
+              tags.each{|tag| t << tag}
+            end
+            t
+          end
+        end
+
+        private
+
+        # Add hidden fields with metadata, if the form has an object associated that
+        # supports the forme_inputs method, and it includes inputs.
+        def hmac_hidden_fields
+          if (obj = @opts[:obj]) && obj.respond_to?(:forme_inputs) && (forme_inputs = obj.forme_inputs)
+            columns = []
+            valid_values = {}
+
+            forme_inputs.each do |field, input|
+              next unless col = obj.send(:forme_column_for_input, input)
+              col = col.to_s
+              columns << col
+
+              next unless validation = obj.send(:forme_validation_for_input, field, input)
+              validation[0] = validation[0].to_s
+              has_nil = false
+              validation[1] = validation[1].map do |v|
+                has_nil ||= v.nil?
+                v.to_s
+              end
+              validation[1] << nil if has_nil
+              valid_values[col] = validation
+            end
+
+            return if columns.empty?
+
+            data = {}
+            data['columns'] = columns
+            data['namespaces'] = @forme_namespaces
+            data['csrf'] = @opts[:csrf]
+            data['valid_values'] = valid_values unless valid_values.empty?
+            data['form_version'] = @opts[:form_version] if @opts[:form_version]
+
+            data = data.to_json
+            tags = []
+            tags << tag(:input, :type=>:hidden, :name=>:_forme_set_data, :value=>data)
+            tags << tag(:input, :type=>:hidden, :name=>:_forme_set_data_hmac, :value=>OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA512.new, @opts[:roda].class.opts[:forme_set_hmac_secret], data))
+            tags.each{|tag| emit(tag)}
+            tags
+          end
+        end
+      end
+
+      module InstanceMethods
+        # Return hash based on submitted parameters, with :values key
+        # being submitted values for the object, and :validations key
+        # being a hash of validation metadata for the object.
+        def forme_parse(obj)
+          h = _forme_parse(obj)
+          
+          params = h.delete(:params)
+          columns = h.delete(:columns)
+          h[:validations] ||= {}
+
+          values = h[:values] = {}
+          columns.each do |col|
+            values[col.to_sym] = params[col]
+          end
+
+          h
+        end
+
+        # Set fields on the object based on submitted parameters, as
+        # well as validations for associated object values.
+        def forme_set(obj)
+          h = _forme_parse(obj)
+
+          obj.set_fields(h[:params], h[:columns])
+
+          if h[:validations]
+            obj.forme_validations.merge!(h[:validations])
+          end
+
+          if block_given?
+            yield h[:form_version], obj
+          end
+
+          obj
+        end
+
+        private
+
+        # Raise error with message based on type
+        def _forme_set_handle_error(type, _obj)
+        end
+
+        # Raise error with message based on type
+        def _forme_parse_error(type, obj)
+          _forme_set_handle_error(type, obj)
+          raise Error, ERROR_MESSAGES[type]
+        end
+
+        # Use form class that adds hidden fields for metadata.
+        def _forme_form_class
+          Form
+        end
+
+        # Include a reference to the current scope to the form.  This reference is needed
+        # to correctly construct the HMAC.
+        def _forme_form_options(options)
+          options.merge!(:roda=>self)
+        end
+
+        # Internals of forme_parse_hmac and forme_set_hmac.
+        def _forme_parse(obj)
+          params = request.params
+          return _forme_parse_error(:missing_data, obj) unless data = params['_forme_set_data']
+          return _forme_parse_error(:missing_hmac, obj) unless hmac = params['_forme_set_data_hmac']
+
+          data = data.to_s
+          hmac = hmac.to_s
+          actual = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA512.new, self.class.opts[:forme_set_hmac_secret], data)
+          unless Rack::Utils.secure_compare(hmac.ljust(64), actual) && hmac.length == actual.length
+            return _forme_parse_error(:hmac_mismatch, obj)
+          end
+
+          data = JSON.parse(data)
+          csrf_field, hmac_csrf_value = data['csrf']
+          if csrf_field
+            csrf_value = params[csrf_field].to_s
+            hmac_csrf_value = hmac_csrf_value.to_s
+            unless Rack::Utils.secure_compare(csrf_value.ljust(hmac_csrf_value.length), hmac_csrf_value) && csrf_value.length == hmac_csrf_value.length
+              return _forme_parse_error(:csrf_mismatch, obj)
+            end
+          end
+
+          namespaces = data['namespaces']
+          namespaces.each do |key|
+            return _forme_parse_error(:missing_namespace, obj) unless params = params[key]
+          end
+
+          if valid_values = data['valid_values']
+            validations = {}
+            valid_values.each do |col, (type, values)|
+              value = params[col]
+              valid = if type == "subset"
+                !value || (value - values).empty?
+              else # type == "include"
+                values.include?(value)
+              end
+
+              validations[col.to_sym] = [:valid, valid]
+            end
+          end
+
+          {:params=>params, :columns=>data["columns"], :validations=>validations, :form_version=>data['form_version']}
+        end
+      end
+    end
+
+    register_plugin(:forme_set, FormeSet)
+  end
+end

