param_protected 1.1.0

data/CHANGELOG

@@ -0,0 +1,19 @@
+09/12/2009
+----------
+* Restructured and reorganized.  Now the majority of the work is done in the Protector class.  This minimizes the amount of methods / instance variables that clutter the controllers.
+* The filtering is done in ActionController::Base#params now, instead of as a before filter.  This eliminates the caveat of before filters declared after param_protected/param_accessible calls having access to the unprotected params.
+
+09/11/2009
+----------
+* Refactored tests to use plugin_test_helper.
+* gemified
+
+03/17/2009
+----------
+* more sane way to specify nested parameters (honestly, I don't know what I was thinking before)
+* the old method of specifying nested parameters ("user/first_name", "user/last_name") DOES NOT WORK ANYMORE.
+* changed param_protected/param_accessible's :exclude argument to :except to better fit in with Rails
+
+07/16/2008
+----------
+* rewrote the entire plugin (it should actually work now)

data/README.rdoc

@@ -0,0 +1,49 @@
+= Summary
+This plugin provides two class methods on <tt>ActiveController::Base</tt> that filter the <tt>params</tt> hash for that controller's actions.  You can think of them as the controller analog of <tt>attr_protected</tt> and <tt>attr_accessible</tt>.
+
+= Installation
+
+Put in your <tt>environment.rb</tt> file...
+
+  config.gem "cjbottaro-param_protected", :lib => "param_protected", :source => "http://gems.github.com"
+  
+Alternatively, just install the gem from the command line and <tt>require "param_protected"</tt> somewhere in your project.
+
+= Usage
+ class YourController < ActiveController::Base
+   param_protected <param_name> <options>
+   param_accessible <param_name> <options>
+   
+   ...
+ end
+<tt>param_name</tt> can be a String, Symbol, or Array of Strings and/or Symbols.
+
+<tt>options</tt> is a Hash that has <em>one</em> of two keys:  <tt>:only</tt> or <tt>:except</tt>.  The value for these keys is a String, Symbol, or Array of Strings and/or Symbols which denotes to the action(s) for which params to protect.
+
+= Examples
+
+== Blacklisting
+Any of these combinations should work.
+ param_protected :client_id
+ param_protected [:client_id, :user_id]
+ param_protected :client_id, :only => 'my_action'
+ param_protected :client_id, :except => [:your_action, :my_action]
+
+== Whitelisting
+Any of these combinations should work.
+ param_accessible :client_id
+ param_accessible :[:client_id, :user_id]
+ param_accessible :client_id, :only => 'my_action'
+ param_accessible :client_id, :except => [:your_action, :my_action]
+
+== Nested Params
+You can use combinations of arrays and hashes to specify nested params, much the same way <tt>ActiveRecord::Base#find</tt>'s
+<tt>:include</tt> argument works.
+ param_accessible [:account_name, { :user => [:first_name, :last_name, :address => [:street, :city, :state]] }]
+ param_protected [:id, :password, { :user => [:id, :password] }]
+
+= How does it work?
+It does an <tt>alias_method_chain</tt> on <tt>ActionController::Base#params</tt> that filters (and caches) the params.  You can get the unfiltered, pristine params by calling <tt>ActionController::Base#params_without_protection</tt>.
+
+= Author
+Christopher J. Bottaro

data/Rakefile

@@ -0,0 +1,36 @@
+require 'rake'
+require 'rake/testtask'
+require 'rake/rdoctask'
+
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gemspec|
+    gemspec.name = "param_protected"
+    gemspec.summary = "Filter unwanted parameters in your controllers and actions."
+    gemspec.description = "Provides two class methods on ActiveController::Base that filter the params hash for that controller's actions.  You can think of them as the controller analog of attr_protected and attr_accessible."
+    gemspec.email = "cjbottaro@alumni.cs.utexas.edu"
+    gemspec.homepage = "http://github.com/cjbottaro/param_protected"
+    gemspec.authors = ["Christopher J. Bottaro"]
+  end
+rescue LoadError
+  puts "Jeweler not available. Install it with: sudo gem install technicalpickles-jeweler -s http://gems.github.com"
+end
+
+desc 'Default: run unit tests.'
+task :default => :test
+
+desc 'Test the param_protected plugin.'
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = true
+end
+
+desc 'Generate documentation for the param_protected plugin.'
+Rake::RDocTask.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'ParamProtected'
+  rdoc.options << '--line-numbers' << '--inline-source'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/VERSION

