merb-param-protection 1.1.0 → 1.1.1

data/Rakefile CHANGED
@@ -1,45 +1,9 @@
1
1
  require 'rubygems'
2
2
  require 'rake'
3
3
 
4
- # Assume a typical dev checkout to fetch the current merb-core version
5
- require File.expand_path('../../merb-core/lib/merb-core/version', __FILE__)
6
-
7
4
  # Load this library's version information
8
5
  require File.expand_path('../lib/merb-param-protection/version', __FILE__)
9
6
 
10
- begin
11
-
12
- gem 'jeweler', '~> 1.4'
13
- require 'jeweler'
14
-
15
- Jeweler::Tasks.new do |gemspec|
16
-
17
- gemspec.version = Merb::ParamProtection::VERSION.dup
18
-
19
- gemspec.name = "merb-param-protection"
20
- gemspec.description = "Merb plugin that helps protecting sensible parameters"
21
- gemspec.summary = "Merb plugin that provides params_accessible and params_protected class methods"
22
-
23
- gemspec.authors = [ "Lance Carlson" ]
24
- gemspec.email = "lancecarlson@gmail.com"
25
- gemspec.homepage = "http://merbivore.com/"
26
-
27
- gemspec.files = %w(LICENSE Rakefile README TODO) + Dir['{lib,spec}/**/*']
28
-
29
- # Runtime dependencies
30
- gemspec.add_dependency 'merb-core', "~> #{Merb::VERSION}"
31
-
32
- # Development dependencies
33
- gemspec.add_development_dependency 'rspec', '>= 1.2.9'
34
-
35
- end
36
-
37
- Jeweler::GemcutterTasks.new
38
-
39
- rescue LoadError
40
- puts "Jeweler (or a dependency) not available. Install it with: gem install jeweler"
41
- end
42
-
43
7
  require 'spec/rake/spectask'
44
8
  Spec::Rake::SpecTask.new(:spec) do |spec|
45
9
  spec.spec_opts << '--options' << 'spec/spec.opts' if File.exists?('spec/spec.opts')
@@ -1,37 +1,5 @@
1
1
  require "merb-core"
2
2
 
3
- # This plugin exposes two new controller methods which allow us to simply and flexibly filter the parameters available within the controller.
4
-
5
- # Setup:
6
- # The request sets:
7
- # params => { :post => { :title => "ello", :body => "Want it", :status => "green", :author_id => 3, :rank => 4 } }
8
- #
9
- # Example 1: params_accessable
10
- # MyController < Application
11
- # params_accessible :post => [:title, :body]
12
- # end
13
-
14
- # params.inspect # => { :post => { :title => "ello", :body => "Want it" } }
15
-
16
- # So we see that params_accessible removes everything except what is explictly specified.
17
-
18
- # Example 2: params_protected
19
- # MyOtherController < Application
20
- # params_protected :post => [:status, :author_id]
21
- # end
22
-
23
- # params.inspect # => { :post => { :title => "ello", :body => "Want it", :rank => 4 } }
24
-
25
- # We also see that params_protected removes ONLY those parameters explicitly specified.
26
-
27
-
28
- # Merb gives you a Merb::Plugins.config hash...feel free to put your stuff in your piece of it
29
- #Merb::Plugins.config[:merb_param_protection] = {
30
- #:chickens => false
31
- #}
32
-
33
- #Merb::Plugins.add_rakefiles "merb_param_protection/merbtasks"
34
-
35
3
  module Merb
36
4
  module ParamsFilter
37
5
  module ControllerMixin
@@ -49,30 +17,66 @@ module Merb
49
17
  end
50
18
 
51
19
  module ClassMethods
20
+
52
21
  # Ensures these parameters are sent for the object
53
22
  #
54
- # params_accessible :post => [:title, :body]
23
+ # ==== Parameters
24
+ # args:: Params that will be filtered
55
25
  #
26
+ # ==== Example
27
+ # # The request sets:
28
+ # params => { :post => { :title => "ello", :body => "Want it", :status => "green", :author_id => 3, :rank => 4 } }
29
+ #
30
+ # MyController < Application
31
+ # params_accessible :post => [:title, :body]
32
+ # end
33
+ #
34
+ # params.inspect # => { :post => { :title => "ello", :body => "Want it" } }
35
+ #
36
+ # So we see that params_accessible removes everything except what is explictly specified.
37
+ #
38
+ # :api: public
56
39
  def params_accessible(args = {})
57
40
  assign_filtered_params(:accessible_params_args, args)
58
41
  end
59
42
 
60
43
  # Protects parameters of an object
61
44
  #
62
- # params_protected :post => [:status, :author_id]
45
+ # ==== Parameters
46
+ # args:: Params that will be filtered
47
+ #
48
+ # ==== Example
49
+ # # The request sets:
50
+ # params => { :post => { :title => "ello", :body => "Want it", :status => "green", :author_id => 3, :rank => 4 } }
51
+ #
52
+ # MyController < Application
53
+ # params_protected :post => [:status, :author_id]
54
+ # end
55
+ #
56
+ # params.inspect # => { :post => { :title => "ello", :body => "Want it", :rank => 4 } }
63
57
  #
58
+ # So we see that params_protected removes ONLY those parameters explicitly specified.
59
+ #
60
+ # :api: public
64
61
  def params_protected(args = {})
65
62
  assign_filtered_params(:protected_params_args, args)
66
63
  end
67
64
 
68
65
  # Filters parameters out from the default log string
69
- # Params will still be passed to the controller properly, they will
70
- # show up as [FILTERED] in the merb logs.
71
66
  #
72
- # log_params_filtered :password, 'token'
67
+ # Params will still be passed to the controller properly, they will
68
+ # show up as [FILTERED] in the merb logs.
69
+ #
70
+ # ==== Parameters
71
+ # args:: Params that will be filtered
73
72
  #
73
+ # ==== Example
74
+ # log_params_filtered :password, 'token'
75
+ #
76
+ # :api: public
74
77
  def log_params_filtered(*args)
75
- self.log_params_args = args.collect { |arg| arg.to_sym }
78
+ self.log_params_args ||= []
79
+ self.log_params_args += args.collect { |arg| arg.to_s }
76
80
  end
77
81
 
78
82
  private
@@ -121,7 +125,6 @@ module Merb
121
125
  end
122
126
  end
123
127
  end
124
-
125
128
  end
126
129
 
127
130
  module RequestMixin
@@ -129,8 +132,14 @@ module Merb
129
132
 
130
133
  # Removes specified parameters of an object
131
134
  #
135
+ # ==== Parameters
136
+ # obj<Symbol>:: Params key
137
+ # attrs<Array>:: Attributes to restrict
138
+ #
139
+ # ==== Example
132
140
  # remove_params_from_object(:post, [:status, :author_id])
133
141
  #
142
+ # :api: plugin
134
143
  def remove_params_from_object(obj, attrs = [])
135
144
  unless params[obj].nil?
136
145
  filtered = params
@@ -141,8 +150,14 @@ module Merb
141
150
 
142
151
  # Restricts parameters of an object
143
152
  #
153
+ # ==== Parameters
154
+ # obj<Symbol>:: Params key
155
+ # attrs<Array>:: Attributes to restrict
156
+ #
157
+ # ==== Example
144
158
  # restrict_params(:post, [:title, :body])
145
159
  #
160
+ # :api: plugin
146
161
  def restrict_params(obj, attrs = [])
147
162
  # Make sure the params for the object exists
148
163
  unless params[obj].nil?
@@ -168,11 +183,12 @@ Merb::Controller.send(:include, Merb::ParamsFilter::ControllerMixin)
168
183
  Merb::Request.send(:include, Merb::ParamsFilter::RequestMixin)
169
184
 
170
185
  class Merb::Controller
186
+ # Filters parameters so they are not showed in logs
171
187
  def self._filter_params(params)
172
188
  return params if self.log_params_args.nil?
173
189
  result = { }
174
190
  params.each do |k,v|
175
- result[k] = (self.log_params_args.include?(k.to_sym) ? '[FILTERED]' : v)
191
+ result[k] = (self.log_params_args.include?(k.to_s) ? '[FILTERED]' : v)
176
192
  end
177
193
  result
178
194
  end
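Review bot: `_filter_params` still masks only top-level keys, so a secret one level down (a `password` inside a `user` hash, say) is written to the log in clear even after this change — only the `k.to_s` comparison changed, not the single-level iteration. The new spec fixture keeps `log_params_filtered :user => [:age]` commented out, and with `args.collect { |arg| arg.to_s }` in `log_params_filtered` such a hash argument would be stringified into an entry that can never match a key, silently filtering nothing. I would recurse into hash values as below (assuming nested params reach this method as Hash-like objects — worth confirming against the request's params type) and say so in the `log_params_filtered` doc, e.g. `# Only key names are accepted; nested hashes are not supported`.
```ruby
def self._filter_params(params)
  return params if self.log_params_args.nil?
  result = { }
  params.each do |k,v|
    # Mask the key wherever it appears, so user[password] is hidden like password
    result[k] = if self.log_params_args.include?(k.to_s)
      '[FILTERED]'
    elsif v.is_a?(Hash)
      _filter_params(v)
    else
      v
    end
  end
  result
end
```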
@@ -1,5 +1,5 @@
1
1
  module Merb
2
2
  module ParamProtection
3
- VERSION = '1.1.0'.freeze
3
+ VERSION = '1.1.1'.freeze
4
4
  end
5
5
  end
@@ -0,0 +1,20 @@
1
+ class LogParamsFiltered < Merb::Controller
2
+ log_params_filtered :password, :password_confirmation
3
+ log_params_filtered :card_number
4
+ # log_params_filtered :user => [:age]
5
+
6
+ def index
7
+ params
8
+ end
9
+ end
10
+
11
+ class ParamsAccessibleController < Merb::Controller
12
+ params_accessible :customer => [:name, :phone, :email], :address => [:street, :zip]
13
+ params_accessible :post => [:title, :body]
14
+ def create; end
15
+ end
16
+
17
+ class ParamsProtectedController < Merb::Controller
18
+ params_protected :customer => [:activated?, :password], :address => [:long, :lat]
19
+ def create; end
20
+ end
@@ -1,88 +1,83 @@
1
1
  require 'spec_helper'
2
2
 
3
3
  describe "merb-param-protection" do
4
- describe "Controller", "parameter filtering" do
5
- describe "accessible parameters" do
6
- class ParamsAccessibleController < Merb::Controller
7
- params_accessible :customer => [:name, :phone, :email], :address => [:street, :zip]
8
- params_accessible :post => [:title, :body]
9
- def create; end
10
- end
11
-
12
- class ParamsProtectedController < Merb::Controller
13
- params_protected :customer => [:activated?, :password], :address => [:long, :lat]
14
- def update; end
15
- end
16
-
17
-
18
- it "should store the accessible parameters for that controller" do
19
- pending
20
- @params_accessible_controller = ParamsAccessibleController.new( fake_request )
21
- @params_accessible_controller.stub!(:initialize_params_filter)
22
-
23
- # FIXME : this call to dispatch is where I break
24
- @params_accessible_controller.dispatch('create')
25
- @params_accessible_controller.accessible_params_args.should == {
26
- :address=> [:street, :zip], :post=> [:title, :body], :customer=> [:name, :phone, :email]
27
- }
28
- end
29
-
30
- it "should remove the parameters from the request that are not accessible" do
31
- pending
32
- @params_accessible_controller = ParamsAccessibleController.new( fake_request )
33
- # FIXME : this call to dispatch is where I break
34
- @params_accessible_controller.dispatch('create')
35
- end
4
+ describe "Controller" do
5
+ it "should store the accessible parameters for that controller" do
6
+ dispatch_to(ParamsAccessibleController, :create).send(:accessible_params_args).should == {
7
+ :address=> [:street, :zip], :post=> [:title, :body], :customer=> [:name, :phone, :email]
8
+ }
36
9
  end
37
-
38
- describe "protected parameters" do
39
- before(:each) do
40
- pending
41
- @params_protected_controller = ParamsProtectedController.new( fake_request )
42
- # FIXME : this call to dispatch is where I break
43
- #@params_protected_controller.dispatch('update')
44
- end
45
-
46
- it "should store the protected parameters for that controller" do
47
- @params_protected_controller.protected_params_args.should == {
48
- :address=> [:long, :lat], :customer=> [:activated?, :password]
49
- }
50
- end
10
+
11
+ it "should store the protected parameters for that controller" do
12
+ dispatch_to(ParamsProtectedController, :create).send(:protected_params_args).should == {
13
+ :address=> [:long, :lat], :customer=> [:activated?, :password]
14
+ }
51
15
  end
52
16
 
53
- describe "param clash prevention" do
54
- it "should raise an error 'cannot make accessible'" do
55
- lambda {
56
- class TestAccessibleController < Merb::Controller
57
- params_protected :customer => [:password]
58
- params_accessible :customer => [:name, :phone, :email]
59
- def index; end
60
- end
61
- }.should raise_error(/Cannot make accessible a controller \(.*?TestAccessibleController\) that is already protected/)
62
- # TODO "#<Class:0xa9c598c>::TestProtectedController" is generated in ruby 1.9
63
- end
64
-
65
- it "should raise an error 'cannot protect'" do
66
- lambda {
67
- class TestProtectedController < Merb::Controller
68
- params_accessible :customer => [:name, :phone, :email]
69
- params_protected :customer => [:password]
70
- def index; end
71
- end
72
- }.should raise_error(/Cannot protect controller \(.*?TestProtectedController\) that is already accessible/)
73
- # TODO "#<Class:0x92bfbd4>::TestProtectedController" is generated in ruby 1.9
74
- end
17
+ it "should remove the parameters from the request that are not accessible" do
18
+ c = dispatch_to(ParamsAccessibleController, :create,
19
+ :customer => {:name => "teamon", :phone => "123456789", :email => "my@mail", :activated? => "yes", :password => "secret"},
20
+ :address => {:street => "Merb Street 4", :zip => "98765", :long => "Meeeeerrrrrrbbbb sooo looong", :lat => "123"},
21
+ :post => {:title => "First port", :body => "Some long lorem ipsum stuff", :date => "today"}
22
+ )
23
+ c.params[:customer][:name].should == "teamon"
24
+ c.params[:customer][:phone].should == "123456789"
25
+ c.params[:customer][:email].should == "my@mail"
26
+ c.params[:customer].should_not have_key(:activated?)
27
+ c.params[:customer].should_not have_key(:password)
28
+ c.params[:address][:street].should == "Merb Street 4"
29
+ c.params[:address][:zip].should == "98765"
30
+ c.params[:address].should_not have_key(:long)
31
+ c.params[:address].should_not have_key(:lat)
32
+ c.params[:post][:title].should == "First port"
33
+ c.params[:post][:body].should == "Some long lorem ipsum stuff"
34
+ c.params[:post].should_not have_key(:date)
35
+ end
36
+
37
+ it "should remove the parameters from the request that are protected" do
38
+ c = dispatch_to(ParamsProtectedController, :create,
39
+ :customer => {:name => "teamon", :phone => "123456789", :email => "my@mail", :activated? => "yes", :password => "secret"},
40
+ :address => {:street => "Merb Street 4", :zip => "98765", :long => "Meeeeerrrrrrbbbb sooo looong", :lat => "123"},
41
+ :post => {:title => "First port", :body => "Some long lorem ipsum stuff", :date => "today"}
42
+ )
43
+ c.params[:customer][:name].should == "teamon"
44
+ c.params[:customer][:phone].should == "123456789"
45
+ c.params[:customer][:email].should == "my@mail"
46
+ c.params[:customer].should_not have_key(:activated?)
47
+ c.params[:customer].should_not have_key(:password)
48
+ c.params[:address][:street].should == "Merb Street 4"
49
+ c.params[:address][:zip].should == "98765"
50
+ c.params[:address].should_not have_key(:long)
51
+ c.params[:address].should_not have_key(:lat)
52
+ c.params[:post][:title].should == "First port"
53
+ c.params[:post][:body].should == "Some long lorem ipsum stuff"
54
+ c.params[:post][:date].should == "today"
75
55
  end
76
56
  end
77
57
 
78
- describe "param filtering" do
79
- before(:each) do
80
- Merb::Router.prepare do
81
- @test_route = match("/the/:place/:goes/here").to(:controller => "Test", :action => "show").name(:test)
82
- @default_route = default_routes
83
- end
58
+ describe "param clash prevention" do
59
+ it "should raise an error 'cannot make accessible'" do
60
+ lambda {
61
+ class TestAccessibleController < Merb::Controller
62
+ params_protected :customer => [:password]
63
+ params_accessible :customer => [:name, :phone, :email]
64
+ def index; end
65
+ end
66
+ }.should raise_error(/Cannot make accessible a controller \(.*?TestAccessibleController\) that is already protected/)
84
67
  end
85
68
 
69
+ it "should raise an error 'cannot protect'" do
70
+ lambda {
71
+ class TestProtectedController < Merb::Controller
72
+ params_accessible :customer => [:name, :phone, :email]
73
+ params_protected :customer => [:password]
74
+ def index; end
75
+ end
76
+ }.should raise_error(/Cannot protect controller \(.*?TestProtectedController\) that is already accessible/)
77
+ end
78
+ end
79
+
80
+ describe "param filtering" do
86
81
  it "should remove specified params" do
87
82
  post_body = "post[title]=hello%20there&post[body]=some%20text&post[status]=published&post[author_id]=1&commit=Submit"
88
83
  request = fake_request( {:request_method => 'POST'}, {:post_body => post_body})
@@ -111,4 +106,25 @@ describe "merb-param-protection" do
111
106
  Merb::Controller.callable_actions.should be_empty
112
107
  end
113
108
 
109
+ describe "log params filtering" do
110
+ it "should filter params" do
111
+ c = dispatch_to(LogParamsFiltered, :index, :password => "topsecret", :password_confirmation => "topsecret",
112
+ :card_number => "1234567890", :other => "not so secret")
113
+ c.params[:password].should == "topsecret"
114
+ c.params[:password_confirmation].should == "topsecret"
115
+ c.params[:card_number].should == "1234567890"
116
+ c.params[:other].should == "not so secret"
117
+
118
+ filtered = c.class._filter_params(c.params)
119
+ filtered["password"].should == "[FILTERED]"
120
+ filtered["password_confirmation"].should == "[FILTERED]"
121
+ filtered["card_number"].should == "[FILTERED]"
122
+ filtered["other"].should == "not so secret"
123
+ end
124
+ end
125
+
114
126
  end
127
+
128
+
129
+
130
+
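Review bot: The new "log params filtering" example only checks `_filter_params` with flat keys, so a nested secret passing through unmasked would go unnoticed; a second call such as `c = dispatch_to(LogParamsFiltered, :index, :user => {:password => "topsecret"})` followed by `filtered[:user][:password].should == "[FILTERED]"` (or an explicit assertion of the opposite, if nesting is out of scope) would pin the intended behaviour. The example also calls the class method directly rather than checking what reaches the log, so a regression where the logging path stops using `_filter_params` would not be caught; that is a follow-up rather than a blocker. The four blank lines appended at the end of the file are trailing whitespace and should be dropped.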
data/spec/spec_helper.rb CHANGED
@@ -11,23 +11,12 @@ require "merb-param-protection"
11
11
  # Satisfies Autotest and anyone else not using the Rake tasks
12
12
  require 'spec'
13
13
 
14
+ # Additional files required for specs
15
+ require "controllers/param_protection"
14
16
 
15
- Spec::Runner.configure do |config|
16
- config.include(Merb::Test::ViewHelper)
17
- config.include(Merb::Test::RouteHelper)
18
- config.include(Merb::Test::ControllerHelper)
19
- end
17
+ Merb.start :environment => 'test'
20
18
 
21
- def new_controller(action = 'index', controller = nil, additional_params = {})
22
- request = OpenStruct.new
23
- request.params = {:action => action, :controller => (controller.to_s || "Test")}
24
- request.params.update(additional_params)
25
- request.cookies = {}
26
- request.accept ||= '*/*'
27
-
28
- yield request if block_given?
29
-
30
- response = OpenStruct.new
31
- response.read = ""
32
- (controller || Merb::Controller).build(request, response)
19
+ Spec::Runner.configure do |config|
20
+ config.include Merb::Test::ControllerHelper
21
+ config.include Merb::Test::RequestHelper
33
22
  end
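Review bot: `require "controllers/param_protection"` resolves against `$LOAD_PATH`, so it only works if the spec directory was added to the load path in the first ten lines of this file (outside the hunk) or by the rake task; loading the helper directly from Autotest, which the comment above says is supported, would raise LoadError in that case. A path anchored to the helper itself is independent of the runner: `require File.expand_path('../controllers/param_protection', __FILE__)`.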
metadata CHANGED
@@ -1,12 +1,13 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: merb-param-protection
3
3
  version: !ruby/object:Gem::Version
4
+ hash: 17
4
5
  prerelease: false
5
6
  segments:
6
7
  - 1
7
8
  - 1
8
- - 0
9
- version: 1.1.0
9
+ - 1
10
+ version: 1.1.1
10
11
  platform: ruby
11
12
  authors:
12
13
  - Lance Carlson
@@ -14,30 +15,34 @@ autorequire:
14
15
  bindir: bin
15
16
  cert_chain: []
16
17
 
17
- date: 2010-03-22 00:00:00 +00:00
18
+ date: 2010-06-15 00:00:00 +01:00
18
19
  default_executable:
19
20
  dependencies:
20
21
  - !ruby/object:Gem::Dependency
21
22
  name: merb-core
22
23
  prerelease: false
23
24
  requirement: &id001 !ruby/object:Gem::Requirement
25
+ none: false
24
26
  requirements:
25
27
  - - ~>
26
28
  - !ruby/object:Gem::Version
29
+ hash: 17
27
30
  segments:
28
31
  - 1
29
32
  - 1
30
- - 0
31
- version: 1.1.0
33
+ - 1
34
+ version: 1.1.1
32
35
  type: :runtime
33
36
  version_requirements: *id001
34
37
  - !ruby/object:Gem::Dependency
35
38
  name: rspec
36
39
  prerelease: false
37
40
  requirement: &id002 !ruby/object:Gem::Requirement
41
+ none: false
38
42
  requirements:
39
43
  - - ">="
40
44
  - !ruby/object:Gem::Version
45
+ hash: 13
41
46
  segments:
42
47
  - 1
43
48
  - 2
@@ -52,46 +57,51 @@ executables: []
52
57
  extensions: []
53
58
 
54
59
  extra_rdoc_files:
55
- - LICENSE
56
60
  - README
61
+ - LICENSE
57
62
  - TODO
58
63
  files:
59
- - LICENSE
60
- - README
61
64
  - Rakefile
62
- - TODO
63
- - lib/merb-param-protection.rb
64
65
  - lib/merb-param-protection/version.rb
66
+ - lib/merb-param-protection.rb
67
+ - spec/controllers/param_protection.rb
65
68
  - spec/merb_param_protection_spec.rb
66
69
  - spec/spec.opts
67
70
  - spec/spec_helper.rb
71
+ - README
72
+ - LICENSE
73
+ - TODO
68
74
  has_rdoc: true
69
75
  homepage: http://merbivore.com/
70
76
  licenses: []
71
77
 
72
78
  post_install_message:
73
- rdoc_options:
74
- - --charset=UTF-8
79
+ rdoc_options: []
80
+
75
81
  require_paths:
76
82
  - lib
77
83
  required_ruby_version: !ruby/object:Gem::Requirement
84
+ none: false
78
85
  requirements:
79
86
  - - ">="
80
87
  - !ruby/object:Gem::Version
88
+ hash: 3
81
89
  segments:
82
90
  - 0
83
91
  version: "0"
84
92
  required_rubygems_version: !ruby/object:Gem::Requirement
93
+ none: false
85
94
  requirements:
86
95
  - - ">="
87
96
  - !ruby/object:Gem::Version
97
+ hash: 3
88
98
  segments:
89
99
  - 0
90
100
  version: "0"
91
101
  requirements: []
92
102
 
93
103
  rubyforge_project:
94
- rubygems_version: 1.3.6
104
+ rubygems_version: 1.3.7
95
105
  signing_key:
96
106
  specification_version: 3
97
107
  summary: Merb plugin that provides params_accessible and params_protected class methods