merb-param-protection 1.1.0 → 1.1.1

data/Rakefile

@@ -1,45 +1,9 @@
 require 'rubygems'
 require 'rake'
 
-# Assume a typical dev checkout to fetch the current merb-core version
-require File.expand_path('../../merb-core/lib/merb-core/version', __FILE__)
-
 # Load this library's version information
 require File.expand_path('../lib/merb-param-protection/version', __FILE__)
 
-begin
-
-  gem 'jeweler', '~> 1.4'
-  require 'jeweler'
-
-  Jeweler::Tasks.new do |gemspec|
-
-    gemspec.version     = Merb::ParamProtection::VERSION.dup
-
-    gemspec.name        = "merb-param-protection"
-    gemspec.description = "Merb plugin that helps protecting sensible parameters"
-    gemspec.summary     = "Merb plugin that provides params_accessible and params_protected class methods"
-
-    gemspec.authors     = [ "Lance Carlson" ]
-    gemspec.email       = "lancecarlson@gmail.com"
-    gemspec.homepage    = "http://merbivore.com/"
-
-    gemspec.files       = %w(LICENSE Rakefile README TODO) + Dir['{lib,spec}/**/*']
-
-    # Runtime dependencies
-    gemspec.add_dependency 'merb-core', "~> #{Merb::VERSION}"
-
-    # Development dependencies
-    gemspec.add_development_dependency 'rspec', '>= 1.2.9'
-
-  end
-
-  Jeweler::GemcutterTasks.new
-
-rescue LoadError
-  puts "Jeweler (or a dependency) not available. Install it with: gem install jeweler"
-end
-
 require 'spec/rake/spectask'
 Spec::Rake::SpecTask.new(:spec) do |spec|
   spec.spec_opts << '--options' << 'spec/spec.opts' if File.exists?('spec/spec.opts')

data/lib/merb-param-protection.rb

@@ -1,37 +1,5 @@
 require "merb-core"
 
-# This plugin exposes two new controller methods which allow us to simply and flexibly filter the parameters available within the controller.
-
-# Setup:
-# The request sets:
-# params => { :post => { :title => "ello", :body => "Want it", :status => "green", :author_id => 3, :rank => 4 } }
-#
-# Example 1: params_accessable
-# MyController < Application
-#   params_accessible :post => [:title, :body]
-# end
-
-# params.inspect # => { :post => { :title => "ello", :body => "Want it" } }
-
-# So we see that params_accessible removes everything except what is explictly specified.
-
-# Example 2: params_protected
-# MyOtherController < Application
-#   params_protected :post => [:status, :author_id]
-# end
-
-# params.inspect # => { :post => { :title => "ello", :body => "Want it", :rank => 4 } }
-
-# We also see that params_protected removes ONLY those parameters explicitly specified.
-
-
-# Merb gives you a Merb::Plugins.config hash...feel free to put your stuff in your piece of it
-#Merb::Plugins.config[:merb_param_protection] = {
-  #:chickens => false
-#}
-
-#Merb::Plugins.add_rakefiles "merb_param_protection/merbtasks"
-
 module Merb
   module ParamsFilter
     module ControllerMixin
@@ -49,30 +17,66 @@ module Merb
       end
 
       module ClassMethods
+        
         # Ensures these parameters are sent for the object
         #
-        #   params_accessible :post => [:title, :body]
+        # ==== Parameters
+        # args:: Params that will be filtered
         #
+        # ==== Example
+        #   # The request sets:
+        #   params => { :post => { :title => "ello", :body => "Want it", :status => "green", :author_id => 3, :rank => 4 } }
+        # 
+        #   MyController < Application
+        #     params_accessible :post => [:title, :body]
+        #   end
+        # 
+        #   params.inspect # => { :post => { :title => "ello", :body => "Want it" } }
+        #
+        # So we see that params_accessible removes everything except what is explictly specified.
+        #
+        # :api: public
         def params_accessible(args = {})
           assign_filtered_params(:accessible_params_args, args)
         end
 
         # Protects parameters of an object
         #
-        #   params_protected :post => [:status, :author_id]
+        # ==== Parameters
+        # args:: Params that will be filtered
+        #
+        # ==== Example
+        #   # The request sets:
+        #   params => { :post => { :title => "ello", :body => "Want it", :status => "green", :author_id => 3, :rank => 4 } }
+        #
+        #   MyController < Application
+        #     params_protected :post => [:status, :author_id]
+        #   end
+        #
+        #   params.inspect # => { :post => { :title => "ello", :body => "Want it", :rank => 4 } }
         #
+        # So we see that params_protected removes ONLY those parameters explicitly specified.
+        #
+        # :api: public
         def params_protected(args = {})
           assign_filtered_params(:protected_params_args, args)
         end
 
