param_protected 1.2.0 → 1.3.0

data/README.rdoc

@@ -46,6 +46,7 @@ If you call <tt>param_protected</tt> or <tt>param_accessible</tt> multiple times
  param_protected [{ :user => [:first, :last] }, :password], :only => :some_action
 Is equivalent to saying...
  param_protected [:id, { :user => [:first, :last] }, :password], :only => :some_action
+
 Credit: Moritz Heidkamp
 
 === Inheritance
@@ -53,6 +54,20 @@ Param protections will be inherited to derived controllers.
 
 Credit: Moritz Heidkamp
 
+=== Conditions
+You can conditionally protect params...
+ param_protected :admin, :unless => "user_is_admin?"
+ param_accessible :admin, :if => :user_is_admin?
+ param_protected :admin, :unless => Proc.new{ |controller| controller.user_is_admin? }
+
+Credit: Mortiz Heidkamp
+
+== Regular Expressions
+You can use regular expressions when specifying which params to make protected or accessible.
+ param_accessible /item\d/
+
+Credit: Mortiz Heidkamp
+
 === How does it work?
 It does an <tt>alias_method_chain</tt> on <tt>ActionController::Base#params</tt> that filters (and caches) the params.  You can get the unfiltered, pristine params by calling <tt>ActionController::Base#params_without_protection</tt>.
 

data/VERSION

@@ -1 +1 @@
-1.2.0
+1.3.0

data/lib/param_protected/controller_modifications.rb

@@ -46,7 +46,7 @@ module ParamProtected
         elsif @params_protected
           @params_protected
         else
-          @params_protected = Protector.instance(self.class).protect(params_without_protection, action_name)
+          @params_protected = Protector.instance(self.class).protect(self, params_without_protection, action_name)
         end
         
       end

data/lib/param_protected/protector.rb

@@ -17,15 +17,15 @@ module ParamProtected
       copy.instance_variable_set(:@protections, deep_copy(@protections))
     end
     
-    def declare_protection(params, actions, exclusivity)
+    def declare_protection(params, options, exclusivity)
       params  = normalize_params(params)
-      actions = normalize_actions(actions)
-      @protections << [params, actions, exclusivity]
+      actions, condition = normalize_options(options)
+      @protections << [params, actions, condition, exclusivity]
     end
     
-    def protect(controller_params, action_name)
+    def protect(controller, controller_params, action_name)
       returning(deep_copy(controller_params)) do |params|
-        protections_for_action(action_name).each do |exclusivity, protected_params|
+        protections_for_action(controller, action_name).each do |exclusivity, protected_params|
           filter_params(protected_params, params, exclusivity) unless protected_params.empty?
         end
       end
@@ -33,12 +33,10 @@ module ParamProtected
     
   private
 
-    def protections_for_action(action_name)
-      @protections_for_action ||= { }
-
-      @protections_for_action[action_name] ||= @protections.select do |protected_params, actions, exclusivity|
-        action_matches?(actions[0], actions[1..-1], action_name)
-      end.inject({ WHITELIST => { }, BLACKLIST => { } }) do |result, (protected_params, action_name, exclusivity)|
+    def protections_for_action(controller, action_name)
+      @protections.select do |protected_params, actions, condition, exclusivity|
+        action_matches?(actions[0], actions[1..-1], action_name) && condition_applies?(controller, condition)
+      end.inject({ WHITELIST => { }, BLACKLIST => { } }) do |result, (protected_params, actions, condition, exclusivity)|
         merge_protections(result[exclusivity], protected_params)
         result
       end
@@ -80,36 +78,59 @@ module ParamProtected
         params.each{ |param| normalize_params(param, params_out) }
       elsif params.instance_of?(Hash)
         params.each do |k, v|
-          k = k.to_s
+          k = normalize_key(k)
           params_out[k] = {}
           normalize_params(v, params_out[k])
         end
       else
-        params_out[params.to_s] = nil
+        params_out[normalize_key(params)] = nil
       end
       params_out
     end
+
+    def normalize_key(k)
+      if k.is_a?(Regexp)
+        k
+      else
+        k.to_s
+      end
+    end
     
