merb_param_protection 0.5.0

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2008 Lance Carlson
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README

@@ -0,0 +1,27 @@
+merb_param_protection
+=================
+
+This plugin exposes two new controller methods which allow us to simply and flexibly filter the parameters available within the controller.
+
+Setup:
+The request sets: 
+
+  params => { :post => { :title => "ello", :body => "Want it", :status => "green", :author_id => 3, :rank => 4 } }
+
+  Example 1: params_accessable
+  MyController < Application
+    params_accessible :post => [:title, :body]
+  end
+
+  params.inspect # => { :post => { :title => "ello", :body => "Want it" } }
+
+So we see that params_accessible removes everything except what is explictly specified.
+
+  Example 2: params_protected
+  MyOtherController < Application
+    params_protected :post => [:status, :author_id]
+  end
+
+  params.inspect # => { :post => { :title => "ello", :body => "Want it", :rank => 4 } }
+
+We also see that params_protected removes ONLY those parameters explicitly specified.

data/Rakefile

@@ -0,0 +1,56 @@
+require 'rubygems'
+require 'rake/gempackagetask'
+require 'spec/rake/spectask'
+
+PLUGIN = "merb_param_protection"
+NAME = "merb_param_protection"
+VERSION = "0.5.0"
+AUTHOR = "Lance Carlson"
+EMAIL = "lancecarlson@gmail.com"
+HOMEPAGE = "http://merb.devjavu.com"
+SUMMARY = "Merb plugin that provides params_accessible and params_protected class methods"
+
+spec = Gem::Specification.new do |s|
+  s.name = NAME
+  s.version = VERSION
+  s.platform = Gem::Platform::RUBY
+  s.has_rdoc = true
+  s.extra_rdoc_files = ["README", "LICENSE", 'TODO']
+  s.summary = SUMMARY
+  s.description = s.summary
+  s.author = AUTHOR
+  s.email = EMAIL
+  #s.homepage = HOMEPAGE
+  s.add_dependency('merb', '>= 0.4.0')
+  s.require_path = 'lib'
+  s.autorequire = PLUGIN
+  s.files = %w(LICENSE README Rakefile TODO) + Dir.glob("{lib,specs}/**/*")
+end
+
+Rake::GemPackageTask.new(spec) do |pkg|
+  pkg.gem_spec = spec
+end
+
+task :install => [:package] do
+  sh %{sudo gem install pkg/#{NAME}-#{VERSION}}
+end
+
+task :release => :package do
+  sh %{rubyforge add_release merb #{PLUGIN} #{VERSION} pkg/#{NAME}-#{VERSION}.gem}
+end
+
+desc "Run all specs"
+Spec::Rake::SpecTask.new('specs') do |t|
+  t.spec_opts = ["--format", "specdoc", "--colour"]
+  t.spec_files = Dir['spec/**/*_spec.rb'].sort
+end
+
+desc "RCov"
+Spec::Rake::SpecTask.new("rcov") do |t|
+  t.rcov_opts = ["--exclude", "gems", "--exclude", "spec"]
+  t.spec_opts = ["--format", "specdoc", "--colour"]
+  t.rcov_opts = ["--exclude","gems", "--exclude", "spec"]
+  t.spec_files = Dir["spec/**/*_spec.rb"].sort
+  t.libs = ["lib", "server/lib" ]
+  t.rcov = true
+end

data/TODO

@@ -0,0 +1,4 @@
+TODO:
+DRY up the code
+Finish spec'ing
+Allow specification of any parameter?

data/lib/merb_param_protection/merbtasks.rb

@@ -0,0 +1,6 @@
+namespace :merb_param_protection do
+  desc "Do something for merb_param_protection"
+  task :default do
+    puts "merb_param_protection doesn't do anything"
+  end
+end

