protected_attributes 1.0.0

data/lib/active_record/mass_assignment_security/persistence.rb

@@ -0,0 +1,81 @@
+require 'active_support/concern'
+
+module ActiveRecord
+  module MassAssignmentSecurity
+    # = Active Record Persistence
+    module Persistence
+      extend ActiveSupport::Concern
+
+      module ClassMethods
+        # Creates an object (or multiple objects) and saves it to the database, if validations pass.
+        # The resulting object is returned whether the object was saved successfully to the database or not.
+        #
+        # The +attributes+ parameter can be either a Hash or an Array of Hashes. These Hashes describe the
+        # attributes on the objects that are to be created.
+        #
+        # +create+ respects mass-assignment security and accepts either +:as+ or +:without_protection+ options
+        # in the +options+ parameter.
+        #
+        # ==== Examples
+        #   # Create a single new object
+        #   User.create(:first_name => 'Jamie')
+        #
+        #   # Create a single new object using the :admin mass-assignment security role
+        #   User.create({ :first_name => 'Jamie', :is_admin => true }, :as => :admin)
+        #
+        #   # Create a single new object bypassing mass-assignment security
+        #   User.create({ :first_name => 'Jamie', :is_admin => true }, :without_protection => true)
+        #
+        #   # Create an Array of new objects
+        #   User.create([{ :first_name => 'Jamie' }, { :first_name => 'Jeremy' }])
+        #
+        #   # Create a single object and pass it into a block to set other attributes.
+        #   User.create(:first_name => 'Jamie') do |u|
+        #     u.is_admin = false
+        #   end
+        #
+        #   # Creating an Array of new objects using a block, where the block is executed for each object:
+        #   User.create([{ :first_name => 'Jamie' }, { :first_name => 'Jeremy' }]) do |u|
+        #     u.is_admin = false
+        #   end
+        def create(attributes = nil, options = {}, &block)
+          if attributes.is_a?(Array)
+            attributes.collect { |attr| create(attr, options, &block) }
+          else
+            object = new(attributes, options, &block)
+            object.save
+            object
+          end
+        end
+      end
+
+      # Updates the attributes of the model from the passed-in hash and saves the
+      # record, all wrapped in a transaction. If the object is invalid, the saving
+      # will fail and false will be returned.
+      #
+      # When updating model attributes, mass-assignment security protection is respected.
+      # If no +:as+ option is supplied then the +:default+ role will be used.
+      # If you want to bypass the forbidden attributes protection then you can do so using
+      # the +:without_protection+ option.
+      def update_attributes(attributes, options = {})
+        # The following transaction covers any possible database side-effects of the
+        # attributes assignment. For example, setting the IDs of a child collection.
+        with_transaction_returning_status do
+          assign_attributes(attributes, options)
+          save
+        end
+      end
+
+      # Updates its receiver just like +update_attributes+ but calls <tt>save!</tt> instead
+      # of +save+, so an exception is raised if the record is invalid.
+      def update_attributes!(attributes, options = {})
+        # The following transaction covers any possible database side-effects of the
+        # attributes assignment. For example, setting the IDs of a child collection.
+        with_transaction_returning_status do
+          assign_attributes(attributes, options)
+          save!
+        end
+      end
+    end
+  end
+end

data/lib/active_record/mass_assignment_security/reflection.rb

@@ -0,0 +1,9 @@
+module ActiveRecord
+  module Reflection
+    class AssociationReflection
+      def build_association(*options, &block)
+        klass.new(*options, &block)
+      end
+    end
+  end
+end