@@ -0,0 +1 @@
+1.1.0

data/init.rb

@@ -0,0 +1,2 @@
+# Include hook code here
+require 'param_protected'

data/install.rb

@@ -0,0 +1 @@
+# Install hook code here

data/lib/param_protected.rb

@@ -0,0 +1,6 @@
+require "param_protected/meta_class"
+require "param_protected/constants"
+require "param_protected/protector"
+require "param_protected/controller_modifications"
+
+ActionController::Base.extend(ParamProtected::ControllerModifications)

data/lib/param_protected/constants.rb

@@ -0,0 +1,4 @@
+module ParamProtected
+  BLACKLIST = :blacklist
+  WHITELIST = :whitelist
+end

data/lib/param_protected/controller_modifications.rb

@@ -0,0 +1,46 @@
+module ParamProtected
+  module ControllerModifications
+    
+    def self.extended(action_controller)
+      action_controller.class_eval do
+        extend  ClassMethods
+        include InstanceMethods
+        alias_method_chain :params, :protection
+      end
+    end
+    
+    module ClassMethods
+      
+      def param_protected(params, actions = nil)
+        Protector.instance(self).declare_protection(params, actions, BLACKLIST)
+      end
+      
+      def param_accessible(params, actions = nil)
+        Protector.instance(self).declare_protection(params, actions, WHITELIST)
+      end
+      
+    end
+    
+    module InstanceMethods
+      
+      def params_with_protection
+        
+        # #params is called internally by ActionController::Base a few times before an action is dispatched,
+        # thus we can't filter and cache it right off the bat.  We have to wait for #action_name to be present
+        # to know that we're really in an action and @_params actually contains something.  Then we can filter
+        # and cache it.
+        
+        if action_name.blank?
+          params_without_protection
+        elsif @params_protected
+          @params_protected
+        else
+          @params_protected = Protector.instance(self.class).protect(params_without_protection, action_name)
+        end
+        
+      end
+      
+    end
+    
+  end
+end

data/lib/param_protected/meta_class.rb

@@ -0,0 +1,13 @@
+class Object
+  unless method_defined?(:meta_class)
+    def meta_class
+      (class << self; self; end)
+    end
+  end
+  
+  unless method_defined?(:meta_eval)
+    def meta_eval(&block)
+      meta_class.instance_eval(&block)
+    end
+  end
+end

data/lib/param_protected/protector.rb

@@ -0,0 +1,120 @@
+module ParamProtected
+  class Protector
+  
+    def self.instance(controller)
+      unless controller.respond_to?(:pp_protector)
+        controller.class_eval{ @pp_protector = Protector.new }
+        controller.meta_eval { attr_reader :pp_protector }
+      end
+      controller.pp_protector
+    end
+    
+    def initialize
+      @protections = []
+    end
+    
+    def declare_protection(params, actions, exclusivity)
+      params  = normalize_params(params)
+      actions = normalize_actions(actions)
+      @protections << [params, actions, exclusivity]
+    end
+    
+    def protect(controller_params, action_name)
+      returning(deep_copy(controller_params)) do |params|
+        @protections.each do |protected_params, actions, exclusivity|
+          scope, actions = actions.first, actions[1..-1] # Careful not to modify the actions array in place.
+          next unless action_matches?(scope, actions, action_name)
+          filter_params(protected_params, params, exclusivity)
+        end
+      end
+    end
+    
+  private
+    
+    # When specifying params to protect, we allow a combination of arrays and hashes much like how
+    # ActiveRecord::Base#find's :include options works.  This method normalizes that into just nested hashes,
+    # stringifying the keys and setting all values to nil.  This format is easier/faster to work with when 
+    # filtering the controller params.
+    # Example...
+    #   [:a, {:b => [:c, :d]}]
+    # to
+    #   {"a"=>nil, "b"=>{"c"=>nil, "d"=>nil}}
+    def normalize_params(params, params_out = {})
+      if params.instance_of?(Array)
+        params.each{ |param| normalize_params(param, params_out) }
+      elsif params.instance_of?(Hash)
+        params.each do |k, v|
+          k = k.to_s
+          params_out[k] = {}
+          normalize_params(v, params_out[k])
+        end
+      else
+        params_out[params.to_s] = nil
+      end
+      params_out
+    end
+    
+    # When specifying which actions param protection apply to, we allow a format like this...
+    #   :only => [:action1, :action2]
+    # This method normalizes that to...
+    #   [:only, "action1", "action2"]
+    def normalize_actions(actions)
+      error_message = "invalid actions, use :only => ..., :except => ..., or nil"
+      return [:except, nil] if actions.blank?
+      raise ArgumentError, error_message unless actions.instance_of?(Hash)
+      raise ArgumentError, error_message unless actions.length == 1
+      raise ArgumentError, error_message unless [:only, :except].include?(actions.keys.first)
+      
+      scope, actions = actions.keys.first, actions.values.first
+      actions = [actions] unless actions.instance_of?(Array)
+      actions = actions.collect{ |action| action.to_s }
+      [scope, *actions]
+    end
+    
+    # When #dup just isn't enough... :P
+    def deep_copy(object)
+      returning(try_to_dup(object)) do |new_object|
+        case new_object
+        when Hash
+          new_object.each{ |k, v| new_object[k] = deep_copy(v) }
+        when Array
+          new_object.replace(new_object.collect{ |item| deep_copy(item) })
+        end
+      end
+    end
+    
+    # Some objects are not dupable... like TrueClass, FalseClass and NilClass.
+    def try_to_dup(object)
+      object.dup
+    rescue TypeError
+      object
+    end
+    
+    def action_matches?(scope, actions, action_name)
+      if action_name.blank?
+        false
+      elsif scope == :only
+        actions.include?(action_name)
+      elsif scope == :except
+        !actions.include?(action_name)
+      else
+        raise ArgumentError, "unexpected scope (#{scope}), expected :only or :except"
+      end
+    end
+    
+    def filter_params(protected_params, params, exclusivity)
+      return unless params.kind_of?(Hash)
+      return if protected_params.nil?
+      if exclusivity == BLACKLIST
+        params.delete_if{ |k, v| protected_params.has_key?(k) and protected_params[k].nil? }
+      elsif exclusivity == WHITELIST
+        params.delete_if{ |k, v| !protected_params.has_key?(k) }
+      else
+        raise ArgumentError, "unexpected exclusivity: #{exclusivity}"
+      end
+      params.each{ |k, v| filter_params(protected_params[k], v, exclusivity) }
+      params
+    end
+    
+  end
+end