data/lib/sequel/plugins/forme.rb

@@ -192,6 +192,7 @@ module Sequel # :nodoc:
 
         # Set the error option correctly if the field contains errors
         def handle_errors(f)
+          return if opts.has_key?(:error)
           if e = obj.errors.on(f)
             opts[:error] = e.join(', ')
           end
@@ -207,6 +208,7 @@ module Sequel # :nodoc:
         # Update the attributes and options for any recognized validations
         def handle_validations(f)
           m = obj.model
+
           if m.respond_to?(:validation_reflections) and (vs = m.validation_reflections[f])
             attr = opts[:attr]
             vs.each do |type, options|
@@ -218,7 +220,7 @@ module Sequel # :nodoc:
                 attr[:title] = options[:title] unless attr.has_key?(:title)
               when :length
                 unless attr.has_key?(:maxlength)
-                  if max =(options[:maximum] || options[:is])
+                  if max = (options[:maximum] || options[:is])
                     attr[:maxlength] = max
                   elsif (w = options[:within]) && w.is_a?(Range)
                     attr[:maxlength] = if w.exclude_end? && w.end.is_a?(Integer)
@@ -345,7 +347,7 @@ module Sequel # :nodoc:
 
         # Delegate to the +form+.
         def humanize(s)
-          form.humanize(s)
+          form.respond_to?(:humanize) ? form.humanize(s) : s.to_s.gsub(/_id$/, "").gsub(/_/, " ").capitalize
         end
 
         # If the column allows +NULL+ values, use a three-valued select
@@ -442,6 +444,9 @@ module Sequel # :nodoc:
         # is overridden.
         def standard_input(type)
           type = opts.delete(:type) || type
+          if type.to_s =~ /\A(text|textarea|password|email|tel|url)\z/ && !opts[:attr].has_key?(:maxlength) && (sch = obj.db_schema[field]) && (max_length = sch[:max_length])
+            opts[:attr][:maxlength] = max_length
+          end
           opts[:value] = obj.send(field) unless opts.has_key?(:value)
           _input(type, opts)
         end
@@ -466,10 +471,10 @@ module Sequel # :nodoc:
         include SequelForm
       end
 
-      module InstanceMethods
-        MUTEX = Mutex.new
-        FORM_CLASSES = {::Forme::Form=>Form}
+      MUTEX = Mutex.new
+      FORM_CLASSES = {::Forme::Form=>Form}
 
+      module InstanceMethods
         # Configure the +form+ with support for <tt>Sequel::Model</tt>
         # specific code, such as support for nested attributes.
         def forme_config(form)

data/lib/sequel/plugins/forme_set.rb

@@ -3,7 +3,7 @@
 module Sequel # :nodoc:
   module Plugins # :nodoc:
     # The forme_set plugin makes the model instance keep track of which form
-    # inputs have been added for it. It adds a forme_set method to handle
+    # inputs have been added for it. It adds a <tt>forme_set(params['model_name'])</tt> method to handle
     # the intake of submitted data from the form.  For more complete control,
     # it also adds a forme_parse method that returns a hash of information that can be
     # used to modify and validate the object.
@@ -18,6 +18,7 @@ module Sequel # :nodoc:
       module InstanceMethods
         # Hash with column name symbol keys and Forme::SequelInput values
         def forme_inputs
+          return (@forme_inputs || {}) if frozen?
           @forme_inputs ||= {}
         end
 
