merb-param-protection 1.0.15 → 1.1.0.pre

data/Rakefile

@@ -1,73 +1,64 @@
-require File.expand_path(File.join(File.dirname(__FILE__), "..", "rake_helpers"))
-
-##############################################################################
-# Package && release
-##############################################################################
-RUBY_FORGE_PROJECT  = "merb"
-PROJECT_URL         = "http://merbivore.com"
-PROJECT_SUMMARY     = "Merb plugin that provides params_accessible and params_protected class methods"
-PROJECT_DESCRIPTION = PROJECT_SUMMARY
-
-GEM_AUTHOR = "Lance Carlson"
-GEM_EMAIL  = "lancecarlson@gmail.com"
-
-GEM_NAME    = "merb-param-protection"
-PKG_BUILD   = ENV['PKG_BUILD'] ? '.' + ENV['PKG_BUILD'] : ''
-GEM_VERSION = Merb::VERSION + PKG_BUILD
-
-RELEASE_NAME    = "REL #{GEM_VERSION}"
-
-require "extlib/tasks/release"
-
-spec = Gem::Specification.new do |s|
-  s.rubyforge_project = RUBY_FORGE_PROJECT
-  s.name = GEM_NAME
-  s.version = GEM_VERSION
-  s.platform = Gem::Platform::RUBY
-  s.has_rdoc = true
-  s.extra_rdoc_files = ["README", "LICENSE"]
-  s.summary = PROJECT_SUMMARY
-  s.description = PROJECT_DESCRIPTION
-  s.author = GEM_AUTHOR
-  s.email = GEM_EMAIL
-  s.homepage = PROJECT_URL
-  s.add_dependency('merb-core', "~> #{Merb::VERSION}")
-  s.require_path = 'lib'
-  s.files = %w(LICENSE README Rakefile) + Dir.glob("{lib,specs}/**/*")
-end
+require 'rubygems'
+require 'rake'
 
-Rake::GemPackageTask.new(spec) do |pkg|
-  pkg.gem_spec = spec
-end
+# Assume a typical dev checkout to fetch the current merb-core version
+require File.expand_path('../../merb-core/lib/merb-core/version', __FILE__)
 
-desc "Install the gem"
-task :install do
-  Merb::RakeHelper.install(GEM_NAME, :version => GEM_VERSION)
-end
+# Load this library's version information
+require File.expand_path('../lib/merb-param-protection/version', __FILE__)
 
-desc "Uninstall the gem"
-task :uninstall do
-  Merb::RakeHelper.uninstall(GEM_NAME, :version => GEM_VERSION)
-end
+begin
+
+  gem 'jeweler', '~> 1.4'
+  require 'jeweler'
+
+  Jeweler::Tasks.new do |gemspec|
+
+    gemspec.version     = Merb::ParamProtection::VERSION
+
+    gemspec.name        = "merb-param-protection"
+    gemspec.description = "Merb plugin that helps protecting sensible parameters"
+    gemspec.summary     = "Merb plugin that provides params_accessible and params_protected class methods"
+
+    gemspec.authors     = [ "Lance Carlson" ]
+    gemspec.email       = "lancecarlson@gmail.com"
+    gemspec.homepage    = "http://merbivore.com/"
+
+    gemspec.files       = %w(LICENSE Rakefile README TODO) + Dir['{lib,spec}/**/*']
+
+    # Runtime dependencies
+    gemspec.add_dependency 'merb-core', "~> #{Merb::VERSION}"
+
+    # Development dependencies
+    gemspec.add_development_dependency 'rspec', '>= 1.2.9'
 
-desc "Create a gemspec file"
-task :gemspec do
-  File.open("#{GEM_NAME}.gemspec", "w") do |file|
-    file.puts spec.to_ruby
   end
+
+  Jeweler::GemcutterTasks.new
+
+rescue LoadError
+  puts "Jeweler (or a dependency) not available. Install it with: gem install jeweler"
 end
 
-desc "Run all examples (or a specific spec with TASK=xxxx)"
-Spec::Rake::SpecTask.new('spec') do |t|
-  t.spec_opts  = ["-cfs"]
-  t.spec_files = begin
-    if ENV["TASK"] 
-      ENV["TASK"].split(',').map { |task| "spec/**/#{task}_spec.rb" }
-    else
-      FileList['spec/**/*_spec.rb']
-    end
-  end
+require 'spec/rake/spectask'
+Spec::Rake::SpecTask.new(:spec) do |spec|
+  spec.spec_opts << '--options' << 'spec/spec.opts' if File.exists?('spec/spec.opts')
+  spec.libs << 'lib' << 'spec'
+  spec.spec_files = FileList['spec/**/*_spec.rb']
 end
 