         # Filters parameters out from the default log string
-        #  Params will still be passed to the controller properly, they will
-        #  show up as [FILTERED] in the merb logs.
         #
-        # log_params_filtered :password, 'token'
+        # Params will still be passed to the controller properly, they will
+        # show up as [FILTERED] in the merb logs.
+        #
+        # ==== Parameters
+        # args:: Params that will be filtered
         #
+        # ==== Example
+        #   log_params_filtered :password, 'token'
+        #
+        # :api: public
         def log_params_filtered(*args)
-          self.log_params_args = args.collect { |arg| arg.to_sym }
+          self.log_params_args ||= []
+          self.log_params_args += args.collect { |arg| arg.to_s }
         end
 
         private
@@ -121,7 +125,6 @@ module Merb
           end
         end
       end
-
     end
 
     module RequestMixin
@@ -129,8 +132,14 @@ module Merb
 
       # Removes specified parameters of an object
       #
+      # ==== Parameters
+      # obj<Symbol>:: Params key
+      # attrs<Array>:: Attributes to restrict
+      # 
+      # ==== Example
       #   remove_params_from_object(:post, [:status, :author_id])
       #
+      # :api: plugin
       def remove_params_from_object(obj, attrs = [])
         unless params[obj].nil?
           filtered = params
@@ -141,8 +150,14 @@ module Merb
 
       # Restricts parameters of an object
       #
+      # ==== Parameters
+      # obj<Symbol>:: Params key
+      # attrs<Array>:: Attributes to restrict
+      # 
+      # ==== Example
       #   restrict_params(:post, [:title, :body])
       #
+      # :api: plugin
       def restrict_params(obj, attrs = [])
         # Make sure the params for the object exists
         unless params[obj].nil?
@@ -168,11 +183,12 @@ Merb::Controller.send(:include, Merb::ParamsFilter::ControllerMixin)
 Merb::Request.send(:include, Merb::ParamsFilter::RequestMixin)
 
 class Merb::Controller
+  # Filters parameters so they are not showed in logs
   def self._filter_params(params)
     return params if self.log_params_args.nil?
     result = { }
     params.each do |k,v|
-      result[k] = (self.log_params_args.include?(k.to_sym) ? '[FILTERED]' : v)
+      result[k] = (self.log_params_args.include?(k.to_s) ? '[FILTERED]' : v)
     end
     result
   end

data/lib/merb-param-protection/version.rb

@@ -1,5 +1,5 @@
 module Merb
   module ParamProtection
-    VERSION = '1.1.0'.freeze
+    VERSION = '1.1.1'.freeze
   end
 end

data/spec/controllers/param_protection.rb

@@ -0,0 +1,20 @@
+class LogParamsFiltered < Merb::Controller
+  log_params_filtered :password, :password_confirmation
+  log_params_filtered :card_number
+  # log_params_filtered :user => [:age]
+  
+  def index
+    params
+  end
+end
+
+class ParamsAccessibleController < Merb::Controller
+  params_accessible :customer => [:name, :phone, :email], :address => [:street, :zip]
+  params_accessible :post => [:title, :body]
+  def create; end
+end
+
+class ParamsProtectedController < Merb::Controller
+  params_protected :customer => [:activated?, :password], :address => [:long, :lat]
+  def create; end
+end

data/spec/merb_param_protection_spec.rb

@@ -1,88 +1,83 @@
 require 'spec_helper'
 
 describe "merb-param-protection" do
-  describe "Controller", "parameter filtering" do
-    describe "accessible parameters" do
-      class ParamsAccessibleController < Merb::Controller
-        params_accessible :customer => [:name, :phone, :email], :address => [:street, :zip]
-        params_accessible :post => [:title, :body]
-        def create; end
-      end
-
-      class ParamsProtectedController < Merb::Controller
-        params_protected :customer => [:activated?, :password], :address => [:long, :lat]
-        def update; end
-      end
-
-
-      it "should store the accessible parameters for that controller" do
-        pending
-        @params_accessible_controller = ParamsAccessibleController.new( fake_request )
-        @params_accessible_controller.stub!(:initialize_params_filter)
-
-        # FIXME : this call to dispatch is where I break
-        @params_accessible_controller.dispatch('create')
-        @params_accessible_controller.accessible_params_args.should == {
-          :address=> [:street, :zip], :post=> [:title, :body], :customer=> [:name, :phone, :email]
-        }
-      end
-
-      it "should remove the parameters from the request that are not accessible" do
-        pending
-        @params_accessible_controller = ParamsAccessibleController.new( fake_request )
-        # FIXME : this call to dispatch is where I break
-        @params_accessible_controller.dispatch('create')
-      end
+  describe "Controller" do
+    it "should store the accessible parameters for that controller" do
+      dispatch_to(ParamsAccessibleController, :create).send(:accessible_params_args).should == {
+        :address=> [:street, :zip], :post=> [:title, :body], :customer=> [:name, :phone, :email]
+      }
     end
-
-    describe "protected parameters" do
-      before(:each) do
-        pending
-        @params_protected_controller = ParamsProtectedController.new( fake_request )
-        # FIXME : this call to dispatch is where I break
-        #@params_protected_controller.dispatch('update')
-      end
-
-      it "should store the protected parameters for that controller" do
-        @params_protected_controller.protected_params_args.should == {
-          :address=> [:long, :lat], :customer=> [:activated?, :password]
-        }
-      end
+      
+    it "should store the protected parameters for that controller" do
+      dispatch_to(ParamsProtectedController, :create).send(:protected_params_args).should == {
+        :address=> [:long, :lat], :customer=> [:activated?, :password]
+      }
     end
 