data/lib/active_record/mass_assignment_security/relation.rb

@@ -0,0 +1,47 @@
+module ActiveRecord
+  module MassAssignmentSecurity
+    module Relation
+      # Tries to load the first record; if it fails, then <tt>create</tt> is called with the same arguments as this method.
+      #
+      # Expects arguments in the same format as +Base.create+.
+      #
+      # ==== Examples
+      #   # Find the first user named Penélope or create a new one.
+      #   User.where(:first_name => 'Penélope').first_or_create
+      #   # => <User id: 1, first_name: 'Penélope', last_name: nil>
+      #
+      #   # Find the first user named Penélope or create a new one.
+      #   # We already have one so the existing record will be returned.
+      #   User.where(:first_name => 'Penélope').first_or_create
+      #   # => <User id: 1, first_name: 'Penélope', last_name: nil>
+      #
+      #   # Find the first user named Scarlett or create a new one with a particular last name.
+      #   User.where(:first_name => 'Scarlett').first_or_create(:last_name => 'Johansson')
+      #   # => <User id: 2, first_name: 'Scarlett', last_name: 'Johansson'>
+      #
+      #   # Find the first user named Scarlett or create a new one with a different last name.
+      #   # We already have one so the existing record will be returned.
+      #   User.where(:first_name => 'Scarlett').first_or_create do |user|
+      #     user.last_name = "O'Hara"
+      #   end
+      #   # => <User id: 2, first_name: 'Scarlett', last_name: 'Johansson'>
+      def first_or_create(attributes = nil, options = {}, &block)
+        first || create(attributes, options, &block)
+      end
+
+      # Like <tt>first_or_create</tt> but calls <tt>create!</tt> so an exception is raised if the created record is invalid.
+      #
+      # Expects arguments in the same format as <tt>Base.create!</tt>.
+      def first_or_create!(attributes = nil, options = {}, &block)
+        first || create!(attributes, options, &block)
+      end
+
+      # Like <tt>first_or_create</tt> but calls <tt>new</tt> instead of <tt>create</tt>.
+      #
+      # Expects arguments in the same format as <tt>Base.new</tt>.
+      def first_or_initialize(attributes = nil, &block)
+        first || new(attributes, options, &block)
+      end
+    end
+  end
+end

data/lib/active_record/mass_assignment_security/validations.rb

@@ -0,0 +1,24 @@
+require 'active_support/concern'
+
+module ActiveRecord
+  module MassAssignmentSecurity
+    module Validations
+      extend ActiveSupport::Concern
+
+      module ClassMethods
+        # Creates an object just like Base.create but calls <tt>save!</tt> instead of +save+
+        # so an exception is raised if the record is invalid.
+        def create!(attributes = nil, options = {}, &block)
+          if attributes.is_a?(Array)
+            attributes.collect { |attr| create!(attr, options, &block) }
+          else
+            object = new(attributes, options)
+            yield(object) if block_given?
+            object.save!
+            object
+          end
+        end
+      end
+    end
+  end
+end

data/lib/protected_attributes.rb

@@ -0,0 +1,14 @@
+require "active_model/mass_assignment_security"
+require "protected_attributes/railtie" if defined? Rails
+require "protected_attributes/version"
+
+ActiveSupport.on_load :active_record do
+  require "active_record/mass_assignment_security"
+end
+
+ActiveSupport.on_load :action_controller do
+  require "action_controller/accessible_params_wrapper"
+end
+
+module ProtectedAttributes
+end

data/lib/protected_attributes/railtie.rb

@@ -0,0 +1,18 @@
+require 'rails/railtie'
+
+module ProtectedAttributes
+  class Railtie < ::Rails::Railtie
+    config.before_configuration do |app|
+      config.action_controller.permit_all_parameters = true
+      config.active_record.whitelist_attributes = true if config.respond_to?(:active_record)
+    end
+
+    initializer "protected_attributes.active_record", :before => "active_record.set_configs" do |app|
+      ActiveSupport.on_load :active_record do
+        if app.config.respond_to?(:active_record) && app.config.active_record.delete(:whitelist_attributes)
+          attr_accessible(nil)
+        end
+      end
+    end
+  end
+end

data/lib/protected_attributes/version.rb

@@ -0,0 +1,3 @@
+module ProtectedAttributes
+  VERSION = "1.0.0"
+end

data/protected_attributes.gemspec

@@ -0,0 +1,26 @@
+# -*- encoding: utf-8 -*-
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'protected_attributes/version'
+
+Gem::Specification.new do |gem|
+  gem.name          = "protected_attributes"
+  gem.version       = ProtectedAttributes::VERSION
+  gem.authors       = ["David Heinemeier Hansson"]
+  gem.email         = ["david@loudthinking.com"]
+  gem.description   = %q{Protect attributes from mass assignment in AR models}
+  gem.summary       = %q{Protect attributes from mass assignment in AR models}
+  gem.homepage      = "https://github.com/rails/protected_attributes"
+
+  gem.files         = `git ls-files`.split($/)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ["lib"]
+
+  gem.add_dependency "activemodel",  ">= 4.0.0.beta", "< 5.0"
+
+  gem.add_development_dependency "activerecord", ">= 4.0.0.beta", "< 5.0"
+  gem.add_development_dependency "actionpack",   ">= 4.0.0.beta", "< 5.0"
+  gem.add_development_dependency "sqlite3"
+  gem.add_development_dependency "mocha"
+end