-desc 'Default: run spec examples'
-task :default => 'spec'
+Spec::Rake::SpecTask.new(:rcov) do |spec|
+  spec.libs << 'lib' << 'spec'
+  spec.pattern = 'spec/**/*_spec.rb'
+  spec.rcov = true
+end
+
+task :default => :spec
+
+require 'rake/rdoctask'
+Rake::RDocTask.new do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title = "test_gem #{Merb::ParamProtection::VERSION}"
+  rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/TODO

@@ -0,0 +1,4 @@
+TODO:
+DRY up the code
+Finish spec'ing
+Allow specification of any parameter?

data/lib/merb-param-protection.rb

@@ -96,8 +96,8 @@ if defined?(Merb::Plugins)
                 # If the key exists on the opposite method, raise exception
                 if self.send(params_method).include?(key)
                   case method
-                  when :accessible_params_args : raise "Cannot make accessible a controller (#{self}) that is already protected"
-                  when :protected_params_args : raise "Cannot protect controller (#{self}) that is already accessible"
+                  when :accessible_params_args then raise "Cannot make accessible a controller (#{self}) that is already protected"
+                  when :protected_params_args then raise "Cannot protect controller (#{self}) that is already accessible"
                   end
                 end
               end

data/lib/merb-param-protection/version.rb

@@ -0,0 +1,5 @@
+module Merb
+  module ParamProtection
+    VERSION = '1.1.0.pre'.freeze
+  end
+end

data/spec/merb_param_protection_spec.rb

@@ -0,0 +1,114 @@
+require 'spec_helper'
+
+describe "merb-param-protection" do
+  describe "Controller", "parameter filtering" do
+    describe "accessible parameters" do
+      class ParamsAccessibleController < Merb::Controller
+        params_accessible :customer => [:name, :phone, :email], :address => [:street, :zip]
+        params_accessible :post => [:title, :body]
+        def create; end
+      end
+
+      class ParamsProtectedController < Merb::Controller
+        params_protected :customer => [:activated?, :password], :address => [:long, :lat]
+        def update; end
+      end
+
+
+      it "should store the accessible parameters for that controller" do
+        pending
+        @params_accessible_controller = ParamsAccessibleController.new( fake_request )
+        @params_accessible_controller.stub!(:initialize_params_filter)
+
+        # FIXME : this call to dispatch is where I break
+        @params_accessible_controller.dispatch('create')
+        @params_accessible_controller.accessible_params_args.should == {
+          :address=> [:street, :zip], :post=> [:title, :body], :customer=> [:name, :phone, :email]
+        }
+      end
+
+      it "should remove the parameters from the request that are not accessible" do
+        pending
+        @params_accessible_controller = ParamsAccessibleController.new( fake_request )
+        # FIXME : this call to dispatch is where I break
+        @params_accessible_controller.dispatch('create')
+      end
+    end
+
+    describe "protected parameters" do
+      before(:each) do
+        pending
+        @params_protected_controller = ParamsProtectedController.new( fake_request )
+        # FIXME : this call to dispatch is where I break
+        #@params_protected_controller.dispatch('update')
+      end
+
+      it "should store the protected parameters for that controller" do
+        @params_protected_controller.protected_params_args.should == {
+          :address=> [:long, :lat], :customer=> [:activated?, :password]
+        }
+      end
+    end
+
+    describe "param clash prevention" do
+      it "should raise an error 'cannot make accessible'" do
+        lambda {
+          class TestAccessibleController < Merb::Controller
+            params_protected :customer => [:password]
+            params_accessible :customer => [:name, :phone, :email]
+            def index; end
+          end
+        }.should raise_error(/Cannot make accessible a controller \(.*?TestAccessibleController\) that is already protected/)
+	# TODO "#<Class:0xa9c598c>::TestProtectedController" is generated in ruby 1.9
+      end
+
+      it "should raise an error 'cannot protect'" do
+        lambda {
+          class TestProtectedController < Merb::Controller
+            params_accessible :customer => [:name, :phone, :email]
+            params_protected :customer => [:password]
+            def index; end
+          end
+        }.should raise_error(/Cannot protect controller \(.*?TestProtectedController\) that is already accessible/)
+        # TODO "#<Class:0x92bfbd4>::TestProtectedController" is generated in ruby 1.9
+      end
+    end
+  end
+
+  describe "param filtering" do
+    before(:each) do
+      Merb::Router.prepare do
+        @test_route = match("/the/:place/:goes/here").to(:controller => "Test", :action => "show").name(:test)
+        @default_route = default_routes
+      end
+    end
+
+    it "should remove specified params" do
+      post_body = "post[title]=hello%20there&post[body]=some%20text&post[status]=published&post[author_id]=1&commit=Submit"
+      request = fake_request( {:request_method => 'POST'}, {:post_body => post_body})
+      request.remove_params_from_object(:post, [:status, :author_id])
+      request.params[:post][:title].should == "hello there"
+      request.params[:post][:body].should == "some text"
+      request.params[:post][:status].should_not == "published"
+      request.params[:post][:author_id].should_not == 1
+      request.params[:commit].should == "Submit"
+    end
+
+    it "should restrict parameters" do
+      post_body = "post[title]=hello%20there&post[body]=some%20text&post[status]=published&post[author_id]=1&commit=Submit"
+      request = fake_request( {:request_method => 'POST'}, {:post_body => post_body})
+      request.restrict_params(:post, [:title, :body])
+      request.params[:post][:title].should == "hello there"
+      request.params[:post][:body].should == "some text"
+      request.params[:post][:status].should_not == "published"
+      request.params[:post][:author_id].should_not == 1
+      request.params[:commit].should == "Submit"
+      request.trashed_params.should == {"status"=>"published", "author_id"=>"1"}
+    end
+  end
+  
+  it "should not have any plugin methods accidently exposed as actions" do
+    Merb::Controller.callable_actions.should be_empty
+  end
+
+end

