mongomodel 0.5.1 → 0.5.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d20a72c67b166e32f7b15d679f2be9da9e4aeb9a
-  data.tar.gz: 579a68306b9f69d20e6b18fd1c39dde098a66d50
+  metadata.gz: b6303f96496ed1cb9c8c52316e02c07a7354f06e
+  data.tar.gz: 5ef0ee286e9a51dd9bb42390da710688eadde951
 SHA512:
-  metadata.gz: 4d9493996ffb93bbb4fdb1c26ab3e4ac7311f10b97f10b7873fb443c4624c0972fc536bafae0a3e31e2049a573e612167cbc8c9fdea27f6f05c0808137624523
-  data.tar.gz: b4560d5934a94b17c14505838d2cfded8cdd5bdeb9d54ec000b7f360760b108e043d3d259c1e56133b9b94bf5809e2ceaf2f5bfc104f58349005215cd68b4fc0
+  metadata.gz: d11971bf1bdef7946e7e54ba0c9912566e30008d64df721d1aff9aed17dc833d436a3156d337553d33e78711da0b8048bd3004c337bc0317efb05fdf5ba64326
+  data.tar.gz: a158854ae696e4a0bf4102835e6a6def055bce660f1141716f190e5ab576a79c2ca4793c42dc21d046d9b4d21df0c1e1d4dbc743dc47f4173692dd79ec00ff49

data/.travis.yml

@@ -15,7 +15,6 @@ gemfile:
   - gemfiles/rails-4.0.gemfile
   - gemfiles/rails-4.1.gemfile
   - gemfiles/rails-4-observers.gemfile
-  - gemfiles/rails-4-protected-attributes.gemfile
   - gemfiles/mongo_mapper.gemfile
   - gemfiles/mongoid.gemfile
 
@@ -27,8 +26,6 @@ matrix:
       gemfile: gemfiles/rails-4.1.gemfile
     - rvm: 1.8.7
       gemfile: gemfiles/rails-4-observers.gemfile
-    - rvm: 1.8.7
-      gemfile: gemfiles/rails-4-protected-attributes.gemfile
     - rvm: 1.8.7
       gemfile: gemfiles/mongoid.gemfile
       

data/lib/mongomodel.rb

@@ -6,6 +6,7 @@ require 'mongo'
 require 'mongomodel/support/core_extensions'
 require 'mongomodel/support/exceptions'
 require 'mongomodel/log_subscriber'
+require "mongomodel/vendor/active_model" unless defined?(ActiveModel::MassAssignmentSecurity)
 
 require 'active_support/core_ext/module/attribute_accessors'
 
@@ -15,12 +16,6 @@ rescue LoadError
   # Either ActiveModel < 4 or rails-observers gem is not available
 end
 
-begin
-  require "protected_attributes"
-rescue LoadError
-  # Either ActiveModel < 4 or protected_attributes gem is not available
-end
-
 module MongoModel
   autoload :VERSION,          'mongomodel/version'
   

data/lib/mongomodel/concerns/attribute_methods/protected.rb

@@ -3,29 +3,25 @@ module MongoModel
     module Protected
       extend ActiveSupport::Concern
       
-      if defined?(ActiveModel::MassAssignmentSecurity)
-        include ActiveModel::MassAssignmentSecurity
+      include ActiveModel::MassAssignmentSecurity
 
-        module ClassMethods
-          def property(name, *args, &block)#:nodoc:
-            property = super(name, *args, &block)
+      module ClassMethods
+        def property(name, *args, &block)#:nodoc:
+          property = super(name, *args, &block)
 
