RubyGems - ledermann-rails-settings - Versions diffs - 2.0.0 → 2.0.1 - Mend

ledermann-rails-settings 2.0.0 → 2.0.1

Files changed (10) hide show

checksums.yaml +4 -4
data/Changelog.md +5 -0
data/README.md +1 -1
data/lib/rails-settings.rb +2 -2
data/lib/rails-settings/base.rb +1 -1
data/lib/rails-settings/scopes.rb +20 -24
data/lib/rails-settings/setting_object.rb +10 -0
data/lib/rails-settings/version.rb +1 -1
data/spec/setting_object_spec.rb +9 -2
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7aa1af77c8b2aba3819e77ba00790f313f143e69
-  data.tar.gz: c4d85b477105c7f86dae04d5fb5b9245506fd1a2
+  metadata.gz: acfe3a67b8daf8e9108c0ddf270e638c4310d2b1
+  data.tar.gz: ef9c5a3a455365f5817f56f5476b12d9283d2440
 SHA512:
-  metadata.gz: 883960f19b067da03bc8f54d3de59d82d8640eeeb44d31b5ada5949a552a43027f59bec7b3854e9f9bc341c10126deb3c1714c0a6b6d4a5433639a9a1f53ebdb
-  data.tar.gz: 9786e48162d45e3a07020d268dc8dd9cbab7a2d5dd2bcc290a5ac47121f27bd4d0601fe75054d009773a95bf644390546aeaaf8b8425f5735a7eb06c02cdc2cb
+  metadata.gz: 5fd20605f8b1dc5474b94402140baba09d08a5d59429269ebb37bc4bd5b63742088a24ed0c2ccbf6b7cb127c631fb5522b85636735a1a6b28f94853ed97b90e5
+  data.tar.gz: 3c4f8c5f8f5732e727cf116a341d04f09e519e8e1aa13df8b94e72f3dfd532a6155a1cfa7c4af0de44ceebce271ca4e28a1e5b129008994a992362fb14de44ea

data/Changelog.md CHANGED Viewed

@@ -1,3 +1,8 @@
+Version 2.0.1 (2013-03-08)
+- Added mass assignment security by protecting all regular attributes
 Version 2.0.0 (2013-03-07)
 - Complete rewrite

data/README.md CHANGED Viewed

@@ -1,6 +1,6 @@
 # Settings for Rails 3
-[![Build Status](https://secure.travis-ci.org/ledermann/rails-settings.png)](http://travis-ci.org/ledermann/rails-settings)
+[![Build Status](https://travis-ci.org/ledermann/rails-settings.png?branch=master)](https://travis-ci.org/ledermann/rails-settings)
 [![Code Climate](https://codeclimate.com/github/ledermann/rails-settings.png)](https://codeclimate.com/github/ledermann/rails-settings)
 Ruby gem to handle settings for ActiveRecord objects by storing them as serialized Hash in a separate database table. Optional: Defaults and Namespaces.

data/lib/rails-settings.rb CHANGED Viewed

@@ -7,8 +7,8 @@ ActiveRecord::Base.class_eval do
   def self.has_settings(*args, &block)
     RailsSettings::Configuration.new(*args.unshift(self), &block)
-    include RailsSettings::Base   unless self.include?(RailsSettings::Base)
-    include RailsSettings::Scopes unless self.include?(RailsSettings::Scopes)
+    include RailsSettings::Base
+    extend RailsSettings::Scopes
   end
 end

data/lib/rails-settings/base.rb CHANGED Viewed

@@ -12,7 +12,7 @@ module RailsSettings
           raise ArgumentError unless var.is_a?(Symbol)
           raise ArgumentError.new("Unknown key: #{var}") unless self.class.default_settings[var]
-          setting_objects.detect { |s| s.var == var.to_s } || setting_objects.build(:var => var.to_s)
+          setting_objects.detect { |s| s.var == var.to_s } || setting_objects.build({ :var => var.to_s }, :without_protection => true)
         end
         def settings=(value)

