merb-param-protection 0.9.9
Sign up to get free protection for your applications and to get access to all the features.
- data/LICENSE +20 -0
- data/README +37 -0
- data/Rakefile +79 -0
- data/lib/merb-param-protection.rb +179 -0
- data/lib/merb-param-protection/merbtasks.rb +6 -0
- metadata +68 -0
data/LICENSE
ADDED
@@ -0,0 +1,20 @@
|
|
1
|
+
Copyright (c) 2008 Lance Carlson
|
2
|
+
|
3
|
+
Permission is hereby granted, free of charge, to any person obtaining
|
4
|
+
a copy of this software and associated documentation files (the
|
5
|
+
"Software"), to deal in the Software without restriction, including
|
6
|
+
without limitation the rights to use, copy, modify, merge, publish,
|
7
|
+
distribute, sublicense, and/or sell copies of the Software, and to
|
8
|
+
permit persons to whom the Software is furnished to do so, subject to
|
9
|
+
the following conditions:
|
10
|
+
|
11
|
+
The above copyright notice and this permission notice shall be
|
12
|
+
included in all copies or substantial portions of the Software.
|
13
|
+
|
14
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
15
|
+
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
16
|
+
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
17
|
+
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
18
|
+
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
19
|
+
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
20
|
+
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
data/README
ADDED
@@ -0,0 +1,37 @@
|
|
1
|
+
merb-param-protection
|
2
|
+
=================
|
3
|
+
|
4
|
+
This plugin exposes three new controller methods which allow us to simply and flexibly filter the parameters available within the controller.
|
5
|
+
|
6
|
+
Setup:
|
7
|
+
The request sets:
|
8
|
+
|
9
|
+
params => { :post => { :title => "ello", :body => "Want it", :status => "green", :author_id => 3, :rank => 4 } }
|
10
|
+
|
11
|
+
Example 1: params_accessable
|
12
|
+
MyController < Application
|
13
|
+
params_accessible :post => [:title, :body]
|
14
|
+
end
|
15
|
+
|
16
|
+
params.inspect # => { :post => { :title => "ello", :body => "Want it" } }
|
17
|
+
|
18
|
+
So we see that params_accessible removes everything except what is explictly specified.
|
19
|
+
|
20
|
+
Example 2: params_protected
|
21
|
+
MyOtherController < Application
|
22
|
+
params_protected :post => [:status, :author_id]
|
23
|
+
end
|
24
|
+
|
25
|
+
params.inspect # => { :post => { :title => "ello", :body => "Want it", :rank => 4 } }
|
26
|
+
|
27
|
+
We also see that params_protected removes ONLY those parameters explicitly specified.
|
28
|
+
|
29
|
+
Sometimes you have certain post parameters that are best left unlogged, we support that too. Your
|
30
|
+
actions continue to receive the variable correctly, but the requested parameters are scrubbed
|
31
|
+
at log time.
|
32
|
+
|
33
|
+
MySuperDuperController < Application
|
34
|
+
log_params_filtered :password
|
35
|
+
end
|
36
|
+
|
37
|
+
params.inspect # => { :username => 'atmos', :password => '[FILTERED]' }