-            attr_protected(name) if property.options[:protected]
-            attr_accessible(name) if property.options[:accessible]
-          
-            property
-          end
+          attr_protected(name) if property.options[:protected]
+          attr_accessible(name) if property.options[:accessible]
+        
+          property
         end
-      
-        def assign_attributes(attrs, options={})
-          if options[:without_protection]
-            super
-          else
-            super(sanitize_for_mass_assignment(attrs, options[:as] || :default))
-          end
+      end
+    
+      def assign_attributes(attrs, options={})
+        if options[:without_protection]
+          super
+        else
+          super(sanitize_for_mass_assignment(attrs, options[:as] || :default))
         end
-      elsif defined?(ActiveModel::DeprecatedMassAssignmentSecurity)
-        include ActiveModel::DeprecatedMassAssignmentSecurity
       end
     end
   end

data/lib/mongomodel/vendor/active_model.rb

@@ -0,0 +1,2 @@
+$LOAD_PATH.unshift File.dirname(__FILE__)
+require "active_model/mass_assignment_security"

data/lib/mongomodel/vendor/active_model/mass_assignment_security.rb

@@ -0,0 +1,353 @@
+require 'active_support/concern'
+require 'active_support/core_ext/class/attribute'
+require 'active_support/core_ext/string/inflections'
+require 'active_model'
+require 'active_model/mass_assignment_security/permission_set'
+require 'active_model/mass_assignment_security/sanitizer'
+
+module ActiveModel
+  # == Active Model Mass-Assignment Security
+  #
+  # Mass assignment security provides an interface for protecting attributes
+  # from end-user assignment. For more complex permissions, mass assignment
+  # security may be handled outside the model by extending a non-ActiveRecord
+  # class, such as a controller, with this behavior.
+  #
+  # For example, a logged in user may need to assign additional attributes
+  # depending on their role:
+  #
+  #   class AccountsController < ApplicationController
+  #     include ActiveModel::MassAssignmentSecurity
+  #
+  #     attr_accessible :first_name, :last_name
+  #     attr_accessible :first_name, :last_name, :plan_id, as: :admin
+  #
+  #     def update
+  #       ...
+  #       @account.update_attributes(account_params)
+  #       ...
+  #     end
+  #
+  #     protected
+  #
+  #     def account_params
+  #       role = admin ? :admin : :default
+  #       sanitize_for_mass_assignment(params[:account], role)
+  #     end
+  #
+  #   end
+  #
+  # === Configuration options
+  #
+  # * <tt>mass_assignment_sanitizer</tt> - Defines sanitize method. Possible
+  #   values are:
+  #   * <tt>:logger</tt> (default) - writes filtered attributes to logger
+  #   * <tt>:strict</tt> - raise <tt>ActiveModel::MassAssignmentSecurity::Error</tt>
+  #     on any protected attribute update.
+  #
+  # You can specify your own sanitizer object eg. <tt>MySanitizer.new</tt>.
+  # See <tt>ActiveModel::MassAssignmentSecurity::LoggerSanitizer</tt> for
+  # example implementation.
+  module MassAssignmentSecurity
+    extend ActiveSupport::Concern
+
+    included do
+      class_attribute :_accessible_attributes, :instance_writer => false
+      class_attribute :_protected_attributes,  :instance_writer => false
+      class_attribute :_active_authorizer,     :instance_writer => false
+
+      class_attribute :_mass_assignment_sanitizer, :instance_writer => false
+      self.mass_assignment_sanitizer = :logger
+    end
+
+    module ClassMethods
+      # Attributes named in this macro are protected from mass-assignment
+      # whenever attributes are sanitized before assignment. A role for the
+      # attributes is optional, if no role is provided then <tt>:default</tt>
+      # is used. A role can be defined by using the <tt>:as</tt> option with a
+      # symbol or an array of symbols as the value.
+      #
+      # Mass-assignment to these attributes will simply be ignored, to assign
+      # to them you can use direct writer methods. This is meant to protect
+      # sensitive attributes from being overwritten by malicious users
+      # tampering with URLs or forms.
+      #
+      #   class Customer
+      #     include ActiveModel::MassAssignmentSecurity
+      #
+      #     attr_accessor :name, :email, :logins_count
+      #
+      #     attr_protected :logins_count
+      #     # Suppose that admin can not change email for customer
+      #     attr_protected :logins_count, :email, as: :admin
+      #
+      #     def assign_attributes(values, options = {})
+      #       sanitize_for_mass_assignment(values, options[:as]).each do |k, v|
+      #         send("#{k}=", v)
+      #       end
+      #     end
+      #   end
+      #
+      # When using the <tt>:default</tt> role:
+      #
+      #   customer = Customer.new
+      #   customer.assign_attributes({ name: 'David', email: 'a@b.com', logins_count: 5 }, as: :default)