data/param_protected.gemspec

@@ -0,0 +1,93 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE
+# Instead, edit Jeweler::Tasks in Rakefile, and run `rake gemspec`
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = %q{param_protected}
+  s.version = "1.1.0"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Christopher J. Bottaro"]
+  s.date = %q{2009-09-12}
+  s.description = %q{Provides two class methods on ActiveController::Base that filter the params hash for that controller's actions.  You can think of them as the controller analog of attr_protected and attr_accessible.}
+  s.email = %q{cjbottaro@alumni.cs.utexas.edu}
+  s.extra_rdoc_files = [
+    "README.rdoc"
+  ]
+  s.files = [
+    "CHANGELOG",
+     "README.rdoc",
+     "Rakefile",
+     "VERSION",
+     "init.rb",
+     "install.rb",
+     "lib/param_protected.rb",
+     "lib/param_protected/constants.rb",
+     "lib/param_protected/controller_modifications.rb",
+     "lib/param_protected/meta_class.rb",
+     "lib/param_protected/protector.rb",
+     "param_protected.gemspec",
+     "tasks/param_protected_tasks.rake",
+     "test/accessible_except_test.rb",
+     "test/accessible_only_test.rb",
+     "test/app_root/app/controllers/accessible_except_controller.rb",
+     "test/app_root/app/controllers/accessible_only_controller.rb",
+     "test/app_root/app/controllers/application_controller.rb",
+     "test/app_root/app/controllers/protected_controller.rb",
+     "test/app_root/app/controllers/users_controller.rb",
+     "test/app_root/config/boot.rb",
+     "test/app_root/config/database.yml",
+     "test/app_root/config/environment.rb",
+     "test/app_root/config/environments/in_memory.rb",
+     "test/app_root/config/environments/mysql.rb",
+     "test/app_root/config/environments/postgresql.rb",
+     "test/app_root/config/environments/sqlite.rb",
+     "test/app_root/config/environments/sqlite3.rb",
+     "test/app_root/config/routes.rb",
+     "test/app_root/lib/console_with_fixtures.rb",
+     "test/protected_controller_test.rb",
+     "test/protector_test.rb",
+     "test/test_helper.rb",
+     "test/users_controller_test.rb",
+     "uninstall.rb"
+  ]
+  s.has_rdoc = true
+  s.homepage = %q{http://github.com/cjbottaro/param_protected}
+  s.rdoc_options = ["--charset=UTF-8"]
+  s.require_paths = ["lib"]
+  s.rubygems_version = %q{1.3.2}
+  s.summary = %q{Filter unwanted parameters in your controllers and actions.}
+  s.test_files = [
+    "test/accessible_except_test.rb",
+     "test/accessible_only_test.rb",
+     "test/app_root/app/controllers/accessible_except_controller.rb",
+     "test/app_root/app/controllers/accessible_only_controller.rb",
+     "test/app_root/app/controllers/application_controller.rb",
+     "test/app_root/app/controllers/protected_controller.rb",
+     "test/app_root/app/controllers/users_controller.rb",
+     "test/app_root/config/boot.rb",
+     "test/app_root/config/environment.rb",
+     "test/app_root/config/environments/in_memory.rb",
+     "test/app_root/config/environments/mysql.rb",
+     "test/app_root/config/environments/postgresql.rb",
+     "test/app_root/config/environments/sqlite.rb",
+     "test/app_root/config/environments/sqlite3.rb",
+     "test/app_root/config/routes.rb",
+     "test/app_root/lib/console_with_fixtures.rb",
+     "test/protected_controller_test.rb",
+     "test/protector_test.rb",
+     "test/test_helper.rb",
+     "test/users_controller_test.rb"
+  ]
+
+  if s.respond_to? :specification_version then
+    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
+    else
+    end
+  else
+  end
+end

