param_protected 1.1.0 → 1.2.0

data/README.rdoc

@@ -1,7 +1,7 @@
-= Summary
+=== Summary
 This plugin provides two class methods on <tt>ActiveController::Base</tt> that filter the <tt>params</tt> hash for that controller's actions.  You can think of them as the controller analog of <tt>attr_protected</tt> and <tt>attr_accessible</tt>.
 
-= Installation
+=== Installation
 
 Put in your <tt>environment.rb</tt> file...
 
@@ -9,7 +9,7 @@ Put in your <tt>environment.rb</tt> file...
   
 Alternatively, just install the gem from the command line and <tt>require "param_protected"</tt> somewhere in your project.
 
-= Usage
+=== Usage
  class YourController < ActiveController::Base
    param_protected <param_name> <options>
    param_accessible <param_name> <options>
@@ -20,30 +20,44 @@ Alternatively, just install the gem from the command line and <tt>require "param
 
 <tt>options</tt> is a Hash that has <em>one</em> of two keys:  <tt>:only</tt> or <tt>:except</tt>.  The value for these keys is a String, Symbol, or Array of Strings and/or Symbols which denotes to the action(s) for which params to protect.
 
-= Examples
-
-== Blacklisting
+=== Blacklisting
 Any of these combinations should work.
  param_protected :client_id
  param_protected [:client_id, :user_id]
  param_protected :client_id, :only => 'my_action'
  param_protected :client_id, :except => [:your_action, :my_action]
 
-== Whitelisting
+=== Whitelisting
 Any of these combinations should work.
  param_accessible :client_id
  param_accessible :[:client_id, :user_id]
  param_accessible :client_id, :only => 'my_action'
  param_accessible :client_id, :except => [:your_action, :my_action]
 
-== Nested Params
+=== Nested Params
 You can use combinations of arrays and hashes to specify nested params, much the same way <tt>ActiveRecord::Base#find</tt>'s
 <tt>:include</tt> argument works.
  param_accessible [:account_name, { :user => [:first_name, :last_name, :address => [:street, :city, :state]] }]
  param_protected [:id, :password, { :user => [:id, :password] }]
 
-= How does it work?
+=== Merging
+If you call <tt>param_protected</tt> or <tt>param_accessible</tt> multiple times for an action or actions, then the protections will be merged.  For example...
+ param_protected [:id, :user], :only => :some_action
+ param_protected [{ :user => [:first, :last] }, :password], :only => :some_action
+Is equivalent to saying...
+ param_protected [:id, { :user => [:first, :last] }, :password], :only => :some_action
+Credit: Moritz Heidkamp
+
+=== Inheritance
+Param protections will be inherited to derived controllers.
+
+Credit: Moritz Heidkamp
+
+=== How does it work?
 It does an <tt>alias_method_chain</tt> on <tt>ActionController::Base#params</tt> that filters (and caches) the params.  You can get the unfiltered, pristine params by calling <tt>ActionController::Base#params_without_protection</tt>.
 
-= Author
-Christopher J. Bottaro
+=== Author
+Christopher J. Bottaro - {cjbottaro}[http://github.com/cjbottaro]
+
+=== Contributors
+Moritz Heidkamp - {DerGuteMoritz}[http://github.com/DerGuteMoritz]

data/Rakefile

@@ -22,6 +22,7 @@ task :default => :test
 desc 'Test the param_protected plugin.'
 Rake::TestTask.new(:test) do |t|
   t.libs << 'lib'
+  t.libs << 'test'
   t.pattern = 'test/**/*_test.rb'
   t.verbose = true
 end

data/VERSION

@@ -1 +1 @@
-1.1.0
+1.2.0

data/lib/param_protected/controller_modifications.rb

@@ -4,6 +4,7 @@ module ParamProtected
     def self.extended(action_controller)
       action_controller.class_eval do
         extend  ClassMethods
+        metaclass.alias_method_chain :inherited, :protector
         include InstanceMethods
         alias_method_chain :params, :protection
       end
@@ -18,6 +19,16 @@ module ParamProtected
       def param_accessible(params, actions = nil)
         Protector.instance(self).declare_protection(params, actions, WHITELIST)
       end
+
+      def inherited_with_protector(controller)
+        inherited_without_protector(controller)
+
+        if defined? @pp_protector
+          controller.instance_variable_set :@pp_protector, @pp_protector.dup
+          controller.class_eval { attr_reader :pp_protector }
+        end
+        
+      end
       
     end
     

data/lib/param_protected/protector.rb

@@ -12,6 +12,10 @@ module ParamProtected
     def initialize
       @protections = []
     end
+
+    def initialize_copy(copy)
+      copy.instance_variable_set(:@protections, deep_copy(@protections))
+    end
     