+      #   customer.name         # => "David"
+      #   customer.email        # => "a@b.com"
+      #   customer.logins_count # => nil
+      #
+      # And using the <tt>:admin</tt> role:
+      #
+      #   customer = Customer.new
+      #   customer.assign_attributes({ name: 'David', email: 'a@b.com', logins_count: 5}, as: :admin)
+      #   customer.name         # => "David"
+      #   customer.email        # => nil
+      #   customer.logins_count # => nil
+      #
+      #   customer.email = 'c@d.com'
+      #   customer.email # => "c@d.com"
+      #
+      # To start from an all-closed default and enable attributes as needed,
+      # have a look at +attr_accessible+.
+      #
+      # Note that using <tt>Hash#except</tt> or <tt>Hash#slice</tt> in place of
+      # +attr_protected+ to sanitize attributes provides basically the same
+      # functionality, but it makes a bit tricky to deal with nested attributes.
+      def attr_protected(*args)
+        options = args.extract_options!
+        role = options[:as] || :default
+
+        self._protected_attributes = protected_attributes_configs.dup
+
+        Array(role).each do |name|
+          self._protected_attributes[name] = self.protected_attributes(name) + args
+        end
+
+        self._active_authorizer = self._protected_attributes
+      end
+
+      # Specifies a white list of model attributes that can be set via
+      # mass-assignment.
+      #
+      # Like +attr_protected+, a role for the attributes is optional,
+      # if no role is provided then <tt>:default</tt> is used. A role can be
+      # defined by using the <tt>:as</tt> option with a symbol or an array of
+      # symbols as the value.
+      #
+      # This is the opposite of the +attr_protected+ macro: Mass-assignment
+      # will only set attributes in this list, to assign to the rest of
+      # attributes you can use direct writer methods. This is meant to protect
+      # sensitive attributes from being overwritten by malicious users
+      # tampering with URLs or forms. If you'd rather start from an all-open
+      # default and restrict attributes as needed, have a look at
+      # +attr_protected+.
+      #
+      #   class Customer
+      #     include ActiveModel::MassAssignmentSecurity
+      #
+      #     attr_accessor :name, :credit_rating
+      #
+      #     # Both admin and default user can change name of a customer
+      #     attr_accessible :name, as: [:admin, :default]
+      #     # Only admin can change credit rating of a customer
+      #     attr_accessible :credit_rating, as: :admin
+      #
+      #     def assign_attributes(values, options = {})
+      #       sanitize_for_mass_assignment(values, options[:as]).each do |k, v|
+      #         send("#{k}=", v)
+      #       end
+      #     end
+      #   end
+      #
+      # When using the <tt>:default</tt> role:
+      #
+      #   customer = Customer.new
+      #   customer.assign_attributes({ name: 'David', credit_rating: 'Excellent', last_login: 1.day.ago }, as: :default)
+      #   customer.name          # => "David"
+      #   customer.credit_rating # => nil
+      #
+      #   customer.credit_rating = 'Average'
+      #   customer.credit_rating # => "Average"
+      #
+      # And using the <tt>:admin</tt> role:
+      #
+      #   customer = Customer.new
+      #   customer.assign_attributes({ name: 'David', credit_rating: 'Excellent', last_login: 1.day.ago }, as: :admin)
+      #   customer.name          # => "David"
+      #   customer.credit_rating # => "Excellent"
+      #
+      # Note that using <tt>Hash#except</tt> or <tt>Hash#slice</tt> in place of
+      # +attr_accessible+ to sanitize attributes provides basically the same
+      # functionality, but it makes a bit tricky to deal with nested attributes.
+      def attr_accessible(*args)
+        options = args.extract_options!
+        role = options[:as] || :default
+
+        self._accessible_attributes = accessible_attributes_configs.dup
+
+        Array(role).each do |name|
+          self._accessible_attributes[name] = self.accessible_attributes(name) + args
+        end
+
+        self._active_authorizer = self._accessible_attributes
+      end
+
+      # Returns an instance of <tt>ActiveModel::MassAssignmentSecurity::BlackList</tt>
+      # with the attributes protected by #attr_protected method. If no +role+
+      # is provided, then <tt>:default</tt> is used.
+      #
+      #   class Customer
+      #     include ActiveModel::MassAssignmentSecurity
+      #
+      #     attr_accessor :name, :email, :logins_count
+      #
+      #     attr_protected :logins_count
+      #     attr_protected :logins_count, :email, as: :admin
+      #   end
+      #
+      #   Customer.protected_attributes
+      #   # => #<ActiveModel::MassAssignmentSecurity::BlackList: {"logins_count"}>
+      #
+      #   Customer.protected_attributes(:default)
+      #   # => #<ActiveModel::MassAssignmentSecurity::BlackList: {"logins_count"}>