|
data/Rakefile
ADDED
@@ -0,0 +1,79 @@
|
|
1
|
+
require 'rubygems'
|
2
|
+
require 'rubygems/specification'
|
3
|
+
require 'rake/gempackagetask'
|
4
|
+
require "extlib"
|
5
|
+
require 'merb-core/tasks/merb_rake_helper'
|
6
|
+
require "spec/rake/spectask"
|
7
|
+
|
8
|
+
require File.join(File.dirname(__FILE__), "../merb-core/lib/merb-core/version.rb")
|
9
|
+
##############################################################################
|
10
|
+
# Package && release
|
11
|
+
##############################################################################
|
12
|
+
RUBY_FORGE_PROJECT = "merb"
|
13
|
+
PROJECT_URL = "http://merbivore.com"
|
14
|
+
PROJECT_SUMMARY = "Merb plugin that provides params_accessible and params_protected class methods"
|
15
|
+
PROJECT_DESCRIPTION = PROJECT_SUMMARY
|
16
|
+
|
17
|
+
GEM_AUTHOR = "Lance Carlson"
|
18
|
+
GEM_EMAIL = "lancecarlson@gmail.com"
|
19
|
+
|
20
|
+
GEM_NAME = "merb-param-protection"
|
21
|
+
PKG_BUILD = ENV['PKG_BUILD'] ? '.' + ENV['PKG_BUILD'] : ''
|
22
|
+
GEM_VERSION = Merb::VERSION + PKG_BUILD
|
23
|
+
|
24
|
+
RELEASE_NAME = "REL #{GEM_VERSION}"
|
25
|
+
|
26
|
+
require "extlib/tasks/release"
|
27
|
+
|
28
|
+
spec = Gem::Specification.new do |s|
|
29
|
+
s.rubyforge_project = RUBY_FORGE_PROJECT
|
30
|
+
s.name = GEM_NAME
|
31
|
+
s.version = GEM_VERSION
|
32
|
+
s.platform = Gem::Platform::RUBY
|
33
|
+
s.has_rdoc = true
|
34
|
+
s.extra_rdoc_files = ["README", "LICENSE"]
|
35
|
+
s.summary = PROJECT_SUMMARY
|
36
|
+
s.description = PROJECT_DESCRIPTION
|
37
|
+
s.author = GEM_AUTHOR
|
38
|
+
s.email = GEM_EMAIL
|
39
|
+
s.homepage = PROJECT_URL
|
40
|
+
s.add_dependency('merb-core', '>= 0.9.8')
|
41
|
+
s.require_path = 'lib'
|
42
|
+
s.files = %w(LICENSE README Rakefile) + Dir.glob("{lib,specs}/**/*")
|
43
|
+
end
|
44
|
+
|
45
|
+
Rake::GemPackageTask.new(spec) do |pkg|
|
46
|
+
pkg.gem_spec = spec
|
47
|
+
end
|
48
|
+
|
49
|
+
desc "Install the gem"
|
50
|
+
task :install do
|
51
|
+
Merb::RakeHelper.install(GEM_NAME, :version => GEM_VERSION)
|
52
|
+
end
|
53
|
+
|
54
|
+
desc "Uninstall the gem"
|
55
|
+
task :uninstall do
|
56
|
+
Merb::RakeHelper.uninstall(GEM_NAME, :version => GEM_VERSION)
|
57
|
+
end
|
58
|
+
|
59
|
+
desc "Create a gemspec file"
|
60
|
+
task :gemspec do
|
61
|
+
File.open("#{GEM_NAME}.gemspec", "w") do |file|
|
62
|
+
file.puts spec.to_ruby
|
63
|
+
end
|
64
|
+
end
|
65
|
+
|
66
|
+
desc "Run all examples (or a specific spec with TASK=xxxx)"
|
67
|
+
Spec::Rake::SpecTask.new('spec') do |t|
|
68
|
+
t.spec_opts = ["-cfs"]
|
69
|
+
t.spec_files = begin
|
70
|
+
if ENV["TASK"]
|
71
|
+
ENV["TASK"].split(',').map { |task| "spec/**/#{task}_spec.rb" }
|
72
|
+
else
|
73
|
+
FileList['spec/**/*_spec.rb']
|
74
|
+
end
|
75
|
+
end
|
76
|
+
end
|
77
|
+
|
78
|
+
desc 'Default: run spec examples'
|
79
|
+
task :default => 'spec'
|
@@ -0,0 +1,179 @@
|
|
1
|
+
# This plugin exposes two new controller methods which allow us to simply and flexibly filter the parameters available within the controller.
