lotus-controller 0.4.3 → 0.4.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 0b4c85e67bcae87918653c05af57ec2961d41900
-  data.tar.gz: e2fb00ab919ee2fbfda7de1785bd9ff38e75df9b
+  metadata.gz: b692a62b7c7775da832e5f7367ef67c50a279e1f
+  data.tar.gz: f24b0ee003fb32a6f063d2e243c1e6eed2c68e83
 SHA512:
-  metadata.gz: 18b96f037a068a7a653579991b853c586eb2b39687bde6236832c03973007adfb8f4c33966cd69511f7b498e52ee0b0f6ce5e7715c0de8ce9d4d30729cec0553
-  data.tar.gz: 18753964833666f3cca7a8091bb35425960a18fce40ce0c876c705ac57797a4ae46d360e591b4475e369047aea688a00d93adacdfb616fa2cbf165f6d5c0fe61
+  metadata.gz: 381a491ce463d8051437e9f186b0181141a135d2eed5d259b0ba54f7abb1cb9f28672ebe7e71553ba553be5ce40982955a60699c38f4510ae07376a99c189eb9
+  data.tar.gz: 4d23ef2177b9dac081083d51c1bdf2a01b6b6620a752167612e4b7e20bcbb59200592c18d46d981892298d5c7a776590b92d0840b78a8301eb92a56e95d21614

data/CHANGELOG.md

@@ -1,6 +1,13 @@
 # Lotus::Controller
 Complete, fast and testable actions for Rack
 
+## v0.4.4 - 2015-06-23
+### Added
+- [Luca Guidi] Security protection against Cross Site Request Forgery (CSRF).
+
+### Fixed
+- [Matthew Bellantoni] Ensure nested params to be correctly coerced to Hash.
+
 ## v0.4.3 - 2015-05-22
 ### Added
 - [Alfonso Uceda Pompa & Luca Guidi] Introduced `Lotus::Action#send_file`

data/lib/lotus/action/params.rb

@@ -26,6 +26,20 @@ module Lotus
       # @since 0.1.0
       ROUTER_PARAMS = 'router.params'.freeze
 
+      # CSRF params key
+      #
+      # This key is shared with <tt>lotusrb</tt> and <tt>lotus-helpers</tt>
+      #
+      # @since 0.4.4
+      # @api private
+      CSRF_TOKEN = '_csrf_token'.freeze
+
+      # Set of params that are never filtered
+      #
+      # @since 0.4.4
+      # @api private
+      DEFAULT_PARAMS = Hash[CSRF_TOKEN => true].freeze
+
       # Separator for #get
       #
       # @since 0.4.0
@@ -105,7 +119,11 @@ module Lotus
       # @since 0.3.2
       # @api private
       def self.build_validation_class(&block)
-        kls = Class.new(Params)
+        kls = Class.new(Params) do
+          def lotus_nested_attributes?
+            true
+          end
+        end
         kls.class_eval(&block)
         kls
       end
@@ -201,6 +219,18 @@ module Lotus
       end
       alias_method :to_hash, :to_h
 
+      # Assign CSRF Token.
+      # This method is here for compatibility with <tt>Lotus::Validations</tt>.
+      #
+      # NOTE: When we will not support indifferent access anymore, we can probably
+      # remove this method.
+      #
+      # @since 0.4.4
+      # @api private
+      def _csrf_token=(value)
+        @attributes.set(CSRF_TOKEN, value)
+      end
+
       private
       # @since 0.3.1
       # @api private
@@ -236,12 +266,20 @@ module Lotus
       def _whitelisted_params
         {}.tap do |result|
           _raw.to_h.each do |k, v|
-            next unless self.class.defined_attributes.include?(k.to_s)
+            next unless assign_attribute?(k)
 
             result[k] = v
           end
         end
       end
+
+      # Override <tt>Lotus::Validations</tt> method
+      #
+      # @since 0.4.4
+      # @api private
+      def assign_attribute?(key)
+        DEFAULT_PARAMS[key.to_s] || super
+      end
     end
   end
 end

data/lib/lotus/action/rack.rb

@@ -255,7 +255,15 @@ module Lotus
       #
       # @since 0.3.2
       def head?
-        @_env[REQUEST_METHOD] == HEAD
+        request_method == HEAD
+      end
+
+      # NOTE: <tt>Lotus::Action::CSRFProtection</tt> (<tt>lotusrb</tt> gem) depends on this.
+      #
+      # @api private
+      # @since 0.4.4
+      def request_method
+        @_env[REQUEST_METHOD]
       end
     end
   end

data/lib/lotus/action/session.rb

@@ -20,6 +20,16 @@ module Lotus
       # @api private
       ERRORS_KEY  = :__errors
 
+      # Add session to default exposures
+      #
+      # @since 0.4.4
+      # @api private
+      def self.included(action)
+        action.class_eval do
+          expose :session
+        end
+      end
+
       protected
 
       # Gets the session from the request and expose it as an Hash.

data/lib/lotus/controller/version.rb

@@ -3,6 +3,6 @@ module Lotus
     # Defines the version
     #
     # @since 0.1.0
-    VERSION = '0.4.3'.freeze
+    VERSION = '0.4.4'.freeze
   end
 end

data/lotus-controller.gemspec

@@ -20,7 +20,7 @@ Gem::Specification.new do |spec|
   spec.required_ruby_version = '>= 2.0.0'
 
   spec.add_dependency 'rack',              '~> 1.5'
-  spec.add_dependency 'lotus-utils',       '~> 0.4', '>= 0.4.2'
+  spec.add_dependency 'lotus-utils',       '~> 0.5'
   spec.add_dependency 'lotus-validations', '~> 0.3'
 
   spec.add_development_dependency 'bundler',   '~> 1.6'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: lotus-controller
 version: !ruby/object:Gem::Version
-  version: 0.4.3
+  version: 0.4.4
 platform: ruby
 authors:
 - Luca Guidi
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-05-22 00:00:00.000000000 Z
+date: 2015-06-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -31,20 +31,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.4'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 0.4.2
+        version: '0.5'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.4'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 0.4.2
+        version: '0.5'
 - !ruby/object:Gem::Dependency
   name: lotus-validations
   requirement: !ruby/object:Gem::Requirement
@@ -177,7 +171,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.5
+rubygems_version: 2.4.8
 signing_key: 
 specification_version: 4
 summary: Complete, fast and testable actions for Rack and Lotus