+      #
+      #   Customer.protected_attributes(:admin)
+      #   # => #<ActiveModel::MassAssignmentSecurity::BlackList: {"logins_count", "email"}>
+      def protected_attributes(role = :default)
+        protected_attributes_configs[role]
+      end
+
+      # Returns an instance of <tt>ActiveModel::MassAssignmentSecurity::WhiteList</tt>
+      # with the attributes protected by #attr_accessible method. If no +role+
+      # is provided, then <tt>:default</tt> is used.
+      #
+      #   class Customer
+      #     include ActiveModel::MassAssignmentSecurity
+      #
+      #     attr_accessor :name, :credit_rating
+      #
+      #     attr_accessible :name, as: [:admin, :default]
+      #     attr_accessible :credit_rating, as: :admin
+      #   end
+      #
+      #   Customer.accessible_attributes
+      #   # => #<ActiveModel::MassAssignmentSecurity::WhiteList: {"name"}>
+      #
+      #   Customer.accessible_attributes(:default)
+      #   # => #<ActiveModel::MassAssignmentSecurity::WhiteList: {"name"}>
+      #
+      #   Customer.accessible_attributes(:admin)
+      #   # => #<ActiveModel::MassAssignmentSecurity::WhiteList: {"name", "credit_rating"}>
+      def accessible_attributes(role = :default)
+        accessible_attributes_configs[role]
+      end
+
+      # Returns a hash with the protected attributes (by #attr_accessible or
+      # #attr_protected) per role.
+      #
+      #   class Customer
+      #     include ActiveModel::MassAssignmentSecurity
+      #
+      #     attr_accessor :name, :credit_rating
+      #
+      #     attr_accessible :name, as: [:admin, :default]
+      #     attr_accessible :credit_rating, as: :admin
+      #   end
+      #
+      #   Customer.active_authorizers
+      #   # => {
+      #   #       :admin=> #<ActiveModel::MassAssignmentSecurity::WhiteList: {"name", "credit_rating"}>,
+      #   #       :default=>#<ActiveModel::MassAssignmentSecurity::WhiteList: {"name"}>
+      #   #    }
+      def active_authorizers
+        self._active_authorizer ||= protected_attributes_configs
+      end
+      alias active_authorizer active_authorizers
+
+      # Returns an empty array by default. You can still override this to define
+      # the default attributes protected by #attr_protected method.
+      #
+      #   class Customer
+      #     include ActiveModel::MassAssignmentSecurity
+      #
+      #     def self.attributes_protected_by_default
+      #       [:name]
+      #     end
+      #   end
+      #
+      #   Customer.protected_attributes
+      #   # => #<ActiveModel::MassAssignmentSecurity::BlackList: {:name}>
+      def attributes_protected_by_default
+        []
+      end
+
+      # Defines sanitize method.
+      #
+      #   class Customer
+      #     include ActiveModel::MassAssignmentSecurity
+      #
+      #     attr_accessor :name
+      #
+      #     attr_protected :name
+      #
+      #     def assign_attributes(values)
+      #       sanitize_for_mass_assignment(values).each do |k, v|
+      #         send("#{k}=", v)
+      #       end
+      #     end
+      #   end
+      #
+      #   # See ActiveModel::MassAssignmentSecurity::StrictSanitizer for more information.
+      #   Customer.mass_assignment_sanitizer = :strict
+      #
+      #   customer = Customer.new
+      #   customer.assign_attributes(name: 'David')
+      #   # => ActiveModel::MassAssignmentSecurity::Error: Can't mass-assign protected attributes for Customer: name
+      #
+      # Also, you can specify your own sanitizer object.
+      #
+      #   class CustomSanitizer < ActiveModel::MassAssignmentSecurity::Sanitizer
+      #     def process_removed_attributes(klass, attrs)
+      #       raise StandardError
+      #     end
+      #   end
+      #
+      #   Customer.mass_assignment_sanitizer = CustomSanitizer.new
+      #
+      #   customer = Customer.new
+      #   customer.assign_attributes(name: 'David')
+      #   # => StandardError: StandardError
+      def mass_assignment_sanitizer=(value)
+        self._mass_assignment_sanitizer = if value.is_a?(Symbol)
+          const_get(:"#{value.to_s.camelize}Sanitizer").new(self)
+        else
+          value
+        end
+      end
+
+      private
+
+      def protected_attributes_configs
+        self._protected_attributes ||= begin
+          Hash.new { |h,k| h[k] = BlackList.new(attributes_protected_by_default) }
+        end
+      end
+
+      def accessible_attributes_configs
+        self._accessible_attributes ||= begin
+          Hash.new { |h,k| h[k] = WhiteList.new }
+        end
+      end
+    end
+
+  protected
+
+    def sanitize_for_mass_assignment(attributes, role = nil) #:nodoc:
+      _mass_assignment_sanitizer.sanitize(self.class, attributes, mass_assignment_authorizer(role))
+    end
+
+    def mass_assignment_authorizer(role) #:nodoc:
+      self.class.active_authorizer[role || :default]
+    end
+  end
+end