     # When specifying which actions param protection apply to, we allow a format like this...
     #   :only => [:action1, :action2]
     # This method normalizes that to...
     #   [:only, "action1", "action2"]
-    def normalize_actions(actions)
-      error_message = "invalid actions, use :only => ..., :except => ..., or nil"
-      return [:except, nil] if actions.blank?
-      raise ArgumentError, error_message unless actions.instance_of?(Hash)
-      raise ArgumentError, error_message unless actions.length == 1
-      raise ArgumentError, error_message unless [:only, :except].include?(actions.keys.first)
-      
-      scope, actions = actions.keys.first, actions.values.first
+    def normalize_options(options)
+      error_message = "invalid options, use :only or :except, :if or :unless"
+      return [[:except, nil], [:if, true]] if options.blank?
+
+      raise ArgumentError, error_message unless options.instance_of?(Hash)
+
+      scope = [:only, :except] & options.keys
+      condition = [:if, :unless] & options.keys
+
+      raise ArgumentError, error_message unless (options.keys - [:only, :except, :if, :unless]).empty?
+      raise ArgumentError, error_message if scope.size > 1 || condition.size > 1
+
+      scope = scope.first || :except
+      actions = options[scope]
       actions = [actions] unless actions.instance_of?(Array)
-      actions = actions.collect{ |action| action.to_s }
-      [scope, *actions]
+      actions = actions.collect{ |action| action.try(:to_s) }
+
+      condition = condition.first || :if
+      
+      if options.has_key?(condition)
+        condition_value = options[condition]
+      else
+        condition_value = true
+      end
+      
+      [[scope, *actions], [condition, condition_value]]
     end
     
     # When #dup just isn't enough... :P
     def deep_copy(object)
-      returning(try_to_dup(object)) do |new_object|
+      returning(try_to_clone(object)) do |new_object|
         case new_object
         when Hash
           new_object.each{ |k, v| new_object[k] = deep_copy(v) }
@@ -120,11 +141,28 @@ module ParamProtected
     end
     
     # Some objects are not dupable... like TrueClass, FalseClass and NilClass.
-    def try_to_dup(object)
-      object.dup
+    def try_to_clone(object)
+      object.clone
     rescue TypeError
       object
     end
+
+    def condition_applies?(controller, condition)
+      result = case condition[1]
+               when Proc
+                 condition[1].call(controller)
+               when Symbol, String
+                 controller.send(condition[1])
+               else
+                 condition[1]
+               end
+
+      if condition[0] == :unless
+        not result
+      else
+        result
+      end
+    end
     
     def action_matches?(scope, actions, action_name)
       if action_name.blank?
@@ -142,15 +180,35 @@ module ParamProtected
       return unless params.kind_of?(Hash)
       return if protected_params.nil?
       if exclusivity == BLACKLIST
-        params.delete_if{ |k, v| protected_params.has_key?(k) and protected_params[k].nil? }
+        params.delete_if{ |k, v| key_exists?(protected_params, k) and find_by_key(protected_params, k).nil? }
       elsif exclusivity == WHITELIST
-        params.delete_if{ |k, v| !protected_params.has_key?(k) }
+        params.delete_if{ |k, v| !key_exists?(protected_params, k) }
       else
         raise ArgumentError, "unexpected exclusivity: #{exclusivity}"
       end
       params.each{ |k, v| filter_params(protected_params[k], v, exclusivity) }
       params
     end
+
+    def find_by_key(protected_params, key)
+      protected_params.detect do |k,v|
+        key_matches?(k, key)
+      end.try(:last)
+    end
     
+    def key_exists?(protected_params, key)
+      protected_params.any? do |k,v|
+        key_matches?(k, key)
+      end
+    end
+
+    def key_matches?(k, key)
+      if k.is_a? Regexp
+        key.to_s =~ k
+      else
+        key.to_s == k.to_s
+      end
+    end
+
   end
-end
+end

