merb_param_protection 0.9.2 → 0.9.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/README +11 -1
- data/Rakefile +2 -2
- data/lib/merb_param_protection.rb +25 -2
- metadata +4 -4
data/README
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
merb_param_protection
|
|
2
2
|
=================
|
|
3
3
|
|
|
4
|
-
This plugin exposes
|
|
4
|
+
This plugin exposes three new controller methods which allow us to simply and flexibly filter the parameters available within the controller.
|
|
5
5
|
|
|
6
6
|
Setup:
|
|
7
7
|
The request sets:
|
|
@@ -25,3 +25,13 @@ So we see that params_accessible removes everything except what is explictly spe
|
|
|
25
25
|
params.inspect # => { :post => { :title => "ello", :body => "Want it", :rank => 4 } }
|
|
26
26
|
|
|
27
27
|
We also see that params_protected removes ONLY those parameters explicitly specified.
|
|
28
|
+
|
|
29
|
+
Sometimes you have certain post parameters that are best left unlogged, we support that too. Your
|
|
30
|
+
actions continue to receive the variable correctly, but the requested parameters are scrubbed
|
|
31
|
+
at log time.
|
|
32
|
+
|
|
33
|
+
MySuperDuperController < Application
|
|
34
|
+
log_params_filtered :password
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
params.inspect # => { :username => 'atmos', :password => '[FILTERED]' }
|
data/Rakefile
CHANGED
|
@@ -4,7 +4,7 @@ require 'spec/rake/spectask'
|
|
|
4
4
|
|
|
5
5
|
PLUGIN = "merb_param_protection"
|
|
6
6
|
NAME = "merb_param_protection"
|
|
7
|
-
VERSION = "0.9.
|
|
7
|
+
VERSION = "0.9.3"
|
|
8
8
|
AUTHOR = "Lance Carlson"
|
|
9
9
|
EMAIL = "lancecarlson@gmail.com"
|
|
10
10
|
HOMEPAGE = "http://merb.devjavu.com"
|
|
@@ -21,7 +21,7 @@ spec = Gem::Specification.new do |s|
|
|
|
21
21
|
s.author = AUTHOR
|
|
22
22
|
s.email = EMAIL
|
|
23
23
|
#s.homepage = HOMEPAGE
|
|
24
|
-
s.add_dependency('merb', '>= 0.9.
|
|
24
|
+
s.add_dependency('merb-core', '>= 0.9.3')
|
|
25
25
|
s.require_path = 'lib'
|
|
26
26
|
s.autorequire = PLUGIN
|
|
27
27
|
s.files = %w(LICENSE README Rakefile TODO) + Dir.glob("{lib,specs}/**/*")
|
|
@@ -39,10 +39,12 @@ if defined?(Merb::Plugins)
|
|
|
39
39
|
base.send(:include, InstanceMethods)
|
|
40
40
|
base.send(:class_inheritable_accessor, :accessible_params_args)
|
|
41
41
|
base.send(:class_inheritable_accessor, :protected_params_args)
|
|
42
|
+
base.send(:class_inheritable_accessor, :log_params_args)
|
|
43
|
+
|
|
42
44
|
base.send(:before, :initialize_params_filter)
|
|
43
45
|
end
|
|
44
46
|
|
|
45
|
-
module ClassMethods
|
|
47
|
+
module ClassMethods
|
|
46
48
|
# Ensures these parameters are sent for the object
|
|
47
49
|
#
|
|
48
50
|
# params_accessible :post => [:title, :body]
|
|
@@ -58,6 +60,16 @@ if defined?(Merb::Plugins)
|
|
|
58
60
|
def params_protected(args = {})
|
|
59
61
|
assign_filtered_params(:protected_params_args, args)
|
|
60
62
|
end
|
|
63
|
+
|
|
64
|
+
# Filters parameters out from the default log string
|
|
65
|
+
# Params will still be passed to the controller properly, they will
|
|
66
|
+
# show up as [FILTERED] in the merb logs.
|
|
67
|
+
#
|
|
68
|
+
# log_params_filtered :password, 'token'
|
|
69
|
+
#
|
|
70
|
+
def log_params_filtered(*args)
|
|
71
|
+
self.log_params_args = args.collect { |arg| arg.to_sym }
|
|
72
|
+
end
|
|
61
73
|
|
|
62
74
|
private
|
|
63
75
|
|
|
@@ -113,7 +125,7 @@ if defined?(Merb::Plugins)
|
|
|
113
125
|
|
|
114
126
|
# Removes specified parameters of an object
|
|
115
127
|
#
|
|
116
|
-
#
|
|
128
|
+
# remove_params_from_object(:post, [:status, :author_id])
|
|
117
129
|
#
|
|
118
130
|
def remove_params_from_object(obj, attrs = [])
|
|
119
131
|
unless params[obj].nil?
|
|
@@ -141,4 +153,15 @@ if defined?(Merb::Plugins)
|
|
|
141
153
|
|
|
142
154
|
Merb::Controller.send(:include, Merb::ParamsFilter::ControllerMixin)
|
|
143
155
|
Merb::Request.send(:include, Merb::ParamsFilter::RequestMixin)
|
|
156
|
+
|
|
157
|
+
class Merb::Controller
|
|
158
|
+
def self._filter_params(params)
|
|
159
|
+
return params if self.log_params_args.nil?
|
|
160
|
+
result = { }
|
|
161
|
+
params.each do |k,v|
|
|
162
|
+
result[k] = (self.log_params_args.include?(k.to_sym) ? '[FILTERED]' : v)
|
|
163
|
+
end
|
|
164
|
+
result
|
|
165
|
+
end
|
|
166
|
+
end
|
|
144
167
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: merb_param_protection
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.9.
|
|
4
|
+
version: 0.9.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Lance Carlson
|
|
@@ -9,17 +9,17 @@ autorequire: merb_param_protection
|
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
11
|
|
|
12
|
-
date: 2008-
|
|
12
|
+
date: 2008-05-04 00:00:00 -05:00
|
|
13
13
|
default_executable:
|
|
14
14
|
dependencies:
|
|
15
15
|
- !ruby/object:Gem::Dependency
|
|
16
|
-
name: merb
|
|
16
|
+
name: merb-core
|
|
17
17
|
version_requirement:
|
|
18
18
|
version_requirements: !ruby/object:Gem::Requirement
|
|
19
19
|
requirements:
|
|
20
20
|
- - ">="
|
|
21
21
|
- !ruby/object:Gem::Version
|
|
22
|
-
version: 0.9.
|
|
22
|
+
version: 0.9.3
|
|
23
23
|
version:
|
|
24
24
|
description: Merb plugin that provides params_accessible and params_protected class methods
|
|
25
25
|
email: lancecarlson@gmail.com
|