     def declare_protection(params, actions, exclusivity)
       params  = normalize_params(params)
@@ -21,15 +25,47 @@ module ParamProtected
     
     def protect(controller_params, action_name)
       returning(deep_copy(controller_params)) do |params|
-        @protections.each do |protected_params, actions, exclusivity|
-          scope, actions = actions.first, actions[1..-1] # Careful not to modify the actions array in place.
-          next unless action_matches?(scope, actions, action_name)
-          filter_params(protected_params, params, exclusivity)
+        protections_for_action(action_name).each do |exclusivity, protected_params|
+          filter_params(protected_params, params, exclusivity) unless protected_params.empty?
         end
       end
     end
     
   private
+
+    def protections_for_action(action_name)
+      @protections_for_action ||= { }
+
+      @protections_for_action[action_name] ||= @protections.select do |protected_params, actions, exclusivity|
+        action_matches?(actions[0], actions[1..-1], action_name)
+      end.inject({ WHITELIST => { }, BLACKLIST => { } }) do |result, (protected_params, action_name, exclusivity)|
+        merge_protections(result[exclusivity], protected_params)
+        result
+      end
+    end
+
+    # Merge protections for the same params into one so as to allow extension of them 
+    # in inheriting controllers.
+    # 
+    # Mutating the first argument is okay since this method is used within inject only.
+    # 
+    # Example:
+    # merge_protections({ :foo => { :qux => nil }, :bar => { :baz => nil, :qux => nil } },
+    #                   { :foo => { :baz => nil, :qux => { :foo => nil } } })
+    # => 
+    #
+    # { :foo => { :baz => nil, :qux => { :foo => nil } }, :bar => { :baz =>nil, :qux => nil } }
+    def merge_protections(protections, protected_params)
+      protected_params.each do |k,v|
+        if protections[k].is_a?(Hash)
+          merge_protections(protections[k], v) if v
+        else
+          protections[k] = v
+        end
+      end
+
+      protections
+    end
     
     # When specifying params to protect, we allow a combination of arrays and hashes much like how
     # ActiveRecord::Base#find's :include options works.  This method normalizes that into just nested hashes,

data/param_protected.gemspec

@@ -1,15 +1,15 @@
 # Generated by jeweler
-# DO NOT EDIT THIS FILE
-# Instead, edit Jeweler::Tasks in Rakefile, and run `rake gemspec`
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run the gemspec command
 # -*- encoding: utf-8 -*-
 
 Gem::Specification.new do |s|
   s.name = %q{param_protected}
-  s.version = "1.1.0"
+  s.version = "1.2.0"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Christopher J. Bottaro"]
-  s.date = %q{2009-09-12}
+  s.date = %q{2010-02-18}
   s.description = %q{Provides two class methods on ActiveController::Base that filter the params hash for that controller's actions.  You can think of them as the controller analog of attr_protected and attr_accessible.}
   s.email = %q{cjbottaro@alumni.cs.utexas.edu}
   s.extra_rdoc_files = [
@@ -34,6 +34,8 @@ Gem::Specification.new do |s|
      "test/app_root/app/controllers/accessible_except_controller.rb",
      "test/app_root/app/controllers/accessible_only_controller.rb",
      "test/app_root/app/controllers/application_controller.rb",
+     "test/app_root/app/controllers/inherited_users_controller.rb",
+     "test/app_root/app/controllers/merge_controller.rb",
      "test/app_root/app/controllers/protected_controller.rb",
      "test/app_root/app/controllers/users_controller.rb",
      "test/app_root/config/boot.rb",
@@ -46,17 +48,18 @@ Gem::Specification.new do |s|
      "test/app_root/config/environments/sqlite3.rb",
      "test/app_root/config/routes.rb",
      "test/app_root/lib/console_with_fixtures.rb",
+     "test/inherited_users_controller_test.rb",
+     "test/merge_controller_test.rb",
      "test/protected_controller_test.rb",
      "test/protector_test.rb",
      "test/test_helper.rb",
      "test/users_controller_test.rb",
      "uninstall.rb"
   ]
-  s.has_rdoc = true
   s.homepage = %q{http://github.com/cjbottaro/param_protected}
   s.rdoc_options = ["--charset=UTF-8"]
   s.require_paths = ["lib"]
-  s.rubygems_version = %q{1.3.2}
+  s.rubygems_version = %q{1.3.5}
   s.summary = %q{Filter unwanted parameters in your controllers and actions.}
   s.test_files = [
     "test/accessible_except_test.rb",
@@ -64,6 +67,8 @@ Gem::Specification.new do |s|
      "test/app_root/app/controllers/accessible_except_controller.rb",
      "test/app_root/app/controllers/accessible_only_controller.rb",
      "test/app_root/app/controllers/application_controller.rb",
+     "test/app_root/app/controllers/inherited_users_controller.rb",
+     "test/app_root/app/controllers/merge_controller.rb",
      "test/app_root/app/controllers/protected_controller.rb",
      "test/app_root/app/controllers/users_controller.rb",
      "test/app_root/config/boot.rb",
@@ -75,6 +80,8 @@ Gem::Specification.new do |s|
      "test/app_root/config/environments/sqlite3.rb",
      "test/app_root/config/routes.rb",
      "test/app_root/lib/console_with_fixtures.rb",
+     "test/inherited_users_controller_test.rb",
+     "test/merge_controller_test.rb",
      "test/protected_controller_test.rb",
      "test/protector_test.rb",
      "test/test_helper.rb",
@@ -91,3 +98,4 @@ Gem::Specification.new do |s|
   else
   end
 end
+

