protected_attributes 1.0.0

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/.travis.yml

@@ -0,0 +1,17 @@
+language: ruby
+before_install:
+  - gem install bundler
+rvm:
+  - 1.9.3
+notifications:
+  email: false
+  irc:
+    on_success: change
+    on_failure: always
+    channels:
+      - "irc.freenode.org#rails-contrib"
+  campfire:
+    on_success: change
+    on_failure: always
+    rooms:
+      - secure: "CGWvthGkBKNnTnk9YSmf9AXKoiRI33fCl5D3jU4nx3cOPu6kv2R9nMjt9EAo\nOuS4Q85qNSf4VNQ2cUPNiNYSWQ+XiTfivKvDUw/QW9r1FejYyeWarMsSBWA+\n0fADjF1M2dkDIVLgYPfwoXEv7l+j654F1KLKB69F0F/netwP9CQ="

data/Gemfile

@@ -0,0 +1,7 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in protected_attributes.gemspec
+gem 'rails', github: 'rails/rails', branch: 'master'
+gem 'activerecord-deprecated_finders', github: 'rails/activerecord-deprecated_finders', branch: 'master'
+
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2012 Guillermo Iguaran
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,111 @@
+# ProtectedAttributes
+
+Protect attributes from mass-assignment in ActiveRecord models.
+
+This plugin adds `attr_accessible` and `attr_protected` in your models.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'protected_attributes'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install protected_attributes
+
+## Usage
+
+Mass assignment security provides an interface for protecting attributes from end-user assignment. This plugin provides two class methods in your Active Record class to control access to your attributes. The `attr_protected` method takes a list of attributes that will not be accessible for mass-assignment. 
+
+For example:
+
+    attr_protected :admin
+
+`attr_protected` also optionally takes a role option using `:as` which allows you to define multiple mass-assignment groupings. If no role is defined then attributes will be added to the `:default` role.
+
+    attr_protected :last_login, :as => :admin
+
+A much better way, because it follows the whitelist-principle, is the `attr_accessible` method. It is the exact opposite of `attr_protected`, because it takes a list of attributes that will be accessible. All other attributes will be protected. This way you won’t forget to protect attributes when adding new ones in the course of development. Here is an example:
+
+    attr_accessible :name
+    attr_accessible :name, :is_admin, :as => :admin
+
+If you want to set a protected attribute, you will to have to assign it individually:
+
+    params[:user] # => {:name => "owned", :admin => true}
+    @user = User.new(params[:user])
+    @user.admin # => false, not mass-assigned
+    @user.admin = true
+    @user.admin # => true
+
+When assigning attributes in Active Record using `attributes=` the `:default` role will be used. To assign attributes using different roles you should use `assign_attributes` which accepts an optional `:as` options parameter. If no `:as` option is provided then the `:default` role will be used. 
+You can also bypass mass-assignment security by using the `:without_protection` option. Here is an example:
+
+    @user = User.new
+ 
+    @user.assign_attributes({ :name => 'Josh', :is_admin => true })
+    @user.name # => Josh
+    @user.is_admin # => false
+ 
+    @user.assign_attributes({ :name => 'Josh', :is_admin => true }, :as => :admin)
+    @user.name # => Josh
+    @user.is_admin # => true
+ 
+    @user.assign_attributes({ :name => 'Josh', :is_admin => true }, :without_protection => true)
+    @user.name # => Josh
+    @user.is_admin # => true
+
+In a similar way, `new`, `create`, `create!`, `update_attributes` and `update_attributes!` methods all respect mass-assignment security and accept either `:as` or `:without_protection` options. For example:
+
+    @user = User.new({ :name => 'Sebastian', :is_admin => true }, :as => :admin)
+    @user.name # => Sebastian
+    @user.is_admin # => true
+ 
+    @user = User.create({ :name => 'Sebastian', :is_admin => true }, :without_protection => true)
+    @user.name # => Sebastian
+    @user.is_admin # => true
+
+A more paranoid technique to protect your whole project would be to enforce that all models define their accessible attributes. 