data/param_protected.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = %q{param_protected}
-  s.version = "1.2.0"
+  s.version = "1.3.0"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Christopher J. Bottaro"]
-  s.date = %q{2010-02-18}
+  s.date = %q{2010-05-25}
   s.description = %q{Provides two class methods on ActiveController::Base that filter the params hash for that controller's actions.  You can think of them as the controller analog of attr_protected and attr_accessible.}
   s.email = %q{cjbottaro@alumni.cs.utexas.edu}
   s.extra_rdoc_files = [
@@ -34,6 +34,7 @@ Gem::Specification.new do |s|
      "test/app_root/app/controllers/accessible_except_controller.rb",
      "test/app_root/app/controllers/accessible_only_controller.rb",
      "test/app_root/app/controllers/application_controller.rb",
+     "test/app_root/app/controllers/conditions_controller.rb",
      "test/app_root/app/controllers/inherited_users_controller.rb",
      "test/app_root/app/controllers/merge_controller.rb",
      "test/app_root/app/controllers/protected_controller.rb",
@@ -48,6 +49,7 @@ Gem::Specification.new do |s|
      "test/app_root/config/environments/sqlite3.rb",
      "test/app_root/config/routes.rb",
      "test/app_root/lib/console_with_fixtures.rb",
+     "test/conditions_controller_test.rb",
      "test/inherited_users_controller_test.rb",
      "test/merge_controller_test.rb",
      "test/protected_controller_test.rb",
@@ -59,7 +61,7 @@ Gem::Specification.new do |s|
   s.homepage = %q{http://github.com/cjbottaro/param_protected}
   s.rdoc_options = ["--charset=UTF-8"]
   s.require_paths = ["lib"]
-  s.rubygems_version = %q{1.3.5}
+  s.rubygems_version = %q{1.3.6}
   s.summary = %q{Filter unwanted parameters in your controllers and actions.}
   s.test_files = [
     "test/accessible_except_test.rb",
@@ -67,6 +69,7 @@ Gem::Specification.new do |s|
      "test/app_root/app/controllers/accessible_except_controller.rb",
      "test/app_root/app/controllers/accessible_only_controller.rb",
      "test/app_root/app/controllers/application_controller.rb",
+     "test/app_root/app/controllers/conditions_controller.rb",
      "test/app_root/app/controllers/inherited_users_controller.rb",
      "test/app_root/app/controllers/merge_controller.rb",
      "test/app_root/app/controllers/protected_controller.rb",
@@ -80,6 +83,7 @@ Gem::Specification.new do |s|
      "test/app_root/config/environments/sqlite3.rb",
      "test/app_root/config/routes.rb",
      "test/app_root/lib/console_with_fixtures.rb",
+     "test/conditions_controller_test.rb",
      "test/inherited_users_controller_test.rb",
      "test/merge_controller_test.rb",
      "test/protected_controller_test.rb",

data/test/app_root/app/controllers/conditions_controller.rb

@@ -0,0 +1,21 @@
+class ConditionsController < ApplicationController
+  param_accessible :a, :if => :something?
+  param_accessible :b, :unless => false
+  param_protected  :b, :if => :first_action?
+  param_accessible :c, :if => lambda { |controller| controller.instance_eval { first_action? } }
+  
+  def first; end
+  
+  def second; end
+
+  protected
+  
+  def something?
+    true
+  end
+
+  def first_action?
+    action_name == 'first'
+  end
+  
+end

data/test/app_root/app/controllers/users_controller.rb

@@ -1,5 +1,5 @@
 class UsersController < ApplicationController
-  param_accessible( {:user => [ {:name => [:first, :last]}, :email ]} )
+  param_accessible( {:user => [ {:name => [:first, :last], /\A\d+\z/ => :ok}, :email ]} )
   
   def create; end
   def update; end

data/test/conditions_controller_test.rb

@@ -0,0 +1,13 @@
+require "test_helper"
+
+class ConditionsControllerTest < ActionController::TestCase
+  
+  test_action :first do
+    assert_params %w[a c]
+  end
+  
+  test_action :second do
+    assert_params %w[a b]
+  end
+  
+end

data/test/protector_test.rb

@@ -20,25 +20,29 @@ class HelpersTest < Test::Unit::TestCase
     assert_equal({"something" => {"stuff" => nil, "blah" => {"bleck" => nil}}}, params)
   end
   
-  def test_normalize_actions
-    actions = @protector.send(:normalize_actions, nil)
-    assert_equal [:except, nil], actions
+  def test_normalize_options
+    options = @protector.send(:normalize_options, nil)
+    assert_equal [[:except, nil], [:if, true]], options
     
-    actions = @protector.send(:normalize_actions, :only => :blah)
-    assert_equal [:only, "blah"], actions
+    options = @protector.send(:normalize_options, :only => :blah)
+    assert_equal [[:only, "blah"], [:if, true]], options
     
-    actions = @protector.send(:normalize_actions, :only => [:blah, :bleck])
-    assert_equal [:only, "blah", "bleck"], actions
+    options = @protector.send(:normalize_options, :only => [:blah, :bleck])
+    assert_equal [[:only, "blah", "bleck"], [:if, true]], options
     
-    actions = @protector.send(:normalize_actions, :except => :blah)
-    assert_equal [:except, "blah"], actions
+    options = @protector.send(:normalize_options, :except => :blah)
+    assert_equal [[:except, "blah"], [:if, true]], options
     