data/lib/mongomodel/vendor/active_model/mass_assignment_security/permission_set.rb

@@ -0,0 +1,40 @@
+require 'set'
+
+module ActiveModel
+  module MassAssignmentSecurity
+    class PermissionSet < Set #:nodoc:
+
+      def +(values)
+        super(values.compact.map(&:to_s))
+      end
+
+      def include?(key)
+        super(remove_multiparameter_id(key))
+      end
+
+      def deny?(key)
+        raise NotImplementedError, "#deny?(key) supposed to be overwritten"
+      end
+
+    protected
+
+      def remove_multiparameter_id(key)
+        key.to_s.gsub(/\(.+/, '')
+      end
+    end
+
+    class WhiteList < PermissionSet #:nodoc:
+
+      def deny?(key)
+        !include?(key)
+      end
+    end
+
+    class BlackList < PermissionSet #:nodoc:
+
+      def deny?(key)
+        include?(key)
+      end
+    end
+  end
+end

data/lib/mongomodel/vendor/active_model/mass_assignment_security/sanitizer.rb

@@ -0,0 +1,74 @@
+module ActiveModel
+  module MassAssignmentSecurity
+    class Sanitizer #:nodoc:
+      # Returns all attributes not denied by the authorizer.
+      def sanitize(klass, attributes, authorizer)
+        rejected = []
+        sanitized_attributes = attributes.reject do |key, value|
+          rejected << key if authorizer.deny?(key)
+        end
+        process_removed_attributes(klass, rejected) unless rejected.empty?
+        sanitized_attributes
+      end
+
+    protected
+
+      def process_removed_attributes(klass, attrs)
+        raise NotImplementedError, "#process_removed_attributes(attrs) suppose to be overwritten"
+      end
+    end
+
+    class LoggerSanitizer < Sanitizer #:nodoc:
+      def initialize(target)
+        @target = target
+        super()
+      end
+
+      def logger
+        @target.logger
+      end
+
+      def logger?
+        @target.respond_to?(:logger) && @target.logger
+      end
+
+      def backtrace
+        if defined? Rails
+          Rails.backtrace_cleaner.clean(caller)
+        else
+          caller
+        end
+      end
+
+      def process_removed_attributes(klass, attrs)
+        if logger?
+          logger.warn do
+            "WARNING: Can't mass-assign protected attributes for #{klass.name}: #{attrs.join(', ')}\n" +
+                backtrace.map { |trace| "\t#{trace}" }.join("\n")
+          end
+        end
+      end
+    end
+
+    class StrictSanitizer < Sanitizer #:nodoc:
+      def initialize(target = nil)
+        super()
+      end
+
+      def process_removed_attributes(klass, attrs)
+        return if (attrs - insensitive_attributes).empty?
+        raise ActiveModel::MassAssignmentSecurity::Error.new(klass, attrs)
+      end
+
+      def insensitive_attributes
+        ['id']
+      end
+    end
+
+    class Error < StandardError #:nodoc:
+      def initialize(klass, attrs)
+        super("Can't mass-assign protected attributes for #{klass.name}: #{attrs.join(', ')}")
+      end
+    end
+  end
+end