data/spec/spec.opts

@@ -0,0 +1,2 @@
+--format specdoc
+--colour

data/spec/spec_helper.rb

@@ -0,0 +1,33 @@
+require "rubygems"
+
+# Use current merb-core sources if running from a typical dev checkout.
+lib = File.expand_path('../../../merb-core/lib', __FILE__)
+$LOAD_PATH.unshift(lib) if File.directory?(lib)
+require 'merb-core'
+
+# The lib under test
+require "merb-param-protection"
+
+# Satisfies Autotest and anyone else not using the Rake tasks
+require 'spec'
+
+
+Spec::Runner.configure do |config|
+  config.include(Merb::Test::ViewHelper)
+  config.include(Merb::Test::RouteHelper)
+  config.include(Merb::Test::ControllerHelper)
+end
+
+def new_controller(action = 'index', controller = nil, additional_params = {})
+  request = OpenStruct.new
+  request.params = {:action => action, :controller => (controller.to_s || "Test")}
+  request.params.update(additional_params)
+  request.cookies = {}
+  request.accept ||= '*/*'
+  
+  yield request if block_given?
+  
+  response = OpenStruct.new
+  response.read = ""
+  (controller || Merb::Controller).build(request, response)
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: merb-param-protection
 version: !ruby/object:Gem::Version 
-  version: 1.0.15
+  version: 1.1.0.pre
 platform: ruby
 authors: 
 - Lance Carlson
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2009-11-04 00:00:00 +00:00
+date: 2010-02-20 00:00:00 +00:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -20,30 +20,45 @@ dependencies:
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
-        version: 1.0.15
+        version: 1.1.0.pre
     version: 
-description: Merb plugin that provides params_accessible and params_protected class methods
+- !ruby/object:Gem::Dependency 
+  name: rspec
+  type: :development
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: 1.2.9
+    version: 
+description: Merb plugin that helps protecting sensible parameters
 email: lancecarlson@gmail.com
 executables: []
 
 extensions: []
 
 extra_rdoc_files: 
-- README
 - LICENSE
+- README
+- TODO
 files: 
 - LICENSE
 - README
 - Rakefile
-- lib/merb-param-protection/merbtasks.rb
+- TODO
 - lib/merb-param-protection.rb
+- lib/merb-param-protection/version.rb
+- spec/merb_param_protection_spec.rb
+- spec/spec.opts
+- spec/spec_helper.rb
 has_rdoc: true
-homepage: http://merbivore.com
+homepage: http://merbivore.com/
 licenses: []
 
 post_install_message: 
-rdoc_options: []
-
+rdoc_options: 
+- --charset=UTF-8
 require_paths: 
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement 
@@ -54,13 +69,13 @@ required_ruby_version: !ruby/object:Gem::Requirement
   version: 
 required_rubygems_version: !ruby/object:Gem::Requirement 
   requirements: 
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version 
-      version: "0"
+      version: 1.3.1
   version: 
 requirements: []
 
-rubyforge_project: merb
+rubyforge_project: 
 rubygems_version: 1.3.5
 signing_key: 
 specification_version: 3

data/lib/merb-param-protection/merbtasks.rb

@@ -1,6 +0,0 @@
-# namespace :merb_param_protection do
-#   desc "Do something for merb_param_protection"
-#   task :default do
-#     puts "merb_param_protection doesn't do anything"
-#   end
-# end