mass_assignment_backport 0.1.0
- data/README.markdown +33 -0
- data/Rakefile +3 -0
- data/lib/mass_assignment_backport.rb +36 -0
- data/mass_assignment_backport.gemspec +16 -0
- data/test/mass_assignment_test.rb +30 -0
- metadata +52 -0
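--- a/data/README.markdown
+++ b/data/README.markdown
@@ -0,0 +1,33 @@
+# MassAssignmentBackport
+
+This is a simple mass-assignment security module loosely based on
+[ActiveModel::MassAssignmentSecurity][1]. It attempts to steal the good ideas
+and some of the API while being compatible with Rails 2.3-based applications.
+
+Only attr_accessible is implemented, because attr_protected is just a bad
+ActiveRecord API that hung around for some reason, and we don't want it
+stinking up the place.
+
+# Rationale
+
+There are two things I've never liked about ActiveRecord's attr_* API:
+
+It's model-level when the resources I am trying to protect are controller-level.
+This actually gets in our way when we're just trying to test/manipulate our own
+models outside of a controller context, making it harder to work with
+our own data for no good reason. I feel this phenomenon could have the effect of
+discouraging developers from using it.
+
+Another problem with ActiveRecord is that is provides attr_protected.
+Blacklisting instead of whitelisting is just a bad idea, and I see no reason
+to allow/support it when security is the primary goal.
+
+This small package attempts to address both of those issues with a module that
+borrows/steals the excellent ActiveModel API for the same purpose.
+
+# Author
+
+Zack Hobson (zack@zackhobson.com)
+
+[1]: http://api.rubyonrails.org/classes/ActiveModel/MassAssignmentSecurity.html
+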
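--- a/data/lib/mass_assignment_backport.rb
+++ b/data/lib/mass_assignment_backport.rb
@@ -0,0 +1,36 @@
+module MassAssignmentBackport
+  VERSION = "0.1.0"
+
+  def self.included(mod)
+    mod.extend ClassMethods
+  end
+
+  module ClassMethods
+    attr_accessor :_accessible_attributes
+
+    def attr_accessible *args
+      options = args.last.kind_of?(Hash) ? args.pop : {}
+      role = options[:as] || :default
+      self._accessible_attributes ||= {}
+      [role].flatten.each do |name|
+        self._accessible_attributes[name] = accessible_attributes(name) + args
+      end
+    end
+
+    def accessible_attributes role=:default
+      _accessible_attributes[role] || []
+    end
+  end
+
+  def sanitize_for_mass_assignment values, role=:default
+    {}.tap do |result|
+      values.each do |k, v|
+        if self.class._accessible_attributes[role].include?(k.to_sym)
+          yield k, v if block_given?
+          result[k] = v
+        end
+      end
+    end
+  end
+end
+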
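Review bot: `sanitize_for_mass_assignment` indexes `self.class._accessible_attributes[role]` directly, so a role that was never declared with `attr_accessible` (or a class that never called it at all) raises NoMethodError on nil instead of rejecting every key, even though the sibling `accessible_attributes` already returns `[]` for that case. It also calls `k.to_sym` on every incoming key; on Ruby before 2.2, which is what a Rails 2.3 application typically runs, symbols are never garbage-collected, so attacker-chosen parameter names grow the symbol table without bound. Both are addressed by routing the lookup through `accessible_attributes`, comparing as strings, and making `accessible_attributes` tolerate an unset hash, as below. (The section header reads `data/Rakefile`, but the 36 added lines match the diffstat entry for `lib/mass_assignment_backport.rb`, so they are reviewed as that file.)
```ruby
    def accessible_attributes role=:default
      # Unknown role, or no attr_accessible call yet: allow nothing.
      (_accessible_attributes || {})[role] || []
    end
  # … unchanged: end of ClassMethods …
  def sanitize_for_mass_assignment values, role=:default
    # Compare as strings so untrusted keys are never interned as symbols.
    allowed = self.class.accessible_attributes(role).map { |a| a.to_s }
    {}.tap do |result|
      values.each do |k, v|
        next unless allowed.include?(k.to_s)
        yield k, v if block_given?
        result[k] = v
      end
    end
  end
```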
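--- a/data/mass_assignment_backport.gemspec
+++ b/data/mass_assignment_backport.gemspec
@@ -0,0 +1,16 @@
+$:.unshift File.expand_path("./lib")
+require 'mass_assignment_backport'
+
+Gem::Specification.new do |s|
+  s.name = "mass_assignment_backport"
+  s.version = MassAssignmentBackport::VERSION
+  s.summary = 'Simple API for sanitizing hashes by input key'
+  s.description = <<-EOD
+  This is a simple mass-assignment security module loosely based on
+  ActiveModel::MassAssignmentSecurity. It attempts to steal the good ideas
+  and some of the API while being compatible with Rails 2.3-based applications.
+  EOD
+  s.authors = ['Zack Hobson']
+  s.files = `git ls-files`.split("\n")
+  s.test_files = `git ls-files -- test/*`.split("\n")
+end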
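Review bot: `$:.unshift File.expand_path("./lib")` resolves `lib` against the process's working directory rather than the gemspec's own location, so `gem build` or any tool that loads the spec from another directory fails on the `require 'mass_assignment_backport'` that follows; `$:.unshift File.expand_path("../lib", __FILE__)` is the usual anchor. The spec also sets no `s.license`, so the published metadata carries `licenses: []` and downstream license audits will flag the gem; a one-line `s.license = '<chosen license>'` alongside `s.authors` resolves that once a license is chosen.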
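--- a/data/test/mass_assignment_test.rb
+++ b/data/test/mass_assignment_test.rb
@@ -0,0 +1,30 @@
+require 'mass_assignment_backport'
+require 'minitest/autorun'
+
+class MassAssignmentTest < MiniTest::Unit::TestCase
+
+  class AccessibleTaco
+    include MassAssignmentBackport
+    attr_accessible :topping
+    attr_accessible :price, :topping, as: :manager
+  end
+
+  def test_accessible_default
+    t = AccessibleTaco.new
+    params = { topping: 'salsa', price: 123, extra: 'foo' }
+    default = t.sanitize_for_mass_assignment params
+    assert default.has_key?(:topping), "default gets accessible key"
+    assert !default.has_key?(:price), "default does not get inaccessible key"
+    assert !default.has_key?(:extra), "default does not get extra key"
+  end
+
+  def test_accessible_role
+    t = AccessibleTaco.new
+    params = { topping: 'salsa', price: 123, extra: 'foo' }
+    manager = t.sanitize_for_mass_assignment params, :manager
+    assert manager.has_key?(:topping), "role gets accessible key"
+    assert manager.has_key?(:price), "role gets second accessible key"
+    assert !manager.has_key?(:extra), "role does not get extra key"
+  end
+
+end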
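Review bot: Neither test exercises the inputs the module will see from a Rails 2.3 controller: the request `params` hash yields string keys, and a call can arrive under a role that has no `attr_accessible` declaration. Adding `assert_equal ['topping'], t.sanitize_for_mass_assignment('topping' => 'x', 'extra' => 'y').keys` and `assert_equal({}, t.sanitize_for_mass_assignment({ topping: 'x' }, :nobody))` would pin both behaviours. The second assertion currently fails with NoMethodError rather than returning an empty hash, which is the fail-closed result a sanitizer should give, so it also documents a fix the library still needs.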
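--- a/metadata
+++ b/metadata
@@ -0,0 +1,52 @@
+--- !ruby/object:Gem::Specification
+name: mass_assignment_backport
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+prerelease:
+platform: ruby
+authors:
+- Zack Hobson
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2012-03-06 00:00:00.000000000Z
+dependencies: []
+description: ! " This is a simple mass-assignment security module loosely based
+  on\n ActiveModel::MassAssignmentSecurity. It attempts to steal the good ideas\n
+  \ and some of the API while being compatible with Rails 2.3-based applications.\n"
+email:
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- README.markdown
+- Rakefile
+- lib/mass_assignment_backport.rb
+- mass_assignment_backport.gemspec
+- test/mass_assignment_test.rb
+homepage:
+licenses: []
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 1.8.10
+signing_key:
+specification_version: 3
+summary: Simple API for sanitizing hashes by input key
+test_files:
+- test/mass_assignment_test.rb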