data/tasks/param_protected_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :param_protected do
+#   # Task goes here
+# end

data/test/accessible_except_test.rb

@@ -0,0 +1,13 @@
+require "test_helper"
+
+class AccessibleExceptControllerTest < ActionController::TestCase
+  
+  test_action :first do
+    assert_params %w[a b c d e f g h]
+  end
+  
+  test_action :second do
+    assert_params %w[a]
+  end
+  
+end

data/test/accessible_only_test.rb

@@ -0,0 +1,13 @@
+require "test_helper"
+
+class AccessibleOnlyControllerTest < ActionController::TestCase
+  
+  test_action :first do
+    assert_params %w[a]
+  end
+  
+  test_action :second do
+    assert_params %w[a b c d e f g h]
+  end
+  
+end

data/test/app_root/app/controllers/accessible_except_controller.rb

@@ -0,0 +1,7 @@
+class AccessibleExceptController < ApplicationController
+  param_accessible :a, :except => :first
+  
+  def first; end
+  
+  def second; end
+end

data/test/app_root/app/controllers/accessible_only_controller.rb

@@ -0,0 +1,7 @@
+class AccessibleOnlyController < ApplicationController
+  param_accessible :a, :only => :first
+
+  def first; end
+
+  def second; end
+end

data/test/app_root/app/controllers/application_controller.rb

@@ -0,0 +1,10 @@
+class ApplicationController < ActionController::Base
+  before_filter :render_nothing
+  
+private
+
+  def render_nothing
+    render :nothing => true
+  end
+  
+end

data/test/app_root/app/controllers/protected_controller.rb

@@ -0,0 +1,29 @@
+class ProtectedController < ApplicationController
+  param_protected :a
+  
+  def an_action; end
+  
+  param_protected :b, :only => :only_one_action
+  def only_one_action; end
+  
+  param_protected :c, :except => :except_one_action
+  def except_one_action; end
+  
+  param_protected [:d, :e], :only => :params_as_array
+  def params_as_array;end
+  
+  param_protected :f, :only => [:only_multiple_actions1, :only_multiple_actions2]
+  def only_multiple_actions1; end
+  def only_multiple_actions2; end
+  
+  param_protected :g, :except => [:except_multiple_actions1, :except_multiple_actions2]
+  def except_multiple_actions1; end
+  def except_multiple_actions2; end
+  
+  param_protected( { :h => :a }, :only => :nested_single )
+  def nested_single; end
+  
+  param_protected( { :h => [:a, :b] }, :only => :nested_multiple )
+  def nested_multiple; end
+  
+end

data/test/app_root/app/controllers/users_controller.rb

@@ -0,0 +1,7 @@
+class UsersController < ApplicationController
+  param_accessible( {:user => [ {:name => [:first, :last]}, :email ]} )
+  
+  def create; end
+  def update; end
+    
+end