|
2
|
+
|
3
|
+
# Setup:
|
4
|
+
# The request sets:
|
5
|
+
# params => { :post => { :title => "ello", :body => "Want it", :status => "green", :author_id => 3, :rank => 4 } }
|
6
|
+
#
|
7
|
+
# Example 1: params_accessable
|
8
|
+
# MyController < Application
|
9
|
+
# params_accessible :post => [:title, :body]
|
10
|
+
# end
|
11
|
+
|
12
|
+
# params.inspect # => { :post => { :title => "ello", :body => "Want it" } }
|
13
|
+
|
14
|
+
# So we see that params_accessible removes everything except what is explictly specified.
|
15
|
+
|
16
|
+
# Example 2: params_protected
|
17
|
+
# MyOtherController < Application
|
18
|
+
# params_protected :post => [:status, :author_id]
|
19
|
+
# end
|
20
|
+
|
21
|
+
# params.inspect # => { :post => { :title => "ello", :body => "Want it", :rank => 4 } }
|
22
|
+
|
23
|
+
# We also see that params_protected removes ONLY those parameters explicitly specified.
|
24
|
+
|
25
|
+
if defined?(Merb::Plugins)
|
26
|
+
|
27
|
+
# Merb gives you a Merb::Plugins.config hash...feel free to put your stuff in your piece of it
|
28
|
+
#Merb::Plugins.config[:merb_param_protection] = {
|
29
|
+
#:chickens => false
|
30
|
+
#}
|
31
|
+
|
32
|
+
#Merb::Plugins.add_rakefiles "merb_param_protection/merbtasks"
|
33
|
+
|
34
|
+
module Merb
|
35
|
+
module ParamsFilter
|
36
|
+
module ControllerMixin
|
37
|
+
def self.included(base)
|
38
|
+
base.send(:extend, ClassMethods)
|
39
|
+
base.send(:include, InstanceMethods)
|
40
|
+
base.send(:class_inheritable_accessor, :accessible_params_args)
|
41
|
+
base.send(:class_inheritable_accessor, :protected_params_args)
|
42
|
+
base.send(:class_inheritable_accessor, :log_params_args)
|
43
|
+
# Don't expose these as public methods - otherwise they'll become controller actions
|
44
|
+
base.send(:protected, :accessible_params_args, :protected_params_args, :log_params_args)
|
45
|
+
base.send(:protected, :accessible_params_args=, :protected_params_args=, :log_params_args=)
|
46
|
+
|
47
|
+
base.send(:before, :initialize_params_filter)
|
48
|
+
end
|
49
|
+
|
50
|
+
module ClassMethods
|
51
|
+
# Ensures these parameters are sent for the object
|
52
|
+
#
|
53
|
+
# params_accessible :post => [:title, :body]
|
54
|
+
#
|
55
|
+
def params_accessible(args = {})
|
56
|
+
assign_filtered_params(:accessible_params_args, args)
|
57
|
+
end
|
58
|
+
|
59
|
+
# Protects parameters of an object
|
60
|
+
#
|
61
|
+
# params_protected :post => [:status, :author_id]
|
62
|
+
#
|
63
|
+
def params_protected(args = {})
|
64
|
+
assign_filtered_params(:protected_params_args, args)
|
65
|
+
end
|
66
|
+
|
67
|
+
# Filters parameters out from the default log string
|
68
|
+
# Params will still be passed to the controller properly, they will
|
69
|
+
# show up as [FILTERED] in the merb logs.
|
70
|
+
#
|
71
|
+
# log_params_filtered :password, 'token'
|
72
|
+
#
|
73
|
+
def log_params_filtered(*args)
|
74
|
+
self.log_params_args = args.collect { |arg| arg.to_sym }
|
75
|
+
end
|
76
|
+
|
77
|
+
private
|
78
|
+
|
79
|
+
def assign_filtered_params(method, args)
|
80
|
+
validate_filtered_params(method, args)
|
81
|
+
|
82
|
+
# If the method is nil, set to initial hash, otherwise merge
|
83
|
+
self.send(method).nil? ? self.send(method.to_s + '=', args) : self.send(method).merge!(args)
|
84
|
+
end
|
85
|
+
|
86
|
+
def validate_filtered_params(method, args)
|
87
|
+
# Reversing methods
|
88
|
+
params_methods = [:accessible_params_args, :protected_params_args]
|
89
|
+
params_methods.delete(method)
|
90
|
+
params_method = params_methods.first
|
91
|
+
|
92
|
+
# Make sure the opposite method is not nil
|
93
|
+
unless self.send(params_method).nil?
|
94
|
+
# Loop through arg's keys
|
95
|
+
args.keys.each do |key|
|
96
|
+
# If the key exists on the opposite method, raise exception
|
97
|
+
if self.send(params_method).include?(key)
|
98
|
+
case method
|
99
|
+
when :accessible_params_args : raise "Cannot make accessible a controller (#{self}) that is already protected"
|
100
|
+
when :protected_params_args : raise "Cannot protect controller (#{self}) that is already accessible"
|
101
|
+
end
|
102
|
+
end
|
103
|
+
end
|
104
|
+
end
|
105
|
+
end
|
106
|
+
end
|
107
|
+
|
108
|
+
module InstanceMethods
|
109
|
+
def initialize_params_filter
|
110
|
+
if accessible_params_args.is_a?(Hash)
|
111
|
+
accessible_params_args.keys.each do |obj|
|
112
|
+
self.request.restrict_params(obj, accessible_params_args[obj])
|
113
|
+
end
|
114
|
+
end
|
115
|
+
|
116
|
+
if protected_params_args.is_a?(Hash)
|
117
|
+
protected_params_args.keys.each do |obj|
|
118
|
+
self.request.remove_params_from_object(obj, protected_params_args[obj])
|
119
|
+
end
|
120
|
+
end
|
121
|
+
end
|
122
|
+
end
|
123
|
+
|
124
|
+
end
|
125
|
+
|
126
|
+
module RequestMixin
|
127
|
+
attr_accessor :trashed_params
|
128
|
+
|
129
|
+
# Removes specified parameters of an object
|
130
|
+
#
|
131
|
+
# remove_params_from_object(:post, [:status, :author_id])
|
132
|
+
#
|
133
|
+
def remove_params_from_object(obj, attrs = [])
|
134
|
+
unless params[obj].nil?