+This can be easily achieved with a very simple application config option of:
+
+    config.active_record.whitelist_attributes = true
+
+This will create an empty whitelist of attributes available for mass-assignment for all models in your app. 
+As such, your models will need to explicitly whitelist or blacklist accessible parameters by using an `attr_accessible` or `attr_protected` declaration. This technique is best applied at the start of a new project. However, for an existing project with a thorough set of functional tests, it should be straightforward and relatively quick to use this application config option; run your tests, and expose each attribute (via `attr_accessible` or `attr_protected`), as dictated by your failing test.
+
+For more complex permissions, mass-assignment security may be handled outside the model by extending a non-ActiveRecord class, such as a controller, with this behavior.
+
+For example, a logged-in user may need to assign additional attributes depending on their role:
+
+    class AccountsController < ApplicationController
+      include ActiveModel::MassAssignmentSecurity
+
+      attr_accessible :first_name, :last_name
+      attr_accessible :first_name, :last_name, :plan_id, :as => :admin
+
+      def update
+        ...
+        @account.update_attributes(account_params)
+        ...
+      end
+
+      protected
+
+      def account_params
+        role = admin ? :admin : :default
+        sanitize_for_mass_assignment(params[:account], role)
+      end
+    end
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,11 @@
+#!/usr/bin/env rake
+require "bundler/gem_tasks"
+require 'rake/testtask'
+
+Rake::TestTask.new do |t|
+  t.libs = ["test"]
+  t.pattern = "test/**/*_test.rb"
+  t.ruby_opts = ['-w']
+end
+
+task :default => :test

data/lib/action_controller/accessible_params_wrapper.rb

@@ -0,0 +1,29 @@
+require 'active_support/concern'
+require 'action_controller'
+require 'action_controller/metal/params_wrapper'
+
+module ActionController
+  module ParamsWrapper
+    class Options # :nodoc:
+      def include
+        return super if @include_set
+
+        m = model
+        synchronize do
+          return super if @include_set
+
+          @include_set = true
+
+          unless super || exclude
+
+            if m.respond_to?(:accessible_attributes) && m.accessible_attributes(:default).present?
+              self.include = m.accessible_attributes(:default).to_a
+            elsif m.respond_to?(:attribute_names) && m.attribute_names.any?
+              self.include = m.attribute_names
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/active_model/mass_assignment_security.rb

@@ -0,0 +1,353 @@
+require 'active_support/concern'
+require 'active_support/core_ext/class/attribute'
+require 'active_support/core_ext/string/inflections'
+require 'active_model'
+require 'active_model/mass_assignment_security/permission_set'
+require 'active_model/mass_assignment_security/sanitizer'
+
+module ActiveModel
+  # == Active Model Mass-Assignment Security
+  #
+  # Mass assignment security provides an interface for protecting attributes
+  # from end-user assignment. For more complex permissions, mass assignment
+  # security may be handled outside the model by extending a non-ActiveRecord
+  # class, such as a controller, with this behavior.
+  #
+  # For example, a logged in user may need to assign additional attributes
+  # depending on their role:
+  #
+  #   class AccountsController < ApplicationController
+  #     include ActiveModel::MassAssignmentSecurity
+  #
+  #     attr_accessible :first_name, :last_name
+  #     attr_accessible :first_name, :last_name, :plan_id, as: :admin
+  #
+  #     def update
+  #       ...
+  #       @account.update_attributes(account_params)
+  #       ...
+  #     end
+  #
+  #     protected
+  #
+  #     def account_params
+  #       role = admin ? :admin : :default
+  #       sanitize_for_mass_assignment(params[:account], role)
+  #     end
+  #
+  #   end
+  #
+  # === Configuration options
+  #
+  # * <tt>mass_assignment_sanitizer</tt> - Defines sanitize method. Possible
+  #   values are:
+  #   * <tt>:logger</tt> (default) - writes filtered attributes to logger
+  #   * <tt>:strict</tt> - raise <tt>ActiveModel::MassAssignmentSecurity::Error</tt>
+  #     on any protected attribute update.