data/lib/mongomodel/version.rb

@@ -1,3 +1,3 @@
 module MongoModel
-  VERSION = "0.5.1"
+  VERSION = "0.5.2"
 end

data/spec/mongomodel/concerns/attribute_methods/protected_spec.rb

@@ -1,86 +1,84 @@
 require 'spec_helper'
 
 module MongoModel
-  if ActiveModel::VERSION::STRING < '4.0' || Gem.loaded_specs['protected_attributes']
-    specs_for(Document, EmbeddedDocument) do
-      define_class(:TestDocument, described_class) do
-        property :foo, String
-        property :bar, String
+  specs_for(Document, EmbeddedDocument) do
+    define_class(:TestDocument, described_class) do
+      property :foo, String
+      property :bar, String
+    end
+  
+    subject { TestDocument.new }
+  
+    describe "#attr_protected" do
+      before(:each) do
+        TestDocument.attr_protected :foo
       end
     
-      subject { TestDocument.new }
+      it "disallows the attribute to be mass-assigned via attributes=" do
+        subject.attributes = { :foo => 'value of foo' }
+        subject.foo.should be_nil
+      end
     
-      describe "#attr_protected" do
-        before(:each) do
-          TestDocument.attr_protected :foo
-        end
-      
-        it "disallows the attribute to be mass-assigned via attributes=" do
-          subject.attributes = { :foo => 'value of foo' }
-          subject.foo.should be_nil
-        end
-      
-        it "does not disallow the attribute to be assigned individually" do
-          subject.foo = 'value of foo'
-          subject.foo.should == 'value of foo'
-        end
-      
-        it "does not disallow other attributes to be mass-assigned via attributes=" do
-          subject.attributes = { :bar => 'value of bar' }
-          subject.bar.should == 'value of bar'
-        end
-      
-        it "accepts multiple attributes" do
-          TestDocument.attr_protected :foo, :bar
-        
-          subject.attributes = { :foo => 'value of foo', :bar => 'value of bar' }
-          subject.foo.should be_nil
-          subject.bar.should be_nil
-        end
+      it "does not disallow the attribute to be assigned individually" do
+        subject.foo = 'value of foo'
+        subject.foo.should == 'value of foo'
       end
     
-      describe "#attr_accessible" do
-        before(:each) do
-          TestDocument.attr_accessible :foo
-        end
-      
-        it "allows the attribute to be mass-assigned via attributes=" do
-          subject.attributes = { :foo => 'value of foo' }
-          subject.foo.should == 'value of foo'
-        end
-      
-        it "does not disallow other attributes to be mass-assigned via attributes=" do
-          subject.attributes = { :bar => 'value of bar' }
-          subject.bar.should be_nil
-        end
+      it "does not disallow other attributes to be mass-assigned via attributes=" do
+        subject.attributes = { :bar => 'value of bar' }
+        subject.bar.should == 'value of bar'
+      end
+    
+      it "accepts multiple attributes" do
+        TestDocument.attr_protected :foo, :bar
       