data/test/app_root/config/boot.rb

@@ -0,0 +1,115 @@
+# Allow customization of the rails framework path
+RAILS_FRAMEWORK_ROOT = (ENV['RAILS_FRAMEWORK_ROOT'] || "#{File.dirname(__FILE__)}/../../../../../../vendor/rails") unless defined?(RAILS_FRAMEWORK_ROOT) 
+
+# Don't change this file!
+# Configure your app in config/environment.rb and config/environments/*.rb
+
+RAILS_ROOT = "#{File.dirname(__FILE__)}/.." unless defined?(RAILS_ROOT)
+
+module Rails
+  class << self
+    def boot!
+      unless booted?
+        preinitialize
+        pick_boot.run
+      end
+    end
+
+    def booted?
+      defined? Rails::Initializer
+    end
+
+    def pick_boot
+      (vendor_rails? ? VendorBoot : GemBoot).new
+    end
+
+    def vendor_rails?
+      File.exist?(RAILS_FRAMEWORK_ROOT)
+    end
+
+    def preinitialize
+      load(preinitializer_path) if File.exist?(preinitializer_path)
+    end
+
+    def preinitializer_path
+      "#{RAILS_ROOT}/config/preinitializer.rb"
+    end
+  end
+
+  class Boot
+    def run
+      load_initializer
+      Rails::Initializer.run(:set_load_path)
+    end
+  end
+
+  class VendorBoot < Boot
+    def load_initializer
+      require "#{RAILS_FRAMEWORK_ROOT}/railties/lib/initializer"
+      Rails::Initializer.run(:install_gem_spec_stubs)
+      Rails::GemDependency.add_frozen_gem_path
+    end
+  end
+
+  class GemBoot < Boot
+    def load_initializer
+      self.class.load_rubygems
+      load_rails_gem
+      require 'initializer'
+    end
+
+    def load_rails_gem
+      if version = self.class.gem_version
+        gem 'rails', version
+      else
+        gem 'rails'
+      end
+    rescue Gem::LoadError => load_error
+      $stderr.puts %(Missing the Rails #{version} gem. Please `gem install -v=#{version} rails`, update your RAILS_GEM_VERSION setting in config/environment.rb for the Rails version you do have installed, or comment out RAILS_GEM_VERSION to use the latest version installed.)
+      exit 1
+    end
+
+    class << self
+      def rubygems_version
+        Gem::RubyGemsVersion rescue nil
+      end
+
+      def gem_version
+        if defined? RAILS_GEM_VERSION
+          RAILS_GEM_VERSION
+        elsif ENV.include?('RAILS_GEM_VERSION')
+          ENV['RAILS_GEM_VERSION']
+        else
+          parse_gem_version(read_environment_rb)
+        end
+      end
+
+      def load_rubygems
+        require 'rubygems'
+        min_version = '1.3.1'
+        unless rubygems_version >= min_version
+          $stderr.puts %Q(Rails requires RubyGems >= #{min_version} (you have #{rubygems_version}). Please `gem update --system` and try again.)
+          exit 1
+        end
+ 
+      rescue LoadError
+        $stderr.puts %Q(Rails requires RubyGems >= #{min_version}. Please install RubyGems and try again: http://rubygems.rubyforge.org)
+        exit 1
+      end
+
+      def parse_gem_version(text)
+        $1 if text =~ /^[^#]*RAILS_GEM_VERSION\s*=\s*["']([!~<>=]*\s*[\d.]+)["']/
+      end
+
+      private
+        def read_environment_rb
+          environment_rb = "#{RAILS_ROOT}/config/environment.rb"
+          environment_rb = "#{HELPER_RAILS_ROOT}/config/environment.rb" unless File.exists?(environment_rb)
+          File.read(environment_rb)
+        end
+    end
+  end
+end
+
+# All that for this:
+Rails.boot!

data/test/app_root/config/database.yml

@@ -0,0 +1,31 @@
+in_memory:
+  adapter: sqlite3
+  database: ":memory:"
+  verbosity: quiet
+  pool: 5
+  timeout: 5000
+sqlite:
+  adapter: sqlite
+  dbfile: plugin_test.sqlite.db
+  pool: 5
+  timeout: 5000
+sqlite3:
+  adapter: sqlite3
+  dbfile: plugin_test.sqlite3.db
+  pool: 5
+  timeout: 5000
+postgresql:
+  adapter: postgresql
+  username: postgres
+  password: postgres
+  database: plugin_test
+  pool: 5
+  timeout: 5000
+mysql:
+  adapter: mysql
+  host: localhost
+  username: root
+  password:
+  database: plugin_test
+  pool: 5
+  timeout: 5000

data/test/app_root/config/environment.rb

@@ -0,0 +1,14 @@
+require File.join(File.dirname(__FILE__), 'boot')
+
+Rails::Initializer.run do |config|
+  config.cache_classes = false
+  config.whiny_nils = true
+  config.action_controller.session = {:key => 'rails_session', :secret => 'd229e4d22437432705ab3985d4d246'}
+  config.plugin_locators.unshift(
+    Class.new(Rails::Plugin::Locator) do
+      def plugins
+        [Rails::Plugin.new(File.expand_path('.'))]
+      end
+    end
+  ) unless defined?(PluginTestHelper::PluginLocator)
+end

data/test/app_root/config/routes.rb

@@ -0,0 +1,4 @@
+ActionController::Routing::Routes.draw do |map|
+  map.connect ':controller/:action/:id'
+  map.connect ':controller/:action/:id.:format'
+end

data/test/app_root/lib/console_with_fixtures.rb

@@ -0,0 +1,4 @@
+# Loads fixtures into the database when running the test app via the console
+(ENV['FIXTURES'] ? ENV['FIXTURES'].split(/,/) : Dir.glob(File.join(Rails.root, '../fixtures/*.{yml,csv}'))).each do |fixture_file|
+  Fixtures.create_fixtures(File.join(Rails.root, '../fixtures'), File.basename(fixture_file, '.*'))
+end