+  #
+  # You can specify your own sanitizer object eg. <tt>MySanitizer.new</tt>.
+  # See <tt>ActiveModel::MassAssignmentSecurity::LoggerSanitizer</tt> for
+  # example implementation.
+  module MassAssignmentSecurity
+    extend ActiveSupport::Concern
+
+    included do
+      class_attribute :_accessible_attributes, instance_writer: false
+      class_attribute :_protected_attributes,  instance_writer: false
+      class_attribute :_active_authorizer,     instance_writer: false
+
+      class_attribute :_mass_assignment_sanitizer, instance_writer: false
+      self.mass_assignment_sanitizer = :logger
+    end
+
+    module ClassMethods
+      # Attributes named in this macro are protected from mass-assignment
+      # whenever attributes are sanitized before assignment. A role for the
+      # attributes is optional, if no role is provided then <tt>:default</tt>
+      # is used. A role can be defined by using the <tt>:as</tt> option with a
+      # symbol or an array of symbols as the value.
+      #
+      # Mass-assignment to these attributes will simply be ignored, to assign
+      # to them you can use direct writer methods. This is meant to protect
+      # sensitive attributes from being overwritten by malicious users
+      # tampering with URLs or forms.
+      #
+      #   class Customer
+      #     include ActiveModel::MassAssignmentSecurity
+      #
+      #     attr_accessor :name, :email, :logins_count
+      #
+      #     attr_protected :logins_count
+      #     # Suppose that admin can not change email for customer
+      #     attr_protected :logins_count, :email, as: :admin
+      #
+      #     def assign_attributes(values, options = {})
+      #       sanitize_for_mass_assignment(values, options[:as]).each do |k, v|
+      #         send("#{k}=", v)
+      #       end
+      #     end
+      #   end
+      #
+      # When using the <tt>:default</tt> role:
+      #
+      #   customer = Customer.new
+      #   customer.assign_attributes({ name: 'David', email: 'a@b.com', logins_count: 5 }, as: :default)
+      #   customer.name         # => "David"
+      #   customer.email        # => "a@b.com"
+      #   customer.logins_count # => nil
+      #
+      # And using the <tt>:admin</tt> role:
+      #
+      #   customer = Customer.new
+      #   customer.assign_attributes({ name: 'David', email: 'a@b.com', logins_count: 5}, as: :admin)
+      #   customer.name         # => "David"
+      #   customer.email        # => nil
+      #   customer.logins_count # => nil
+      #
+      #   customer.email = 'c@d.com'
+      #   customer.email # => "c@d.com"
+      #
+      # To start from an all-closed default and enable attributes as needed,
+      # have a look at +attr_accessible+.
+      #
+      # Note that using <tt>Hash#except</tt> or <tt>Hash#slice</tt> in place of
+      # +attr_protected+ to sanitize attributes provides basically the same
+      # functionality, but it makes a bit tricky to deal with nested attributes.
+      def attr_protected(*args)
+        options = args.extract_options!
+        role = options[:as] || :default
+
+        self._protected_attributes = protected_attributes_configs.dup
+
+        Array(role).each do |name|
+          self._protected_attributes[name] = self.protected_attributes(name) + args
+        end
+
+        self._active_authorizer = self._protected_attributes
+      end
+
+      # Specifies a white list of model attributes that can be set via
+      # mass-assignment.
+      #
+      # Like +attr_protected+, a role for the attributes is optional,
+      # if no role is provided then <tt>:default</tt> is used. A role can be
+      # defined by using the <tt>:as</tt> option with a symbol or an array of
+      # symbols as the value.
+      #
+      # This is the opposite of the +attr_protected+ macro: Mass-assignment
+      # will only set attributes in this list, to assign to the rest of
+      # attributes you can use direct writer methods. This is meant to protect
+      # sensitive attributes from being overwritten by malicious users
+      # tampering with URLs or forms. If you'd rather start from an all-open
+      # default and restrict attributes as needed, have a look at
+      # +attr_protected+.