-        it "does not disallow others attributes to be assigned individually" do
-          subject.bar = 'value of bar'
-          subject.bar.should == 'value of bar'
-        end
+        subject.attributes = { :foo => 'value of foo', :bar => 'value of bar' }
+        subject.foo.should be_nil
+        subject.bar.should be_nil
+      end
+    end
+  
+    describe "#attr_accessible" do
+      before(:each) do
+        TestDocument.attr_accessible :foo
+      end
+    
+      it "allows the attribute to be mass-assigned via attributes=" do
+        subject.attributes = { :foo => 'value of foo' }
+        subject.foo.should == 'value of foo'
+      end
+    
+      it "does not disallow other attributes to be mass-assigned via attributes=" do
+        subject.attributes = { :bar => 'value of bar' }
+        subject.bar.should be_nil
+      end
+    
+      it "does not disallow others attributes to be assigned individually" do
+        subject.bar = 'value of bar'
+        subject.bar.should == 'value of bar'
+      end
+    
+      it "accepts multiple attributes" do
+        TestDocument.attr_accessible :foo, :bar
       
-        it "accepts multiple attributes" do
-          TestDocument.attr_accessible :foo, :bar
-        
-          subject.attributes = { :foo => 'value of foo', :bar => 'value of bar' }
-          subject.foo.should == 'value of foo'
-          subject.bar.should == 'value of bar'
+        subject.attributes = { :foo => 'value of foo', :bar => 'value of bar' }
+        subject.foo.should == 'value of foo'
+        subject.bar.should == 'value of bar'
+      end
+    end
+  
+    describe "#property" do
+      context "with :protected option" do
+        it "makes the attribute protected" do
+          TestDocument.should_receive(:attr_protected).with(:baz)
+          TestDocument.property :baz, String, :protected => true
         end
       end
     
-      describe "#property" do
-        context "with :protected option" do
-          it "makes the attribute protected" do
-            TestDocument.should_receive(:attr_protected).with(:baz)
-            TestDocument.property :baz, String, :protected => true
-          end
-        end
-      
-        context "with :accessible option" do
-          it "makes the attribute accessible" do
-            TestDocument.should_receive(:attr_accessible).with(:baz)
-            TestDocument.property :baz, String, :accessible => true
-          end
+      context "with :accessible option" do
+        it "makes the attribute accessible" do
+          TestDocument.should_receive(:attr_accessible).with(:baz)
+          TestDocument.property :baz, String, :accessible => true
         end
       end
     end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: mongomodel
 version: !ruby/object:Gem::Version
-  version: 0.5.1
+  version: 0.5.2
 platform: ruby
 authors:
 - Sam Pohlenz
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-02-24 00:00:00.000000000 Z
+date: 2014-02-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -115,7 +115,6 @@ files:
 - gemfiles/rails-3.1.gemfile
 - gemfiles/rails-3.2.gemfile
 - gemfiles/rails-4-observers.gemfile
-- gemfiles/rails-4-protected-attributes.gemfile
 - gemfiles/rails-4.0.gemfile
 - gemfiles/rails-4.1.gemfile
 - lib/mongomodel.rb
@@ -210,6 +209,10 @@ files:
 - lib/mongomodel/support/types/symbol.rb
 - lib/mongomodel/support/types/time.rb
 - lib/mongomodel/tasks/database.rake
+- lib/mongomodel/vendor/active_model.rb
+- lib/mongomodel/vendor/active_model/mass_assignment_security.rb
+- lib/mongomodel/vendor/active_model/mass_assignment_security/permission_set.rb
+- lib/mongomodel/vendor/active_model/mass_assignment_security/sanitizer.rb
 - lib/mongomodel/version.rb
 - lib/rails/generators/mongo_model/config/config_generator.rb
 - lib/rails/generators/mongo_model/config/templates/mongomodel.yml

data/gemfiles/rails-4-protected-attributes.gemfile

@@ -1,11 +0,0 @@
-source "https://rubygems.org"
-
-gem "activesupport", :github => "rails/rails", :branch => "4-0-stable"
-gem "activemodel", :github => "rails/rails", :branch => "4-0-stable"
-gem "protected_attributes", :github => "rails/protected_attributes"
-
-gem "bson_ext", "~> 1.8"
-gem "tzinfo"
-gem "rake"
-
-gemspec :path => "../"