-    describe "param clash prevention" do
-      it "should raise an error 'cannot make accessible'" do
-        lambda {
-          class TestAccessibleController < Merb::Controller
-            params_protected :customer => [:password]
-            params_accessible :customer => [:name, :phone, :email]
-            def index; end
-          end
-        }.should raise_error(/Cannot make accessible a controller \(.*?TestAccessibleController\) that is already protected/)
-	# TODO "#<Class:0xa9c598c>::TestProtectedController" is generated in ruby 1.9
-      end
-
-      it "should raise an error 'cannot protect'" do
-        lambda {
-          class TestProtectedController < Merb::Controller
-            params_accessible :customer => [:name, :phone, :email]
-            params_protected :customer => [:password]
-            def index; end
-          end
-        }.should raise_error(/Cannot protect controller \(.*?TestProtectedController\) that is already accessible/)
-        # TODO "#<Class:0x92bfbd4>::TestProtectedController" is generated in ruby 1.9
-      end
+    it "should remove the parameters from the request that are not accessible" do
+      c = dispatch_to(ParamsAccessibleController, :create,
+        :customer => {:name => "teamon", :phone => "123456789", :email => "my@mail", :activated? => "yes", :password => "secret"}, 
+        :address => {:street => "Merb Street 4", :zip => "98765", :long => "Meeeeerrrrrrbbbb sooo looong", :lat => "123"},
+        :post => {:title => "First port", :body => "Some long lorem ipsum stuff", :date => "today"}
+      )
+      c.params[:customer][:name].should == "teamon"
+      c.params[:customer][:phone].should == "123456789"
+      c.params[:customer][:email].should == "my@mail"
+      c.params[:customer].should_not have_key(:activated?)
+      c.params[:customer].should_not have_key(:password)
+      c.params[:address][:street].should == "Merb Street 4"
+      c.params[:address][:zip].should == "98765"
+      c.params[:address].should_not have_key(:long)
+      c.params[:address].should_not have_key(:lat)
+      c.params[:post][:title].should == "First port"
+      c.params[:post][:body].should == "Some long lorem ipsum stuff"
+      c.params[:post].should_not have_key(:date)
+    end
+    
+    it "should remove the parameters from the request that are protected" do
+      c = dispatch_to(ParamsProtectedController, :create,
+        :customer => {:name => "teamon", :phone => "123456789", :email => "my@mail", :activated? => "yes", :password => "secret"}, 
+        :address => {:street => "Merb Street 4", :zip => "98765", :long => "Meeeeerrrrrrbbbb sooo looong", :lat => "123"},
+        :post => {:title => "First port", :body => "Some long lorem ipsum stuff", :date => "today"}
+      )
+      c.params[:customer][:name].should == "teamon"
+      c.params[:customer][:phone].should == "123456789"
+      c.params[:customer][:email].should == "my@mail"
+      c.params[:customer].should_not have_key(:activated?)
+      c.params[:customer].should_not have_key(:password)
+      c.params[:address][:street].should == "Merb Street 4"
+      c.params[:address][:zip].should == "98765"
+      c.params[:address].should_not have_key(:long)
+      c.params[:address].should_not have_key(:lat)
+      c.params[:post][:title].should == "First port"
+      c.params[:post][:body].should == "Some long lorem ipsum stuff"
+      c.params[:post][:date].should == "today"
     end
   end
 
-  describe "param filtering" do
-    before(:each) do
-      Merb::Router.prepare do
-        @test_route = match("/the/:place/:goes/here").to(:controller => "Test", :action => "show").name(:test)
-        @default_route = default_routes
-      end
+  describe "param clash prevention" do
+    it "should raise an error 'cannot make accessible'" do
+      lambda {
+        class TestAccessibleController < Merb::Controller
+          params_protected :customer => [:password]
+          params_accessible :customer => [:name, :phone, :email]
+          def index; end
+        end
+      }.should raise_error(/Cannot make accessible a controller \(.*?TestAccessibleController\) that is already protected/)
     end
 