data/test/abstract_unit.rb

@@ -0,0 +1,156 @@
+require 'action_dispatch'
+require 'action_controller'
+require 'active_support/core_ext/class/attribute_accessors'
+require 'active_support/dependencies'
+
+module SetupOnce
+  extend ActiveSupport::Concern
+
+  included do
+    cattr_accessor :setup_once_block
+    self.setup_once_block = nil
+
+    setup :run_setup_once
+  end
+
+  module ClassMethods
+    def setup_once(&block)
+      self.setup_once_block = block
+    end
+  end
+
+  private
+    def run_setup_once
+      if self.setup_once_block
+        self.setup_once_block.call
+        self.setup_once_block = nil
+      end
+    end
+end
+
+SharedTestRoutes = ActionDispatch::Routing::RouteSet.new
+
+module ActiveSupport
+  class TestCase
+    include SetupOnce
+    # Hold off drawing routes until all the possible controller classes
+    # have been loaded.
+    setup_once do
+      SharedTestRoutes.draw do
+        get ':controller(/:action)'
+      end
+
+      ActionDispatch::IntegrationTest.app.routes.draw do
+        get ':controller(/:action)'
+      end
+    end
+  end
+end
+
+class RoutedRackApp
+  attr_reader :routes
+
+  def initialize(routes, &blk)
+    @routes = routes
+    @stack = ActionDispatch::MiddlewareStack.new(&blk).build(@routes)
+  end
+
+  def call(env)
+    @stack.call(env)
+  end
+end
+
+class ActionDispatch::IntegrationTest < ActiveSupport::TestCase
+  setup do
+    @routes = SharedTestRoutes
+  end
+
+  def self.build_app(routes = nil)
+    RoutedRackApp.new(routes || ActionDispatch::Routing::RouteSet.new) do |middleware|
+      middleware.use "ActionDispatch::DebugExceptions"
+      middleware.use "ActionDispatch::Callbacks"
+      middleware.use "ActionDispatch::ParamsParser"
+      middleware.use "ActionDispatch::Cookies"
+      middleware.use "ActionDispatch::Flash"
+      middleware.use "Rack::Head"
+      yield(middleware) if block_given?
+    end
+  end
+
+  self.app = build_app
+
+  # Stub Rails dispatcher so it does not get controller references and
+  # simply return the controller#action as Rack::Body.
+  class StubDispatcher < ::ActionDispatch::Routing::RouteSet::Dispatcher
+    protected
+    def controller_reference(controller_param)
+      controller_param
+    end
+
+    def dispatch(controller, action, env)
+      [200, {'Content-Type' => 'text/html'}, ["#{controller}##{action}"]]
+    end
+  end
+
+  def self.stub_controllers
+    old_dispatcher = ActionDispatch::Routing::RouteSet::Dispatcher
+    ActionDispatch::Routing::RouteSet.module_eval { remove_const :Dispatcher }
+    ActionDispatch::Routing::RouteSet.module_eval { const_set :Dispatcher, StubDispatcher }
+    yield ActionDispatch::Routing::RouteSet.new
+  ensure
+    ActionDispatch::Routing::RouteSet.module_eval { remove_const :Dispatcher }
+    ActionDispatch::Routing::RouteSet.module_eval { const_set :Dispatcher, old_dispatcher }
+  end
+
+  def with_routing(&block)
+    temporary_routes = ActionDispatch::Routing::RouteSet.new
+    old_app, self.class.app = self.class.app, self.class.build_app(temporary_routes)
+    old_routes = SharedTestRoutes
+    silence_warnings { Object.const_set(:SharedTestRoutes, temporary_routes) }
+
+    yield temporary_routes
+  ensure
+    self.class.app = old_app
+    silence_warnings { Object.const_set(:SharedTestRoutes, old_routes) }
+  end
+
+  def with_autoload_path(path)
+    path = File.join(File.dirname(__FILE__), "fixtures", path)
+    if ActiveSupport::Dependencies.autoload_paths.include?(path)
+      yield
+    else
+      begin
+        ActiveSupport::Dependencies.autoload_paths << path
+        yield
+      ensure
+        ActiveSupport::Dependencies.autoload_paths.reject! {|p| p == path}
+        ActiveSupport::Dependencies.clear
+      end
+    end
+  end
+end
+
+module ActionController
+  class Base
+    include ActionController::Testing
+    # This stub emulates the Railtie including the URL helpers from a Rails application
+    include SharedTestRoutes.url_helpers
+    include SharedTestRoutes.mounted_helpers
+
+    #self.view_paths = FIXTURE_LOAD_PATH
+
+    def self.test_routes(&block)
+      routes = ActionDispatch::Routing::RouteSet.new
+      routes.draw(&block)
+      include routes.url_helpers
+    end
+  end
+
+  class TestCase
+    include ActionDispatch::TestProcess
+
+    setup do
+      @routes = SharedTestRoutes
+    end
+  end
+end

