parameter_filter 1.0.0

data/.gitignore

@@ -0,0 +1,4 @@
+*.gem
+.bundle
+Gemfile.lock
+pkg/*

data/Gemfile

@@ -0,0 +1,4 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in activerecord-parameter_filter.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2012 Alex McHale
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.markdown

@@ -0,0 +1,43 @@
+parameter_filter
+================
+
+Summary
+-------
+
+ParameterFilter is a module to mix into ActionController subclasses. It inserts
+a before_filter which will automatically remove any fields in params that are
+not explicitly allowed.
+
+Installation
+------------
+
+Include the following in your Gemfile:
+
+    gem "parameter_filter"
+
+Usage
+-----
+
+For global security, include the following in your ApplicationController:
+
+    include ParameterFilter
+
+Then, inside each of you controllers, specify what fields you want each action
+to receive:
+
+    # Accept user[email] and user[password] on the create and update actions.
+    accepts :fields => { :user => [ :email, :password ] }, :on => [ :create, :update ]
+
+    # Accept user[email] and user[password] on all actions.
+    accepts fields: { user: %w( email password ) } 
+
+    # Accept q on the search action.
+    accepts field: "q", on: "search"
+
+    # Accept q and sort on the search and index actions.
+    accepts fields: [ :q, :sort ], on: %w( search index )
+
+ParameterFilter should be pretty flexible in what you throw at it.
+
+NOTE: All actions are automatically allowed to receive :controller, :action and
+:id.

data/Rakefile

@@ -0,0 +1,9 @@
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/*_test.rb'
+  t.verbose = true
+end

data/lib/parameter_filter.rb

@@ -0,0 +1,98 @@
+require "parameter_filter/version"
+
+# When a controller has ParameterFilter included, it will by default remove
+# everything from params. The way to receive parameters is to specifically
+# allow them with accept_fields.
+
+module ParameterFilter
+
+  module ClassMethods
+
+    def accept_fields_parser fields
+      table = {}
+
+      [fields].flatten.compact.uniq.each do |field|
+        case field
+
+        when Symbol, String
+          table[field.to_s] = {}
+
+        when Hash
+          field.each do |key, value|
+            table[key.to_s] = accept_fields_parser value
+          end
+
+        end
+      end
+
+      table
+    end
+
+    def accepts options = {}
+      @_accepted_fields ||= { nil => { "controller" => {}, "action" => {}, "id" => {} } }
+      fields = options[:fields] || options[:field] || {}
+
+      case options[:on]
+      when Array
+        options[:on].each do |k|
+          @_accepted_fields[k.to_s] = accept_fields_parser fields
+        end
+
+      when Symbol, String
+        @_accepted_fields[options[:on].to_s] = accept_fields_parser fields
+
+      else
+        @_accepted_fields[nil] ||= {}
+        @_accepted_fields[nil].merge! accept_fields_parser fields
+
+      end
+    end
+
+  end
+
+  module InstanceMethods
+
+    def remove_filtered_parameters accepted_fields = nil, parameters = nil
+      if !accepted_fields && !parameters
+        accepted_fields = self.class.instance_variable_get("@_accepted_fields") || {}
+        fields = (accepted_fields[nil] || {}).merge(accepted_fields[self.action_name] || {})
+        remove_filtered_parameters fields, self.params
+      elsif parameters
+        accepted_keys = ParameterFilter.field_keys accepted_fields
+        accepted_keys += [ :controller, :action, :id ] if parameters == params
+        parameters.slice! *accepted_keys
+
+        ParameterFilter.each_field accepted_fields do |k, v|
+          remove_filtered_parameters v, parameters[k] if parameters[k].kind_of? Hash
+        end
+      end
+    end
+
+  end
+
+  def self.each_field fields
+    [ fields ].flatten.compact.uniq.each do |f|
+      case f
+      when Hash then f.each { |k, v| yield k, v }
+      when String, Symbol then yield f
+      end
+    end
+  end
+
+  def self.field_keys fields
+    fields.map do |field|
+      case field
+      when Array then field_keys field
+      when Hash then field.keys
+      else field
+      end
+    end.flatten.compact.uniq
+  end
+
+  def self.included base
+    base.send :extend, ClassMethods
+    base.send :include, InstanceMethods
+    base.send :before_filter, :remove_filtered_parameters
+  end
+
+end

data/lib/parameter_filter/version.rb

@@ -0,0 +1,5 @@
+module Activerecord
+  module ParameterFilter
+    VERSION = "1.0.0"
+  end
+end

