mass_assignment_backport 0.1.0

data/README.markdown

@@ -0,0 +1,33 @@
+# MassAssignmentBackport
+
+This is a simple mass-assignment security module loosely based on
+[ActiveModel::MassAssignmentSecurity][1]. It attempts to steal the good ideas
+and some of the API while being compatible with Rails 2.3-based applications.
+
+Only attr_accessible is implemented, because attr_protected is just a bad
+ActiveRecord API that hung around for some reason, and we don't want it
+stinking up the place.
+
+# Rationale
+
+There are two things I've never liked about ActiveRecord's attr_* API:
+
+It's model-level when the resources I am trying to protect are controller-level.
+This actually gets in our way when we're just trying to test/manipulate our own
+models outside of a controller context, making it harder to work with
+our own data for no good reason. I feel this phenomenon could have the effect of
+discouraging developers from using it.
+
+Another problem with ActiveRecord is that is provides attr_protected.
+Blacklisting instead of whitelisting is just a bad idea, and I see no reason
+to allow/support it when security is the primary goal.
+
+This small package attempts to address both of those issues with a module that
+borrows/steals the excellent ActiveModel API for the same purpose.
+
+# Author
+
+Zack Hobson (zack@zackhobson.com)
+
+[1]: http://api.rubyonrails.org/classes/ActiveModel/MassAssignmentSecurity.html
+

data/Rakefile

@@ -0,0 +1,3 @@
+task :test do
+  sh 'ruby -Ilib test/*_test.rb'
+end

data/lib/mass_assignment_backport.rb

@@ -0,0 +1,36 @@
+module MassAssignmentBackport
+  VERSION = "0.1.0"
+
+  def self.included(mod)
+    mod.extend ClassMethods
+  end
+
+  module ClassMethods
+    attr_accessor :_accessible_attributes
+
+    def attr_accessible *args
+      options = args.last.kind_of?(Hash) ? args.pop : {}
+      role = options[:as] || :default
+      self._accessible_attributes ||= {}
+      [role].flatten.each do |name|
+        self._accessible_attributes[name] = accessible_attributes(name) + args
+      end
+    end
+
+    def accessible_attributes role=:default
+      _accessible_attributes[role] || []
+    end
+  end
+
+  def sanitize_for_mass_assignment values, role=:default
+    {}.tap do |result|
+      values.each do |k, v|
+        if self.class._accessible_attributes[role].include?(k.to_sym)
+          yield k, v if block_given?
+          result[k] = v
+        end
+      end
+    end
+  end
+end
+

data/mass_assignment_backport.gemspec

@@ -0,0 +1,16 @@
+$:.unshift File.expand_path("./lib")
+require 'mass_assignment_backport'
+
+Gem::Specification.new do |s|
+  s.name = "mass_assignment_backport"
+  s.version = MassAssignmentBackport::VERSION
+  s.summary = 'Simple API for sanitizing hashes by input key'
+  s.description = <<-EOD
+    This is a simple mass-assignment security module loosely based on
+    ActiveModel::MassAssignmentSecurity. It attempts to steal the good ideas
+    and some of the API while being compatible with Rails 2.3-based applications.
+  EOD
+  s.authors = ['Zack Hobson']
+  s.files = `git ls-files`.split("\n")
+  s.test_files = `git ls-files -- test/*`.split("\n")
+end

data/test/mass_assignment_test.rb

@@ -0,0 +1,30 @@
+require 'mass_assignment_backport'
+require 'minitest/autorun'
+
+class MassAssignmentTest < MiniTest::Unit::TestCase
+
+  class AccessibleTaco
+    include MassAssignmentBackport
+    attr_accessible :topping
+    attr_accessible :price, :topping, as: :manager
+  end
+
+  def test_accessible_default
+    t = AccessibleTaco.new
+    params = { topping: 'salsa', price: 123, extra: 'foo' }
+    default = t.sanitize_for_mass_assignment params
+    assert default.has_key?(:topping), "default gets accessible key"
+    assert !default.has_key?(:price),  "default does not get inaccessible key"
+    assert !default.has_key?(:extra),  "default does not get extra key"
+  end
+
+  def test_accessible_role
+    t = AccessibleTaco.new
+    params = { topping: 'salsa', price: 123, extra: 'foo' }
+    manager = t.sanitize_for_mass_assignment params, :manager
+    assert manager.has_key?(:topping), "role gets accessible key"
+    assert manager.has_key?(:price),   "role gets second accessible key"
+    assert !manager.has_key?(:extra),  "role does not get extra key"
+  end
+
+end

metadata

@@ -0,0 +1,52 @@
+--- !ruby/object:Gem::Specification
+name: mass_assignment_backport
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+  prerelease: 
+platform: ruby
+authors:
+- Zack Hobson
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-03-06 00:00:00.000000000Z
+dependencies: []
+description: ! "    This is a simple mass-assignment security module loosely based
+  on\n    ActiveModel::MassAssignmentSecurity. It attempts to steal the good ideas\n
+  \   and some of the API while being compatible with Rails 2.3-based applications.\n"
+email: 
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- README.markdown
+- Rakefile
+- lib/mass_assignment_backport.rb
+- mass_assignment_backport.gemspec
+- test/mass_assignment_test.rb
+homepage: 
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.10
+signing_key: 
+specification_version: 3
+summary: Simple API for sanitizing hashes by input key
+test_files:
+- test/mass_assignment_test.rb