data/lib/rails-settings/scopes.rb CHANGED Viewed

@@ -1,33 +1,29 @@
 module RailsSettings
   module Scopes
-    def self.included(base)
-      base.class_eval do
-        scope :with_settings, lambda {
-          joins("INNER JOIN settings ON #{settings_join_condition}").
-          uniq
-        }
+    def with_settings
+      joins("INNER JOIN settings ON #{settings_join_condition}").
+      uniq
+    end
-        scope :with_settings_for, lambda { |var|
-          raise ArgumentError unless var.is_a?(Symbol)
-          joins("INNER JOIN settings ON #{settings_join_condition} AND settings.var = '#{var}'")
-        }
+    def with_settings_for(var)
+      raise ArgumentError.new('Symbol expected!') unless var.is_a?(Symbol)
+      joins("INNER JOIN settings ON #{settings_join_condition} AND settings.var = '#{var}'")
+    end
-        scope :without_settings, lambda {
-          joins("LEFT JOIN settings ON #{settings_join_condition}").
-          where('settings.id IS NULL')
-        }
+    def without_settings
+      joins("LEFT JOIN settings ON #{settings_join_condition}").
+      where('settings.id IS NULL')
+    end
-        scope :without_settings_for, lambda { |var|
-          raise ArgumentError unless var.is_a?(Symbol)
-          joins("LEFT JOIN settings ON  #{settings_join_condition} AND settings.var = '#{var}'").
-          where('settings.id IS NULL')
-        }
+    def without_settings_for(var)
+      raise ArgumentError.new('Symbol expected!') unless var.is_a?(Symbol)
+      joins("LEFT JOIN settings ON  #{settings_join_condition} AND settings.var = '#{var}'").
+      where('settings.id IS NULL')
+    end
-        def self.settings_join_condition
-          "settings.target_id   = #{table_name}.#{primary_key} AND
-           settings.target_type = '#{base_class.name}'"
-        end
-      end
+    def settings_join_condition
+      "settings.target_id   = #{table_name}.#{primary_key} AND
+       settings.target_type = '#{base_class.name}'"
     end
   end
 end

data/lib/rails-settings/setting_object.rb CHANGED Viewed

@@ -13,6 +13,10 @@ module RailsSettings
     serialize :value, Hash
+    # attr_protected can not be here used because it touches the database which is not connected yet.
+    # So allow no attributes and override <tt>#sanitize_for_mass_assignment</tt>
+    attr_accessible
     REGEX_SETTER = /\A([a-z]\w+)=\Z/i
     REGEX_GETTER = /\A([a-z]\w+)\Z/i
@@ -34,6 +38,12 @@ module RailsSettings
       end
     end
+  protected
+    # Simulate attr_protected by removing all regular attributes
+    def sanitize_for_mass_assignment(attributes, role = nil)
+      attributes.except('id', 'var', 'value', 'target_id', 'target_type', 'created_at', 'updated_at')
+    end
   private
     def _get_value(name)
       value[name] || _target_class.default_settings[var.to_sym][name]

data/lib/rails-settings/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module RailsSettings
-  VERSION = '2.0.0'
+  VERSION = '2.0.1'
 end

data/spec/setting_object_spec.rb CHANGED Viewed

@@ -2,8 +2,8 @@ require 'spec_helper'
 describe RailsSettings::SettingObject do
   let(:user) { User.create! :name => 'Mr. Pink' }
-  let(:new_setting_object) { user.setting_objects.build :var => 'dashboard' }
-  let(:saved_setting_object) { user.setting_objects.create! :var => 'dashboard', :value => { 'theme' => 'pink', 'filter' => true } }
+  let(:new_setting_object) { user.setting_objects.build({ :var => 'dashboard'}, :without_protection => true) }
+  let(:saved_setting_object) { user.setting_objects.create!({ :var => 'dashboard', :value => { 'theme' => 'pink', 'filter' => true}}, :without_protection => true) }
   describe "Getter and Setter" do
     context "on unsaved settings" do
@@ -92,6 +92,13 @@ describe RailsSettings::SettingObject do
     it 'should not save blank hash' do
       new_setting_object.update_attributes({}).should be_false
     end
+    it 'should not allow changing protected attributes' do
+      new_setting_object.update_attributes!(:var => 'calendar', :foo => 42)
+      new_setting_object.var.should eq('dashboard')
+      new_setting_object.foo.should eq(42)
+    end
   end
   describe "save" do

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ledermann-rails-settings
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 2.0.1
 platform: ruby
 authors:
 - Georg Ledermann
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-03-07 00:00:00.000000000 Z
+date: 2013-03-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activerecord