permitted_params 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: bc6f54f9bb3a7230d920553c7defd0017d8bfae0
+  data.tar.gz: 440ab938bf3e56db771a9e39dea2e9d1931d7d87
+SHA512:
+  metadata.gz: 855848a2a11215791b3eaa9984b6e6473f1567d83747c2908af312796dfd01b21c45da1d72b36a9aca0cbe86260ff24bc1b543679ebc8582c2afd5c5d2fc49c7
+  data.tar.gz: 2a528993c319fef9637f271ef437fec27b192111bbde5668d5b62f2224ddd7cdc3a3adbeb3017c23f7f76481c7d360e9e803645d47c1aa5d4dedace9aa85ef67

data/LICENSE

@@ -0,0 +1,20 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Amitree
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,75 @@
+permitted\_params
+================
+
+The move from **attr_accessible** to Strong Parameters arguably improved
+security by increasing developers' awareness and visibility of which
+attributes were whitelisted for mass assignment.  But once you get
+beyond toy applications, the standard practice of defining a
+`foo_params` method in each `FooController` leads to a lot of duplicated
+code, as you find yourself nesting the same structure in many different
+places.
+
+The `permitted_params` gem addresses this problem by allowing you to
+specify the mass-assignment rules in a single location using a very
+simple DSL.
+
+This work was inspired by
+[RailsCast #371](http://railscasts.com/episodes/371-strong-parameters). 
+Thanks, [ryanb](https://github.com/ryanb)!
+
+Usage
+-----
+
+Add to your Gemfile:
+
+```ruby
+gem 'permitted_params'
+```
+
+Then create an initializer, `config/initializers/permitted_params.rb`:
+
+```ruby
+PermittedParams.setup do |config|
+  config.user do
+    # We always permit username and password to be mass-assigned
+    scalar :username, :password
+
+    # email can be mass-assigned from create (but not from update)
+    scalar :email if action_is(:create)
+
+    # Only admins can change the is_admin flag.  Note that we can call
+    # any controller methods (including current_user) from this scope.
+    scalar :is_admin if current_user.admin?
+
+    # We permit job_ids to be an array of scalar values
+    array :job_ids
+
+    # We permit person_attributes containing the whitelisted attributes
+    # of person (see definition below)
+    nested :person
+  end
+
+  config.person do
+    # Inheritance!
+    inherits :thing_with_name
+  end
+
+  config.thing_with_name do
+    scalar :name
+  end
+end
+```
+
+Now in your controllers, you can simply write:
+
+```ruby
+@user = User.create(permitted_params.user)
+```
+
+or:
+
+```ruby
+user_attributes = { ... some hash ... }
+@user = User.create(permitted_params.user(user_attributes))
+```
+

data/lib/permitted_params.rb

@@ -0,0 +1,106 @@
+class PermittedParams < Struct.new(:params, :controller)
+  def method_missing(method, *args, &block)
+    if method.match /_attributes\z/
+      super
+    else
+      params_hash = args.length > 0 ? args[0] : params[method]
+      permit(params_hash, method)
+    end
+  end
+
+  def permit(params, as_type)
+    attrs_method = "#{as_type}_attributes".to_sym
+    permitted_params = send(attrs_method)
+    begin
+      params.try(:permit, *permitted_params)
+    rescue => e
+      Rails.logger.warn "Exception caught in PermittedParams"
+      Rails.logger.warn "params: #{params.inspect}"
+      Rails.logger.warn "permitted_params: #{permitted_params.inspect}"
+      raise e
+    end
+  end
+
+  def self.define(symbol, &block)
+    define_method("#{symbol}_attributes") do
+      attrs = Attributes.new(self)
+      attrs.instance_eval(&block)
+      attrs.attributes
+    end
+  end
+
+  def self.setup(&block)
+    block.call(Configurator.new)
+  end
+
+  class Configurator
+    def method_missing(method, *args, &block)
+      ::PermittedParams.define(method, &block)
+    end
+  end
+
+  class Attributes
+    attr_accessor :attributes
+
+    def initialize(permitted_params)
+      @attributes = []
+      @permitted_params = permitted_params
+    end
+
+    def scalar(*attrs)
+      self.attributes += attrs
+    end
+
+    def array(*attrs)
+      attrs.each do |attr|
+        self.attributes << {attr => []}
+      end
+    end
+
+    def nested(*attrs_or_options)
+      attrs = attrs_or_options
+      if attrs_or_options.last.is_a? Hash
+        options = attrs_or_options.pop
+      else
+        options = {}
+      end
+
+      attrs.each do |attr|
+        # attr is like questions or questions_attributes
+        attr = attr.to_s.gsub(/_attributes\z/, '')
+        singular_attr = attr.singularize
+
+        child_attrs = @permitted_params.send("#{singular_attr}_attributes")
+        child_attrs << :id
+        child_attrs << :_destroy if options[:allow_destroy]
+        self.attributes << {"#{attr}_attributes".to_sym => child_attrs}
+      end
+    end
+
+    def inherits(*other_attrs)
+      other_attrs.each do |other_attr|
+        self.attributes += @permitted_params.send("#{other_attr}_attributes")
+      end
+    end
+
+    def action_is(action_name)
+      @permitted_params.params[:action].to_sym == action_name.to_sym
+    end
+
+    def method_missing(method, *args, &block)
+      controller = @permitted_params.controller
+      if controller.respond_to? method
+        controller.send(method, *args, &block)
+      else
+        super
+      end
+    end
+  end
+end
+
+class ActionController::Base
+protected
+  def permitted_params
+    PermittedParams.new(params, self)
+  end
+end

metadata

@@ -0,0 +1,46 @@
+--- !ruby/object:Gem::Specification
+name: permitted_params
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Tony Novak
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-02-08 00:00:00.000000000 Z
+dependencies: []
+description: Permitted Params
+email: tony@amitree.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/permitted_params.rb
+- LICENSE
+- README.md
+homepage: http://rubygems.org/gems/permitted_params
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.0.3
+signing_key: 
+specification_version: 4
+summary: Permitted Params
+test_files: []