|
135
|
+
filtered = params
|
136
|
+
attrs.each {|a| filtered[obj].delete(a)}
|
137
|
+
@params = filtered
|
138
|
+
end
|
139
|
+
end
|
140
|
+
|
141
|
+
# Restricts parameters of an object
|
142
|
+
#
|
143
|
+
# restrict_params(:post, [:title, :body])
|
144
|
+
#
|
145
|
+
def restrict_params(obj, attrs = [])
|
146
|
+
# Make sure the params for the object exists
|
147
|
+
unless params[obj].nil?
|
148
|
+
attrs = attrs.collect {|a| a.to_s}
|
149
|
+
trashed_params_keys = params[obj].keys - attrs
|
150
|
+
|
151
|
+
# Store a hash of the key/value pairs we are going
|
152
|
+
# to remove in case we need them later. Lighthouse Bug # 105
|
153
|
+
@trashed_params = {}
|
154
|
+
trashed_params_keys.each do |key|
|
155
|
+
@trashed_params.merge!({key => params[obj][key]})
|
156
|
+
end
|
157
|
+
|
158
|
+
remove_params_from_object(obj, trashed_params_keys)
|
159
|
+
end
|
160
|
+
end
|
161
|
+
|
162
|
+
end
|
163
|
+
end
|
164
|
+
end
|
165
|
+
|
166
|
+
Merb::Controller.send(:include, Merb::ParamsFilter::ControllerMixin)
|
167
|
+
Merb::Request.send(:include, Merb::ParamsFilter::RequestMixin)
|
168
|
+
|
169
|
+
class Merb::Controller
|
170
|
+
def self._filter_params(params)
|
171
|
+
return params if self.log_params_args.nil?
|
172
|
+
result = { }
|
173
|
+
params.each do |k,v|
|
174
|
+
result[k] = (self.log_params_args.include?(k.to_sym) ? '[FILTERED]' : v)
|
175
|
+
end
|
176
|
+
result
|
177
|
+
end
|
178
|
+
end
|
179
|
+
end
|
metadata
ADDED
@@ -0,0 +1,68 @@
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
|
+
name: merb-param-protection
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
version: 0.9.9
|
5
|
+
platform: ruby
|
6
|
+
authors:
|
7
|
+
- Lance Carlson
|
8
|
+
autorequire:
|
9
|
+
bindir: bin
|
10
|
+
cert_chain: []
|
11
|
+
|
12
|
+
date: 2008-10-14 00:00:00 +03:00
|
13
|
+
default_executable:
|
14
|
+
dependencies:
|
15
|
+
- !ruby/object:Gem::Dependency
|
16
|
+
name: merb-core
|
17
|
+
type: :runtime
|
18
|
+
version_requirement:
|
19
|
+
version_requirements: !ruby/object:Gem::Requirement
|
20
|
+
requirements:
|
21
|
+
- - ">="
|
22
|
+
- !ruby/object:Gem::Version
|
23
|
+
version: 0.9.8
|
24
|
+
version:
|
25
|
+
description: Merb plugin that provides params_accessible and params_protected class methods
|
26
|
+
email: lancecarlson@gmail.com
|
27
|
+
executables: []
|
28
|
+
|
29
|
+
extensions: []
|
30
|
+
|
31
|
+
extra_rdoc_files:
|
32
|
+
- README
|
33
|
+
- LICENSE
|
34
|
+
files:
|
35
|
+
- LICENSE
|
36
|
+
- README
|
37
|
+
- Rakefile
|
38
|
+
- lib/merb-param-protection
|
39
|
+
- lib/merb-param-protection/merbtasks.rb
|
40
|
+
- lib/merb-param-protection.rb
|
41
|
+
has_rdoc: true
|
42
|
+
homepage: http://merbivore.com
|
43
|
+
post_install_message:
|
44
|
+
rdoc_options: []
|
45
|
+
|
46
|
+
require_paths:
|
47
|
+
- lib
|
48
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
49
|
+
requirements:
|
50
|
+
- - ">="
|
51
|
+
- !ruby/object:Gem::Version
|
52
|
+
version: "0"
|
53
|
+
version:
|
54
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
55
|
+
requirements:
|
56
|
+
- - ">="
|
57
|
+
- !ruby/object:Gem::Version
|
58
|
+
version: "0"
|
59
|
+
version:
|
60
|
+
requirements: []
|
61
|
+
|
62
|
+
rubyforge_project: merb
|
63
|
+
rubygems_version: 1.2.0
|
64
|
+
signing_key:
|
65
|
+
specification_version: 2
|
66
|
+
summary: Merb plugin that provides params_accessible and params_protected class methods
|
67
|
+
test_files: []
|
68
|
+
|