merb_param_protection 0.9.2 → 0.9.3
Sign up to get free protection for your applications and to get access to all the features.
- data/README +11 -1
- data/Rakefile +2 -2
- data/lib/merb_param_protection.rb +25 -2
- metadata +4 -4
data/README
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
merb_param_protection
|
|
2
2
|
=================
|
|
3
3
|
|
|
4
|
-
This plugin exposes
|
|
4
|
+
This plugin exposes three new controller methods which allow us to simply and flexibly filter the parameters available within the controller.
|
|
5
5
|
|
|
6
6
|
Setup:
|
|
7
7
|
The request sets:
|
|
@@ -25,3 +25,13 @@ So we see that params_accessible removes everything except what is explictly spe
|
|
|
25
25
|
params.inspect # => { :post => { :title => "ello", :body => "Want it", :rank => 4 } }
|
|
26
26
|
|
|
27
27
|
We also see that params_protected removes ONLY those parameters explicitly specified.
|
|
28
|
+
|
|
29
|
+
Sometimes you have certain post parameters that are best left unlogged, we support that too. Your
|
|
30
|
+
actions continue to receive the variable correctly, but the requested parameters are scrubbed
|
|
31
|
+
at log time.
|
|
32
|
+
|
|
33
|
+
MySuperDuperController < Application
|
|
34
|
+
log_params_filtered :password
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
params.inspect # => { :username => 'atmos', :password => '[FILTERED]' }
|
data/Rakefile
CHANGED
|
@@ -4,7 +4,7 @@ require 'spec/rake/spectask'
|
|
|
4
4
|
|
|
5
5
|
PLUGIN = "merb_param_protection"
|
|
6
6
|
NAME = "merb_param_protection"
|
|
7
|
-
VERSION = "0.9.
|
|
7
|
+
VERSION = "0.9.3"
|
|
8
8
|
AUTHOR = "Lance Carlson"
|
|
9
9
|
EMAIL = "lancecarlson@gmail.com"
|
|
10
10
|
HOMEPAGE = "http://merb.devjavu.com"
|
|
@@ -21,7 +21,7 @@ spec = Gem::Specification.new do |s|
|
|
|
21
21
|
s.author = AUTHOR
|
|
22
22
|
s.email = EMAIL
|
|
23
23
|
#s.homepage = HOMEPAGE
|
|
24
|
-
s.add_dependency('merb', '>= 0.9.
|
|
24
|
+
s.add_dependency('merb-core', '>= 0.9.3')
|
|
25
25
|
s.require_path = 'lib'
|
|
26
26
|
s.autorequire = PLUGIN
|
|
27
27
|
s.files = %w(LICENSE README Rakefile TODO) + Dir.glob("{lib,specs}/**/*")
|
|
@@ -39,10 +39,12 @@ if defined?(Merb::Plugins)
|
|
|
39
39
|
base.send(:include, InstanceMethods)
|
|
40
40
|
base.send(:class_inheritable_accessor, :accessible_params_args)
|
|
41
41
|
base.send(:class_inheritable_accessor, :protected_params_args)
|
|
42
|
+
base.send(:class_inheritable_accessor, :log_params_args)
|
|
43
|
+
|
|
42
44
|
base.send(:before, :initialize_params_filter)
|
|
43
45
|
end
|
|
44
46
|
|
|
45
|
-
module ClassMethods
|
|
47
|
+
module ClassMethods
|
|
46
48
|
# Ensures these parameters are sent for the object
|
|
47
49
|
#
|
|
48
50
|
# params_accessible :post => [:title, :body]
|
|
@@ -58,6 +60,16 @@ if defined?(Merb::Plugins)
|
|
|
58
60
|
def params_protected(args = {})
|
|
59
61
|
assign_filtered_params(:protected_params_args, args)
|
|
60
62
|
end
|
|
63
|
+
|
|
64
|
+
# Filters parameters out from the default log string
|
|
65
|
+
# Params will still be passed to the controller properly, they will
|
|
66
|
+
# show up as [FILTERED] in the merb logs.
|
|
67
|
+
#
|
|
68
|
+
# log_params_filtered :password, 'token'
|
|
69
|
+
#
|
|
70
|
+
def log_params_filtered(*args)
|
|
71
|
+
self.log_params_args = args.collect { |arg| arg.to_sym }
|
|
72
|
+
end
|
|
61
73
|
|
|
62
74
|
private
|
|
63
75
|
|
|
@@ -113,7 +125,7 @@ if defined?(Merb::Plugins)
|
|
|
113
125
|
|
|
114
126
|
# Removes specified parameters of an object
|
|
115
127
|
#
|
|
116
|
-
#
|
|
128
|
+
# remove_params_from_object(:post, [:status, :author_id])
|
|
117
129
|
#
|
|
118
130
|
def remove_params_from_object(obj, attrs = [])
|
|
119
131
|
unless params[obj].nil?
|
|
@@ -141,4 +153,15 @@ if defined?(Merb::Plugins)
|
|
|
141
153
|
|
|
142
154
|
Merb::Controller.send(:include, Merb::ParamsFilter::ControllerMixin)
|
|
143
155
|
Merb::Request.send(:include, Merb::ParamsFilter::RequestMixin)
|
|
156
|
+
|
|
157
|
+
class Merb::Controller
|
|
158
|
+
def self._filter_params(params)
|
|
159
|
+
return params if self.log_params_args.nil?
|
|
160
|
+
result = { }
|
|
161
|
+
params.each do |k,v|
|
|
162
|
+
result[k] = (self.log_params_args.include?(k.to_sym) ? '[FILTERED]' : v)
|
|
163
|
+
end
|
|
164
|
+
result
|
|
165
|
+
end
|
|
166
|
+
end
|
|
144
167
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: merb_param_protection
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.9.
|
|
4
|
+
version: 0.9.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Lance Carlson
|
|
@@ -9,17 +9,17 @@ autorequire: merb_param_protection
|
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
11
|
|
|
12
|
-
date: 2008-
|
|
12
|
+
date: 2008-05-04 00:00:00 -05:00
|
|
13
13
|
default_executable:
|
|
14
14
|
dependencies:
|
|
15
15
|
- !ruby/object:Gem::Dependency
|
|
16
|
-
name: merb
|
|
16
|
+
name: merb-core
|
|
17
17
|
version_requirement:
|
|
18
18
|
version_requirements: !ruby/object:Gem::Requirement
|
|
19
19
|
requirements:
|
|
20
20
|
- - ">="
|
|
21
21
|
- !ruby/object:Gem::Version
|
|
22
|
-
version: 0.9.
|
|
22
|
+
version: 0.9.3
|
|
23
23
|
version:
|
|
24
24
|
description: Merb plugin that provides params_accessible and params_protected class methods
|
|
25
25
|
email: lancecarlson@gmail.com
|