+      #
+      #   class Customer
+      #     include ActiveModel::MassAssignmentSecurity
+      #
+      #     attr_accessor :name, :credit_rating
+      #
+      #     # Both admin and default user can change name of a customer
+      #     attr_accessible :name, as: [:admin, :default]
+      #     # Only admin can change credit rating of a customer
+      #     attr_accessible :credit_rating, as: :admin
+      #
+      #     def assign_attributes(values, options = {})
+      #       sanitize_for_mass_assignment(values, options[:as]).each do |k, v|
+      #         send("#{k}=", v)
+      #       end
+      #     end
+      #   end
+      #
+      # When using the <tt>:default</tt> role:
+      #
+      #   customer = Customer.new
+      #   customer.assign_attributes({ name: 'David', credit_rating: 'Excellent', last_login: 1.day.ago }, as: :default)
+      #   customer.name          # => "David"
+      #   customer.credit_rating # => nil
+      #
+      #   customer.credit_rating = 'Average'
+      #   customer.credit_rating # => "Average"
+      #
+      # And using the <tt>:admin</tt> role:
+      #
+      #   customer = Customer.new
+      #   customer.assign_attributes({ name: 'David', credit_rating: 'Excellent', last_login: 1.day.ago }, as: :admin)
+      #   customer.name          # => "David"
+      #   customer.credit_rating # => "Excellent"
+      #
+      # Note that using <tt>Hash#except</tt> or <tt>Hash#slice</tt> in place of
+      # +attr_accessible+ to sanitize attributes provides basically the same
+      # functionality, but it makes a bit tricky to deal with nested attributes.
+      def attr_accessible(*args)
+        options = args.extract_options!
+        role = options[:as] || :default
+
+        self._accessible_attributes = accessible_attributes_configs.dup
+
+        Array(role).each do |name|
+          self._accessible_attributes[name] = self.accessible_attributes(name) + args
+        end
+
+        self._active_authorizer = self._accessible_attributes
+      end
+
+      # Returns an instance of <tt>ActiveModel::MassAssignmentSecurity::BlackList</tt>
+      # with the attributes protected by #attr_protected method. If no +role+
+      # is provided, then <tt>:default</tt> is used.
+      #
+      #   class Customer
+      #     include ActiveModel::MassAssignmentSecurity
+      #
+      #     attr_accessor :name, :email, :logins_count
+      #
+      #     attr_protected :logins_count
+      #     attr_protected :logins_count, :email, as: :admin
+      #   end
+      #
+      #   Customer.protected_attributes
+      #   # => #<ActiveModel::MassAssignmentSecurity::BlackList: {"logins_count"}>
+      #
+      #   Customer.protected_attributes(:default)
+      #   # => #<ActiveModel::MassAssignmentSecurity::BlackList: {"logins_count"}>
+      #
+      #   Customer.protected_attributes(:admin)
+      #   # => #<ActiveModel::MassAssignmentSecurity::BlackList: {"logins_count", "email"}>
+      def protected_attributes(role = :default)
+        protected_attributes_configs[role]
+      end
+
+      # Returns an instance of <tt>ActiveModel::MassAssignmentSecurity::WhiteList</tt>
+      # with the attributes protected by #attr_accessible method. If no +role+
+      # is provided, then <tt>:default</tt> is used.
+      #
+      #   class Customer
+      #     include ActiveModel::MassAssignmentSecurity
+      #
+      #     attr_accessor :name, :credit_rating
+      #
+      #     attr_accessible :name, as: [:admin, :default]
+      #     attr_accessible :credit_rating, as: :admin
+      #   end
+      #
+      #   Customer.accessible_attributes
+      #   # => #<ActiveModel::MassAssignmentSecurity::WhiteList: {"name"}>
+      #
+      #   Customer.accessible_attributes(:default)
+      #   # => #<ActiveModel::MassAssignmentSecurity::WhiteList: {"name"}>
+      #
+      #   Customer.accessible_attributes(:admin)
+      #   # => #<ActiveModel::MassAssignmentSecurity::WhiteList: {"name", "credit_rating"}>
+      def accessible_attributes(role = :default)
+        accessible_attributes_configs[role]
+      end
+
+      # Returns a hash with the protected attributes (by #attr_accessible or
+      # #attr_protected) per role.