data/test/protected_controller_test.rb

@@ -0,0 +1,47 @@
+require "test_helper"
+
+class ProtectedControllerTest < ActionController::TestCase
+  
+  test_action :an_action do
+    assert_params %w[b d e f h]
+  end
+  
+  test_action :only_one_action do
+    assert_params %w[d e f h]
+  end
+  
+  test_action :except_one_action do
+    assert_params %w[c b d e f h]
+  end
+  
+  test_action :params_as_array do
+    assert_params %w[b f h]
+  end
+  
+  test_action :only_multiple_actions1 do
+    assert_params %w[b d e h]
+  end
+  
+  test_action :only_multiple_actions2 do
+    assert_params %w[b d e h]
+  end
+  
+  test_action :except_multiple_actions1 do
+    assert_params %w[b d e f g h]
+  end
+  
+  test_action :except_multiple_actions2 do
+    assert_params %w[b d e f g h]
+  end
+  
+  test_action :nested_single do
+    assert_params %w[b d e f h]
+    assert_equal({"b" => "b", "c" => "c"}, params["h"])
+  end
+  
+  test_action :nested_multiple do
+    assert_params %w[b d e f h]
+    assert_equal({"c" => "c"}, params["h"])
+  end
+  
+end

data/test/protector_test.rb

@@ -0,0 +1,147 @@
+require "test_helper"
+
+class HelpersTest < Test::Unit::TestCase
+  
+  def setup
+    @protector = ParamProtected::Protector.new
+  end
+  
+  def test_normalize_params
+    params = @protector.send(:normalize_params, :something)
+    assert_equal({"something" => nil}, params)
+    
+    params = @protector.send(:normalize_params, [:something, :else])
+    assert_equal({"something" => nil, "else" => nil}, params)
+    
+    params = @protector.send(:normalize_params, :something => [:stuff, :blah])
+    assert_equal({"something" => {"stuff" => nil, "blah" => nil}}, params)
+    
+    params = @protector.send(:normalize_params, :something => [:stuff, {:blah => :bleck}])
+    assert_equal({"something" => {"stuff" => nil, "blah" => {"bleck" => nil}}}, params)
+  end
+  
+  def test_normalize_actions
+    actions = @protector.send(:normalize_actions, nil)
+    assert_equal [:except, nil], actions
+    
+    actions = @protector.send(:normalize_actions, :only => :blah)
+    assert_equal [:only, "blah"], actions
+    
+    actions = @protector.send(:normalize_actions, :only => [:blah, :bleck])
+    assert_equal [:only, "blah", "bleck"], actions
+    
+    actions = @protector.send(:normalize_actions, :except => :blah)
+    assert_equal [:except, "blah"], actions
+    
+    actions = @protector.send(:normalize_actions, :except => [:blah, :bleck])
+    assert_equal [:except, "blah", "bleck"], actions
+    
+    assert_raises(ArgumentError){ @protector.send(:normalize_actions, :onlyy => :blah) }
+    assert_raises(ArgumentError){ @protector.send(:normalize_actions, :blah) }
+    assert_raises(ArgumentError){ @protector.send(:normalize_actions, :only => :something, :except => :something) }
+  end
+  
+  def test_deep_copy
+    object_a = [Object.new, {:a => Object.new, :b => [Object.new, Object.new], :c => {:d => Object.new}}, [Object.new, Object.new]]
+    object_b = @protector.send(:deep_copy, object_a)
+    
+    
+    assert_not_equal object_a[0].object_id, object_b[0].object_id
+    assert_not_equal object_a[1].object_id, object_b[1].object_id
+    assert_not_equal object_a[2].object_id, object_b[2].object_id
+    
+    assert_not_equal object_a[1][:a].object_id, object_b[1][:a].object_id
+    assert_not_equal object_a[1][:b].object_id, object_b[1][:b].object_id
+    assert_not_equal object_a[1][:b][0].object_id, object_b[1][:b][0].object_id
+    assert_not_equal object_a[1][:b][1].object_id, object_b[1][:b][1].object_id
+    assert_not_equal object_a[1][:c].object_id, object_b[1][:c].object_id
+    assert_not_equal object_a[1][:c][:d].object_id, object_b[1][:c][:d].object_id
+    
+    assert_not_equal object_a[2][0].object_id, object_b[2][0].object_id
+    assert_not_equal object_a[2][1].object_id, object_b[2][1].object_id
+  end
+  
+  def test_action_matches
+    assert  @protector.send(:action_matches?, :only, ["blah", "bleck"], "blah")
+    assert  @protector.send(:action_matches?, :only, ["blah", "bleck"], "bleck")
+    assert !@protector.send(:action_matches?, :only, ["blah", "bleck"], "not")
+    
+    assert !@protector.send(:action_matches?, :except, ["blah", "bleck"], "blah")
+    assert !@protector.send(:action_matches?, :except, ["blah", "bleck"], "bleck")
+    assert  @protector.send(:action_matches?, :except, ["blah", "bleck"], "not")
+    
+    assert_raises(ArgumentError){ @protector.send(:action_matches?, :bad_scope, ["blah", "bleck"], "not") }
+  end
+  
+  def test_do_param_accessible
+    
+    accessible_params = { :account_id => nil,
+                          :user_id => nil }
+    params            = { :account_id => 123,
+                          :user_id => 456,
+                          :profile_id => 789 }
+    expected_results  = { :account_id => 123,
+                          :user_id => 456 }
+    assert_equal expected_results, @protector.send(:filter_params, accessible_params, params, ParamProtected::WHITELIST)
+    