-    actions = @protector.send(:normalize_actions, :except => [:blah, :bleck])
-    assert_equal [:except, "blah", "bleck"], actions
+    options = @protector.send(:normalize_options, :except => [:blah, :bleck])
+    assert_equal [[:except, "blah", "bleck"], [:if, true]], options
+
+    options = @protector.send(:normalize_options, :unless => :foo?)
+    assert_equal [[:except, nil], [:unless, :foo?]], options
     
-    assert_raises(ArgumentError){ @protector.send(:normalize_actions, :onlyy => :blah) }
-    assert_raises(ArgumentError){ @protector.send(:normalize_actions, :blah) }
-    assert_raises(ArgumentError){ @protector.send(:normalize_actions, :only => :something, :except => :something) }
+    assert_raises(ArgumentError){ @protector.send(:normalize_options, :onlyy => :blah) }
+    assert_raises(ArgumentError){ @protector.send(:normalize_options, :blah) }
+    assert_raises(ArgumentError){ @protector.send(:normalize_options, :only => :something, :except => :something) }
+    assert_raises(ArgumentError){ @protector.send(:normalize_options, :if => :something, :unless => :something) }
   end
   
   def test_deep_copy

data/test/users_controller_test.rb

@@ -2,11 +2,15 @@ require "test_helper"
 
 class UsersControllerTest < ActionController::TestCase
   PARAMS = { :user => { :id => 123,
-                          :name => { :first => "chris", :middle => "james", :last => "bottaro"},
-                          :email => "cjbottaro@blah.com" },
+                        '33' => 'ok',
+                        '123' => 'ok',
+                        :x21 => 'ok',
+                        :name => { :first => "chris", :middle => "james", :last => "bottaro"},
+                        :email => "cjbottaro@blah.com" },
              :something => "something" }
              
   EXPECTED_PARAMS = { "user" => { "name" => {"first" => "chris", "last" => "bottaro"},
+                                  '33' => 'ok', '123' => 'ok',
                                   "email" => "cjbottaro@blah.com" } }
   
   def test_create

metadata

@@ -1,7 +1,12 @@
 --- !ruby/object:Gem::Specification 
 name: param_protected
 version: !ruby/object:Gem::Version 
-  version: 1.2.0
+  prerelease: false
+  segments: 
+  - 1
+  - 3
+  - 0
+  version: 1.3.0
 platform: ruby
 authors: 
 - Christopher J. Bottaro
@@ -9,7 +14,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-02-18 00:00:00 -06:00
+date: 2010-05-25 00:00:00 -05:00
 default_executable: 
 dependencies: []
 
@@ -40,6 +45,7 @@ files:
 - test/app_root/app/controllers/accessible_except_controller.rb
 - test/app_root/app/controllers/accessible_only_controller.rb
 - test/app_root/app/controllers/application_controller.rb
+- test/app_root/app/controllers/conditions_controller.rb
 - test/app_root/app/controllers/inherited_users_controller.rb
 - test/app_root/app/controllers/merge_controller.rb
 - test/app_root/app/controllers/protected_controller.rb
@@ -54,6 +60,7 @@ files:
 - test/app_root/config/environments/sqlite3.rb
 - test/app_root/config/routes.rb
 - test/app_root/lib/console_with_fixtures.rb
+- test/conditions_controller_test.rb
 - test/inherited_users_controller_test.rb
 - test/merge_controller_test.rb
 - test/protected_controller_test.rb
@@ -74,18 +81,20 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
+      segments: 
+      - 0
       version: "0"
-  version: 
 required_rubygems_version: !ruby/object:Gem::Requirement 
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
+      segments: 
+      - 0
       version: "0"
-  version: 
 requirements: []
 
 rubyforge_project: 
-rubygems_version: 1.3.5
+rubygems_version: 1.3.6
 signing_key: 
 specification_version: 3
 summary: Filter unwanted parameters in your controllers and actions.
@@ -95,6 +104,7 @@ test_files:
 - test/app_root/app/controllers/accessible_except_controller.rb
 - test/app_root/app/controllers/accessible_only_controller.rb
 - test/app_root/app/controllers/application_controller.rb
+- test/app_root/app/controllers/conditions_controller.rb
 - test/app_root/app/controllers/inherited_users_controller.rb
 - test/app_root/app/controllers/merge_controller.rb
 - test/app_root/app/controllers/protected_controller.rb
@@ -108,6 +118,7 @@ test_files:
 - test/app_root/config/environments/sqlite3.rb
 - test/app_root/config/routes.rb
 - test/app_root/lib/console_with_fixtures.rb
+- test/conditions_controller_test.rb
 - test/inherited_users_controller_test.rb
 - test/merge_controller_test.rb
 - test/protected_controller_test.rb