+    it "should raise an error 'cannot protect'" do
+      lambda {
+        class TestProtectedController < Merb::Controller
+          params_accessible :customer => [:name, :phone, :email]
+          params_protected :customer => [:password]
+          def index; end
+        end
+      }.should raise_error(/Cannot protect controller \(.*?TestProtectedController\) that is already accessible/)
+    end
+  end
+    
+  describe "param filtering" do
     it "should remove specified params" do
       post_body = "post[title]=hello%20there&post[body]=some%20text&post[status]=published&post[author_id]=1&commit=Submit"
       request = fake_request( {:request_method => 'POST'}, {:post_body => post_body})
@@ -111,4 +106,25 @@ describe "merb-param-protection" do
     Merb::Controller.callable_actions.should be_empty
   end
 
+  describe "log params filtering" do
+    it "should filter params" do
+      c = dispatch_to(LogParamsFiltered, :index, :password => "topsecret", :password_confirmation => "topsecret",
+                                                 :card_number => "1234567890", :other => "not so secret")
+      c.params[:password].should == "topsecret"
+      c.params[:password_confirmation].should == "topsecret"
+      c.params[:card_number].should == "1234567890"
+      c.params[:other].should == "not so secret"
+      
+      filtered = c.class._filter_params(c.params)
+      filtered["password"].should == "[FILTERED]"
+      filtered["password_confirmation"].should == "[FILTERED]"
+      filtered["card_number"].should == "[FILTERED]"
+      filtered["other"].should == "not so secret"
+    end
+  end
+
 end
+
+
+
+

data/spec/spec_helper.rb

@@ -11,23 +11,12 @@ require "merb-param-protection"
 # Satisfies Autotest and anyone else not using the Rake tasks
 require 'spec'
 
+# Additional files required for specs
+require "controllers/param_protection"
 
-Spec::Runner.configure do |config|
-  config.include(Merb::Test::ViewHelper)
-  config.include(Merb::Test::RouteHelper)
-  config.include(Merb::Test::ControllerHelper)
-end
+Merb.start :environment => 'test'
 
-def new_controller(action = 'index', controller = nil, additional_params = {})
-  request = OpenStruct.new
-  request.params = {:action => action, :controller => (controller.to_s || "Test")}
-  request.params.update(additional_params)
-  request.cookies = {}
-  request.accept ||= '*/*'
-  
-  yield request if block_given?
-  
-  response = OpenStruct.new
-  response.read = ""
-  (controller || Merb::Controller).build(request, response)
+Spec::Runner.configure do |config|
+  config.include Merb::Test::ControllerHelper
+  config.include Merb::Test::RequestHelper
 end

metadata

@@ -1,12 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: merb-param-protection
 version: !ruby/object:Gem::Version 
+  hash: 17
   prerelease: false
   segments: 
   - 1
   - 1
-  - 0
-  version: 1.1.0
+  - 1
+  version: 1.1.1
 platform: ruby
 authors: 
 - Lance Carlson
@@ -14,30 +15,34 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-03-22 00:00:00 +00:00
+date: 2010-06-15 00:00:00 +01:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: merb-core
   prerelease: false
   requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
+        hash: 17
         segments: 
         - 1
         - 1
-        - 0
-        version: 1.1.0
+        - 1
+        version: 1.1.1
   type: :runtime
   version_requirements: *id001
 - !ruby/object:Gem::Dependency 
   name: rspec
   prerelease: false
   requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 13
         segments: 
         - 1
         - 2
@@ -52,46 +57,51 @@ executables: []
 extensions: []
 
 extra_rdoc_files: 
-- LICENSE
 - README
+- LICENSE
 - TODO
 files: 
-- LICENSE
-- README
 - Rakefile
-- TODO
-- lib/merb-param-protection.rb
 - lib/merb-param-protection/version.rb
+- lib/merb-param-protection.rb
+- spec/controllers/param_protection.rb
 - spec/merb_param_protection_spec.rb
 - spec/spec.opts
 - spec/spec_helper.rb
+- README
+- LICENSE
+- TODO
 has_rdoc: true
 homepage: http://merbivore.com/
 licenses: []
 
 post_install_message: 
-rdoc_options: 
-- --charset=UTF-8
+rdoc_options: []
+
 require_paths: 
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
+      hash: 3
       segments: 
       - 0
       version: "0"
 required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
+      hash: 3
       segments: 
       - 0
       version: "0"
 requirements: []
 
 rubyforge_project: 
-rubygems_version: 1.3.6
+rubygems_version: 1.3.7
 signing_key: 
 specification_version: 3
 summary: Merb plugin that provides params_accessible and params_protected class methods