+    accessible_params = { :account_id => nil,
+                          :user => nil }
+    params            = { :account_id => 123,
+                          :user => { :first_name => "christopher", :last_name => "bottaro" },
+                          :profile_ids => [789, 987] }
+    expected_results  = { :account_id => 123,
+                          :user => { :first_name => "christopher", :last_name => "bottaro"} }
+    assert_equal expected_results, @protector.send(:filter_params, accessible_params, params, ParamProtected::WHITELIST)
+    
+    accessible_params = { :account_id => nil,
+                          :user => {:first_name => nil, :last_name => nil} }
+    params            = { :account_id => 123,
+                          :user => { :first_name => "christopher", :last_name => "bottaro", :middle_name => "james" },
+                          :profile_ids => [789, 987] }
+    expected_results  = { :account_id => 123,
+                          :user => { :first_name => "christopher", :last_name => "bottaro"} }
+    assert_equal expected_results, @protector.send(:filter_params, accessible_params, params, ParamProtected::WHITELIST)
+    
+    accessible_params = { :account_id => nil,
+                          :user => {:name => {:first => nil, :last => nil}} }
+    params            = { :account_id => 123,
+                          :user => { :city => "Austin",
+                                     :name => {:first => "christopher", :last => "bottaro", :middle => "james"} },
+                          :profile_ids => [789, 987] }
+    expected_results  = { :account_id => 123,
+                          :user => { :name => {:first => "christopher", :last => "bottaro"} } }
+    assert_equal expected_results, @protector.send(:filter_params, accessible_params, params, ParamProtected::WHITELIST)
+  end
+  
+  def test_do_param_protected
+    
+    protected_params  = { :account_id => nil,
+                          :user => nil }
+    params            = { :account_id => 123,
+                          :user => { :first_name => "christopher", :last_name => "bottaro" },
+                          :profile_ids => [789, 987] }
+    expected_results  = { :profile_ids => [789, 987] }
+    assert_equal expected_results, @protector.send(:filter_params, protected_params, params, ParamProtected::BLACKLIST)
+    
+    protected_params  = { :account_id => nil,
+                          :user => {:middle_name => nil} }
+    params            = { :account_id => 123,
+                          :user => { :first_name => "christopher", :last_name => "bottaro", :middle_name => "james" },
+                          :profile_ids => [789, 987] }
+    expected_results  = { :user => {:first_name => "christopher", :last_name => "bottaro"},
+                          :profile_ids => [789, 987] }
+    assert_equal expected_results, @protector.send(:filter_params, protected_params, params, ParamProtected::BLACKLIST)
+    
+    protected_params  = { :account_id => nil,
+                          :user => {:name => {:middle => nil}} }
+    params            = { :account_id => 123,
+                          :user => { :city => "Austin",
+                                     :name => {:first => "christopher", :last => "bottaro", :middle => "james"} },
+                          :profile_ids => [789, 987] }
+    expected_results  = { :profile_ids => [789, 987],
+                          :user => { :city => "Austin",
+                          :name => {:first => "christopher", :last => "bottaro"} } }
+    assert_equal expected_results, @protector.send(:filter_params, protected_params, params, ParamProtected::BLACKLIST)
+  end
+  
+end

data/test/test_helper.rb

@@ -0,0 +1,51 @@
+# Set the default environment to sqlite3's in_memory database
+ENV['RAILS_ENV'] ||= 'in_memory'
+
+# Load the Rails environment and testing framework
+require "#{File.dirname(__FILE__)}/app_root/config/environment"
+require 'test_help'
+require "param_protected"
+
+# Undo changes to RAILS_ENV
+silence_warnings {RAILS_ENV = ENV['RAILS_ENV']}
+
+# Run the migrations
+ActiveRecord::Migrator.migrate("#{Rails.root}/db/migrate")
+
+# Set default fixture loading properties
+ActiveSupport::TestCase.class_eval do
+  self.use_transactional_fixtures = true
+  self.use_instantiated_fixtures = false
+  self.fixture_path = "#{File.dirname(__FILE__)}/fixtures"
+  
+  fixtures :all
+end
+
+class ActionController::TestCase
+  PARAMS = {
+    "a" => "a",
+    "b" => "b",
+    "c" => "c",
+    "d" => "d",
+    "e" => "e",
+    "f" => "f",
+    "g" => "g",
+    "h" => { "a" => "a", "b" => "b", "c" => "c" },
+  }.freeze
+  
+  def assert_params(params)
+    controller_params = @controller.params.keys.select{ |k| PARAMS.keys.include?(k.to_s) }
+    assert_equal params.sort, controller_params.sort
+  end
+  
+  def params
+    @controller.params
+  end
+  
+  def self.test_action(action_name, &block)
+    define_method("test_#{action_name}") do
+      get action_name, PARAMS.dup
+      instance_eval(&block)
+    end
+  end
+end