data/lib/merb_param_protection.rb

@@ -0,0 +1,144 @@
+# This plugin exposes two new controller methods which allow us to simply and flexibly filter the parameters available within the controller.
+
+# Setup:
+# The request sets: 
+# params => { :post => { :title => "ello", :body => "Want it", :status => "green", :author_id => 3, :rank => 4 } }
+#
+# Example 1: params_accessable
+# MyController < Application
+#   params_accessible :post => [:title, :body]
+# end
+
+# params.inspect # => { :post => { :title => "ello", :body => "Want it" } }
+
+# So we see that params_accessible removes everything except what is explictly specified.
+
+# Example 2: params_protected
+# MyOtherController < Application
+#   params_protected :post => [:status, :author_id]
+# end
+
+# params.inspect # => { :post => { :title => "ello", :body => "Want it", :rank => 4 } }
+
+# We also see that params_protected removes ONLY those parameters explicitly specified.
+
+if defined?(Merb::Plugins)
+
+  # Merb gives you a Merb::Plugins.config hash...feel free to put your stuff in your piece of it
+  #Merb::Plugins.config[:merb_param_protection] = {
+    #:chickens => false
+  #}
+  
+  #Merb::Plugins.add_rakefiles "merb_param_protection/merbtasks"
+  
+  module Merb
+    module ParamsFilter
+      module ControllerMixin
+        def self.included(base)
+          base.send(:extend, ClassMethods)
+          base.send(:include, InstanceMethods)
+          base.send(:class_inheritable_accessor, :accessible_params_args)
+          base.send(:class_inheritable_accessor, :protected_params_args)
+          base.send(:before, :initialize_params_filter)
+        end
+
+        module ClassMethods          
+          # Ensures these parameters are sent for the object
+          # 
+          #   params_accessible :post => [:title, :body]
+          # 
+          def params_accessible(args = {})
+            assign_filtered_params(:accessible_params_args, args)
+          end
+
+          # Protects parameters of an object
+          # 
+          #   params_protected :post => [:status, :author_id]
+          # 
+          def params_protected(args = {})
+            assign_filtered_params(:protected_params_args, args)
+          end
+          
+          private
+          
+          def assign_filtered_params(method, args)
+            validate_filtered_params(method, args)
+            
+            # If the method is nil, set to initial hash, otherwise merge
+            self.send(method).nil? ? self.send(method.to_s + '=', args) : self.send(method).merge!(args)
+          end
+          
+          def validate_filtered_params(method, args)
+            # Reversing methods
+            params_methods = [:accessible_params_args, :protected_params_args]
+            params_methods.delete(method)
+            params_method = params_methods.first
+            
+            # Make sure the opposite method is not nil
+            unless self.send(params_method).nil?
+              # Loop through arg's keys
+              args.keys.each do |key|
+                # If the key exists on the opposite method, raise exception
+                if self.send(params_method).include?(key)
+                  case method
+                  when :accessible_params_args : raise "Cannot make accessible a controller (#{self}) that is already protected"
+                  when :protected_params_args : raise "Cannot protect controller (#{self}) that is already accessible"
+                  end
+                end
+              end
+            end
+          end
+        end
+        
+        module InstanceMethods
+          def initialize_params_filter
+            if accessible_params_args.is_a?(Hash)
+              accessible_params_args.keys.each do |obj|
+                self.request.restrict_params(obj, accessible_params_args[obj])
+              end
+            end
+            
+            if protected_params_args.is_a?(Hash)
+              protected_params_args.keys.each do |obj|
+                self.request.remove_params_from_object(obj, protected_params_args[obj])
+              end
+            end
+          end
+        end
+        
+      end
+
+      module RequestMixin
+        attr_accessor :trashed_params
+
+        # Removes specified parameters of an object
+        # 
+        #   params_filter_from_object(:post, [:status, :author_id])
+        # 
+        def remove_params_from_object(obj, attrs = [])
+          unless params[obj].nil?
+            filtered = params
+            attrs.each {|a| filtered[obj].delete(a)}
+            @params = filtered
+          end
+        end
+
+        # Restricts parameters of an object
+        #
+        #   restrict_params(:post, [:title, :body])
+        # 
+        def restrict_params(obj, attrs = [])
+          # Make sure the params for the object exists
+          unless params[obj].nil?
+            attrs = attrs.collect {|a| a.to_s}
+            @trashed_params = params[obj].keys - attrs
+            remove_params_from_object(obj, trashed_params)
+          end
+        end
+      end
+    end
+  end
+  
+  Merb::Controller.send(:include, Merb::ParamsFilter::ControllerMixin)
+  Merb::Request.send(:include, Merb::ParamsFilter::RequestMixin)
+end

metadata

@@ -0,0 +1,69 @@
+--- !ruby/object:Gem::Specification 
+name: merb_param_protection
+version: !ruby/object:Gem::Version 
+  version: 0.5.0
+platform: ruby
+authors: 
+- Lance Carlson
+autorequire: merb_param_protection
+bindir: bin
+cert_chain: []
+
+date: 2008-01-11 00:00:00 -06:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: merb
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: 0.4.0
+    version: 
+description: Merb plugin that provides params_accessible and params_protected class methods
+email: lancecarlson@gmail.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- README
+- LICENSE
+- TODO
+files: 
+- LICENSE
+- README
+- Rakefile
+- TODO
+- lib/merb_param_protection
+- lib/merb_param_protection/merbtasks.rb
+- lib/merb_param_protection.rb
+has_rdoc: true
+homepage: 
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 0.9.5
+signing_key: 
+specification_version: 2
+summary: Merb plugin that provides params_accessible and params_protected class methods
+test_files: []
+