@@ -25,12 +26,13 @@ module Sequel # :nodoc:
         # is a boolean flag, if true, the uploaded values should be a subset of the allowed values,
         # otherwise, there should be a single uploaded value that is a member of the allowed values.
         def forme_validations
+          return (@forme_validations || {}) if frozen?
           @forme_validations ||= {}
         end
 
         # Keep track of the inputs used.
         def forme_input(_form, field, _opts)
-          forme_inputs[field] = super
+          frozen? ? super : (forme_inputs[field] = super)
         end
 
         # Given the hash of submitted parameters, return a hash containing information on how to
@@ -47,34 +49,11 @@ module Sequel # :nodoc:
           validations = hash[:validations] = {}
 
           forme_inputs.each do |field, input|
-            opts = input.opts
-            next if SKIP_FORMATTERS.include?(opts.fetch(:formatter){input.form.opts[:formatter]})
-
-            if attr = opts[:attr]
-              name = attr[:name] || attr['name']
-            end
-            name ||= opts[:name] || opts[:key] || next
-
-            # Pull out last component of the name if there is one
-            column = (name =~ /\[([^\[\]]+)\]\z/ ? $1 : name)
-            column = column.to_s.sub(/\[\]\z/, '').to_sym
-
+            next unless column = forme_column_for_input(input)
             hash_values[column] = params[column] || params[column.to_s]
 
-            next unless ref = model.association_reflection(field)
-            next unless options = opts[:options]
-
-            values = if opts[:text_method]
-              value_method = opts[:value_method] || opts[:text_method]
-              options.map(&value_method)
-            else
-              options.map{|obj| obj.is_a?(Array) ? obj.last : obj}
-            end
-
-            if ref[:type] == :many_to_one && !opts[:required]
-              values << nil
-            end
-            validations[column] = [ref[:type] != :many_to_one ? :subset : :include, values]
+            next unless validation = forme_validation_for_input(field, input)
+            validations[column] = validation
           end
 
           hash
@@ -88,6 +67,7 @@ module Sequel # :nodoc:
           unless hash[:validations].empty?
             forme_validations.merge!(hash[:validations])
           end
+          nil
         end
 
         # Check associated values to ensure they match one of options in the form.
@@ -105,6 +85,8 @@ module Sequel # :nodoc:
                 !value || (value - values).empty?
               when :include
                 values.include?(value)
+              when :valid
+                values
               else
                 raise Forme::Error, "invalid type used in forme_validations"
               end
@@ -115,6 +97,46 @@ module Sequel # :nodoc:
             end
           end
         end
+
+        private
+
+        # Return the model column name to use for the given form input.
+        def forme_column_for_input(input)
+          opts = input.opts
+          return if SKIP_FORMATTERS.include?(opts.fetch(:formatter){input.form_opts[:formatter]})
+
+          if attr = opts[:attr]
+            name = attr[:name] || attr['name']
+          end
+          return unless name ||= opts[:name] || opts[:key]
+
+          # Pull out last component of the name if there is one
+          column = name.to_s.chomp('[]')
+          if column =~ /\[([^\[\]]+)\]\z/
+            $1
+          else
+            column
+          end.to_sym
+        end
+
+        # Return the validation metadata to use for the given field name and form input.
+        def forme_validation_for_input(field, input)
+          return unless ref = model.association_reflection(field)
+          opts = input.opts
+          return unless options = opts[:options]
+
+          values = if opts[:text_method]
+            value_method = opts[:value_method] || opts[:text_method]
+            options.map(&value_method)
+          else
+            options.map{|obj| obj.is_a?(Array) ? obj.last : obj}
+          end
+
+          if ref[:type] == :many_to_one && !opts[:required]
+            values << nil
+          end
+          [ref[:type] != :many_to_one ? :subset : :include, values]
+        end
       end
     end
   end