data/test/users_controller_test.rb

@@ -0,0 +1,22 @@
+require "test_helper"
+
+class UsersControllerTest < ActionController::TestCase
+  PARAMS = { :user => { :id => 123,
+                          :name => { :first => "chris", :middle => "james", :last => "bottaro"},
+                          :email => "cjbottaro@blah.com" },
+             :something => "something" }
+             
+  EXPECTED_PARAMS = { "user" => { "name" => {"first" => "chris", "last" => "bottaro"},
+                                  "email" => "cjbottaro@blah.com" } }
+  
+  def test_create
+    get :create, PARAMS
+    assert_equal EXPECTED_PARAMS, params
+  end
+  
+  def test_update
+    get :update, PARAMS
+    assert_equal EXPECTED_PARAMS, params
+  end
+  
+end

data/uninstall.rb

@@ -0,0 +1 @@
+# Uninstall hook code here

metadata

@@ -0,0 +1,108 @@
+--- !ruby/object:Gem::Specification 
+name: param_protected
+version: !ruby/object:Gem::Version 
+  version: 1.1.0
+platform: ruby
+authors: 
+- Christopher J. Bottaro
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2009-12-04 00:00:00 -06:00
+default_executable: 
+dependencies: []
+
+description: Provides two class methods on ActiveController::Base that filter the params hash for that controller's actions.  You can think of them as the controller analog of attr_protected and attr_accessible.
+email: cjbottaro@alumni.cs.utexas.edu
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- README.rdoc
+files: 
+- CHANGELOG
+- README.rdoc
+- Rakefile
+- VERSION
+- init.rb
+- install.rb
+- lib/param_protected.rb
+- lib/param_protected/constants.rb
+- lib/param_protected/controller_modifications.rb
+- lib/param_protected/meta_class.rb
+- lib/param_protected/protector.rb
+- param_protected.gemspec
+- tasks/param_protected_tasks.rake
+- test/accessible_except_test.rb
+- test/accessible_only_test.rb
+- test/app_root/app/controllers/accessible_except_controller.rb
+- test/app_root/app/controllers/accessible_only_controller.rb
+- test/app_root/app/controllers/application_controller.rb
+- test/app_root/app/controllers/protected_controller.rb
+- test/app_root/app/controllers/users_controller.rb
+- test/app_root/config/boot.rb
+- test/app_root/config/database.yml
+- test/app_root/config/environment.rb
+- test/app_root/config/environments/in_memory.rb
+- test/app_root/config/environments/mysql.rb
+- test/app_root/config/environments/postgresql.rb
+- test/app_root/config/environments/sqlite.rb
+- test/app_root/config/environments/sqlite3.rb
+- test/app_root/config/routes.rb
+- test/app_root/lib/console_with_fixtures.rb
+- test/protected_controller_test.rb
+- test/protector_test.rb
+- test/test_helper.rb
+- test/users_controller_test.rb
+- uninstall.rb
+has_rdoc: true
+homepage: http://github.com/cjbottaro/param_protected
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --charset=UTF-8
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.5
+signing_key: 
+specification_version: 3
+summary: Filter unwanted parameters in your controllers and actions.
+test_files: 
+- test/accessible_except_test.rb
+- test/accessible_only_test.rb
+- test/app_root/app/controllers/accessible_except_controller.rb
+- test/app_root/app/controllers/accessible_only_controller.rb
+- test/app_root/app/controllers/application_controller.rb
+- test/app_root/app/controllers/protected_controller.rb
+- test/app_root/app/controllers/users_controller.rb
+- test/app_root/config/boot.rb
+- test/app_root/config/environment.rb
+- test/app_root/config/environments/in_memory.rb
+- test/app_root/config/environments/mysql.rb
+- test/app_root/config/environments/postgresql.rb
+- test/app_root/config/environments/sqlite.rb
+- test/app_root/config/environments/sqlite3.rb
+- test/app_root/config/routes.rb
+- test/app_root/lib/console_with_fixtures.rb
+- test/protected_controller_test.rb
+- test/protector_test.rb
+- test/test_helper.rb
+- test/users_controller_test.rb