data/test/app_root/app/controllers/inherited_users_controller.rb

@@ -0,0 +1,4 @@
+class InheritedUsersController < UsersController
+  param_accessible :user => :password
+  param_protected :user => :name
+end

data/test/app_root/app/controllers/merge_controller.rb

@@ -0,0 +1,11 @@
+class MergeController < ApplicationController
+  param_accessible :a, :only => :first
+  param_accessible :b
+  param_accessible({ :h => :c}, :except => :first)
+  param_accessible :h => :b
+  
+
+  def first; end
+
+  def second; end
+end

data/test/inherited_users_controller_test.rb

@@ -0,0 +1,24 @@
+require "test_helper"
+
+class InheritedUsersControllerTest < ActionController::TestCase
+  
+  PARAMS = { :user => { :id => 123,
+                          :name => { :first => "chris", :middle => "james", :last => "bottaro"},
+                          :email => "cjbottaro@blah.com",
+                          :password => "SEcReT" },
+             :something => "something" }
+             
+  EXPECTED_PARAMS = { "user" => { "email" => "cjbottaro@blah.com",
+                                  "password" => "SEcReT" } }
+
+  def test_create
+    get :create, PARAMS
+    assert_equal EXPECTED_PARAMS, params
+  end
+  
+  def test_update
+    get :update, PARAMS
+    assert_equal EXPECTED_PARAMS, params
+  end
+  
+end

data/test/merge_controller_test.rb

@@ -0,0 +1,15 @@
+require "test_helper"
+
+class MergeControllerTest < ActionController::TestCase
+  
+  test_action :first do
+    assert_params %w[a b h]
+    assert_equal({"b" => "b"}, params["h"])
+  end
+  
+  test_action :second do
+    assert_params %w[b h]
+    assert_equal({"b" => "b", "c" => "c"}, params["h"])
+  end
+  
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: param_protected
 version: !ruby/object:Gem::Version 
-  version: 1.1.0
+  version: 1.2.0
 platform: ruby
 authors: 
 - Christopher J. Bottaro
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2009-12-04 00:00:00 -06:00
+date: 2010-02-18 00:00:00 -06:00
 default_executable: 
 dependencies: []
 
@@ -40,6 +40,8 @@ files:
 - test/app_root/app/controllers/accessible_except_controller.rb
 - test/app_root/app/controllers/accessible_only_controller.rb
 - test/app_root/app/controllers/application_controller.rb
+- test/app_root/app/controllers/inherited_users_controller.rb
+- test/app_root/app/controllers/merge_controller.rb
 - test/app_root/app/controllers/protected_controller.rb
 - test/app_root/app/controllers/users_controller.rb
 - test/app_root/config/boot.rb
@@ -52,6 +54,8 @@ files:
 - test/app_root/config/environments/sqlite3.rb
 - test/app_root/config/routes.rb
 - test/app_root/lib/console_with_fixtures.rb
+- test/inherited_users_controller_test.rb
+- test/merge_controller_test.rb
 - test/protected_controller_test.rb
 - test/protector_test.rb
 - test/test_helper.rb
@@ -91,6 +95,8 @@ test_files:
 - test/app_root/app/controllers/accessible_except_controller.rb
 - test/app_root/app/controllers/accessible_only_controller.rb
 - test/app_root/app/controllers/application_controller.rb
+- test/app_root/app/controllers/inherited_users_controller.rb
+- test/app_root/app/controllers/merge_controller.rb
 - test/app_root/app/controllers/protected_controller.rb
 - test/app_root/app/controllers/users_controller.rb
 - test/app_root/config/boot.rb
@@ -102,6 +108,8 @@ test_files:
 - test/app_root/config/environments/sqlite3.rb
 - test/app_root/config/routes.rb
 - test/app_root/lib/console_with_fixtures.rb
+- test/inherited_users_controller_test.rb
+- test/merge_controller_test.rb
 - test/protected_controller_test.rb
 - test/protector_test.rb
 - test/test_helper.rb