data/parameter_filter.gemspec

@@ -0,0 +1,24 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "parameter_filter/version"
+
+Gem::Specification.new do |s|
+  s.name        = "parameter_filter"
+  s.version     = Activerecord::ParameterFilter::VERSION
+  s.authors     = ["Alex McHale"]
+  s.email       = ["alex@anticlever.com"]
+  s.homepage    = ""
+  s.summary     = %q{A gem to easily filter out unwanted parameters in ActionController.}
+  s.description = %q{A gem to easily filter out unwanted parameters in ActionController.}
+
+  s.rubyforge_project = "parameter_filter"
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+
+  # specify any dependencies here; for example:
+  # s.add_development_dependency "rspec"
+  # s.add_runtime_dependency "rest-client"
+end

data/test/parameter_filter_test.rb

@@ -0,0 +1,57 @@
+require "test_helper"
+
+class ParamterFilterTest < MiniTest::Unit::TestCase
+
+  def test_class_with_parameter_filter
+    klass = Class.new
+    klass.expects(:before_filter).with(:remove_filtered_parameters).once
+    klass.send :include, ParameterFilter
+  end
+
+  def test_allowing_core_parameters
+    controller = self.filtered_controller
+    controller.params = { controller: "users", action: "index", id: 123 }
+    controller.remove_filtered_parameters
+    assert_equal [ :controller, :action, :id ], controller.params.keys
+  end
+
+  def test_removing_noncore_parameters
+    controller = self.filtered_controller
+    controller.params = { foo: 999 }
+    assert_equal 999, controller.params[:foo]
+    controller.remove_filtered_parameters
+    assert_equal nil, controller.params[:foo]
+  end
+
+  def test_allowing_nested_fields
+    controller = self.filtered_controller fields: { user: "email" }
+    controller.params = { "user" => { "email" => "joe@example.com" } }
+    assert_equal "joe@example.com", controller.params["user"]["email"]
+    controller.remove_filtered_parameters
+    assert_equal "joe@example.com", controller.params["user"]["email"]
+  end
+
+  def test_removing_nested_fields
+    controller = self.filtered_controller
+    controller.params = { "user" => { "email" => "joe@example.com" } }
+    assert_equal "joe@example.com", controller.params["user"]["email"]
+    controller.remove_filtered_parameters
+    assert_equal nil, controller.params["user"]
+  end
+
+  protected
+
+  def filtered_controller options = {}
+    klass = Class.new
+    klass.stubs :before_filter
+    klass.send :include, ParameterFilter
+    klass.send :accepts, options
+
+    klass.new.tap do |controller|
+      def controller.action_name; "index"; end
+      def controller.params; @params ||= {}; end
+      def controller.params= p; @params = p; end
+    end
+  end
+
+end

data/test/test_helper.rb

@@ -0,0 +1,39 @@
+require "parameter_filter"
+require "minitest/autorun"
+require "minitest/mock"
+require "turn/autorun"
+require "mocha"
+
+# Taken from Rails for testing purposes, as they're the what the entire gem leans.
+class Hash
+  # Slice a hash to include only the given keys. This is useful for
+  # limiting an options hash to valid keys before passing to a method:
+  #
+  #   def search(criteria = {})
+  #     assert_valid_keys(:mass, :velocity, :time)
+  #   end
+  #
+  #   search(options.slice(:mass, :velocity, :time))
+  #
+  # If you have an array of keys you want to limit to, you should splat them:
+  #
+  #   valid_keys = [:mass, :velocity, :time]
+  #   search(options.slice(*valid_keys))
+  def slice(*keys)
+    keys = keys.map! { |key| convert_key(key) } if respond_to?(:convert_key)
+    hash = self.class.new
+    keys.each { |k| hash[k] = self[k] if has_key?(k) }
+    hash
+  end
+
+  # Replaces the hash with only the given keys.
+  # Returns a hash contained the removed key/value pairs
+  #   {:a => 1, :b => 2, :c => 3, :d => 4}.slice!(:a, :b) # => {:c => 3, :d => 4}
+  def slice!(*keys)
+    keys = keys.map! { |key| convert_key(key) } if respond_to?(:convert_key)
+    omit = slice(*self.keys - keys)
+    hash = slice(*keys)
+    replace(hash)
+    omit
+  end
+end

metadata

@@ -0,0 +1,57 @@
+--- !ruby/object:Gem::Specification
+name: parameter_filter
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+  prerelease: 
+platform: ruby
+authors:
+- Alex McHale
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-03-26 00:00:00.000000000 Z
+dependencies: []
+description: A gem to easily filter out unwanted parameters in ActionController.
+email:
+- alex@anticlever.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- LICENSE
+- README.markdown
+- Rakefile
+- lib/parameter_filter.rb
+- lib/parameter_filter/version.rb
+- parameter_filter.gemspec
+- test/parameter_filter_test.rb
+- test/test_helper.rb
+homepage: ''
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: parameter_filter
+rubygems_version: 1.8.11
+signing_key: 
+specification_version: 3
+summary: A gem to easily filter out unwanted parameters in ActionController.
+test_files:
+- test/parameter_filter_test.rb
+- test/test_helper.rb