+      #
+      #   class Customer
+      #     include ActiveModel::MassAssignmentSecurity
+      #
+      #     attr_accessor :name, :credit_rating
+      #
+      #     attr_accessible :name, as: [:admin, :default]
+      #     attr_accessible :credit_rating, as: :admin
+      #   end
+      #
+      #   Customer.active_authorizers
+      #   # => {
+      #   #       :admin=> #<ActiveModel::MassAssignmentSecurity::WhiteList: {"name", "credit_rating"}>,
+      #   #       :default=>#<ActiveModel::MassAssignmentSecurity::WhiteList: {"name"}>
+      #   #    }
+      def active_authorizers
+        self._active_authorizer ||= protected_attributes_configs
+      end
+      alias active_authorizer active_authorizers
+
+      # Returns an empty array by default. You can still override this to define
+      # the default attributes protected by #attr_protected method.
+      #
+      #   class Customer
+      #     include ActiveModel::MassAssignmentSecurity
+      #
+      #     def self.attributes_protected_by_default
+      #       [:name]
+      #     end
+      #   end
+      #
+      #   Customer.protected_attributes
+      #   # => #<ActiveModel::MassAssignmentSecurity::BlackList: {:name}>
+      def attributes_protected_by_default
+        []
+      end
+
+      # Defines sanitize method.
+      #
+      #   class Customer
+      #     include ActiveModel::MassAssignmentSecurity
+      #
+      #     attr_accessor :name
+      #
+      #     attr_protected :name
+      #
+      #     def assign_attributes(values)
+      #       sanitize_for_mass_assignment(values).each do |k, v|
+      #         send("#{k}=", v)
+      #       end
+      #     end
+      #   end
+      #
+      #   # See ActiveModel::MassAssignmentSecurity::StrictSanitizer for more information.
+      #   Customer.mass_assignment_sanitizer = :strict
+      #
+      #   customer = Customer.new
+      #   customer.assign_attributes(name: 'David')
+      #   # => ActiveModel::MassAssignmentSecurity::Error: Can't mass-assign protected attributes for Customer: name
+      #
+      # Also, you can specify your own sanitizer object.
+      #
+      #   class CustomSanitizer < ActiveModel::MassAssignmentSecurity::Sanitizer
+      #     def process_removed_attributes(klass, attrs)
+      #       raise StandardError
+      #     end
+      #   end
+      #
+      #   Customer.mass_assignment_sanitizer = CustomSanitizer.new
+      #
+      #   customer = Customer.new
+      #   customer.assign_attributes(name: 'David')
+      #   # => StandardError: StandardError
+      def mass_assignment_sanitizer=(value)
+        self._mass_assignment_sanitizer = if value.is_a?(Symbol)
+          const_get(:"#{value.to_s.camelize}Sanitizer").new(self)
+        else
+          value
+        end
+      end
+
+      private
+
+      def protected_attributes_configs
+        self._protected_attributes ||= begin
+          Hash.new { |h,k| h[k] = BlackList.new(attributes_protected_by_default) }
+        end
+      end
+
+      def accessible_attributes_configs
+        self._accessible_attributes ||= begin
+          Hash.new { |h,k| h[k] = WhiteList.new }
+        end
+      end
+    end
+
+  protected
+
+    def sanitize_for_mass_assignment(attributes, role = nil) #:nodoc:
+      _mass_assignment_sanitizer.sanitize(self.class, attributes, mass_assignment_authorizer(role))
+    end
+
+    def mass_assignment_authorizer(role) #:nodoc:
+      self.class.active_authorizer[role || :default]
+    end
+  end
+end