data/test/accessible_params_wrapper_test.rb

@@ -0,0 +1,76 @@
+require 'test_helper'
+require 'abstract_unit'
+require 'action_controller/accessible_params_wrapper'
+
+module ParamsWrapperTestHelp
+  def with_default_wrapper_options(&block)
+    @controller.class._set_wrapper_options({:format => [:json]})
+    @controller.class.inherited(@controller.class)
+    yield
+  end
+
+  def assert_parameters(expected)
+    assert_equal expected, self.class.controller_class.last_parameters
+  end
+end
+
+class AccessibleParamsWrapperTest < ActionController::TestCase
+  include ParamsWrapperTestHelp
+
+  class UsersController < ActionController::Base
+    class << self
+      attr_accessor :last_parameters
+    end
+
+    def parse
+      self.class.last_parameters = request.params.except(:controller, :action)
+      head :ok
+    end
+  end
+
+  class User; end
+  class Person; end
+
+  tests UsersController
+
+  def teardown
+    UsersController.last_parameters = nil
+  end
+
+  def test_derived_wrapped_keys_from_matching_model
+    User.expects(:respond_to?).with(:accessible_attributes).returns(false)
+    User.expects(:respond_to?).with(:attribute_names).returns(true)
+    User.expects(:attribute_names).twice.returns(["username"])
+
+    with_default_wrapper_options do
+      @request.env['CONTENT_TYPE'] = 'application/json'
+      post :parse, { 'username' => 'sikachu', 'title' => 'Developer' }
+      assert_parameters({ 'username' => 'sikachu', 'title' => 'Developer', 'user' => { 'username' => 'sikachu' }})
+    end
+  end
+
+  def test_derived_wrapped_keys_from_specified_model
+    with_default_wrapper_options do
+      Person.expects(:respond_to?).with(:accessible_attributes).returns(false)
+      Person.expects(:respond_to?).with(:attribute_names).returns(true)
+      Person.expects(:attribute_names).twice.returns(["username"])
+
+      UsersController.wrap_parameters Person
+
+      @request.env['CONTENT_TYPE'] = 'application/json'
+      post :parse, { 'username' => 'sikachu', 'title' => 'Developer' }
+      assert_parameters({ 'username' => 'sikachu', 'title' => 'Developer', 'person' => { 'username' => 'sikachu' }})
+    end
+  end
+
+  def test_accessible_wrapped_keys_from_matching_model
+    User.expects(:respond_to?).with(:accessible_attributes).returns(true)
+    User.expects(:accessible_attributes).with(:default).twice.returns(["username"])
+
+    with_default_wrapper_options do
+      @request.env['CONTENT_TYPE'] = 'application/json'
+      post :parse, { 'username' => 'sikachu', 'title' => 'Developer' }
+      assert_parameters({ 'username' => 'sikachu', 'title' => 'Developer', 'user' => { 'username' => 'sikachu' }})
+    end
+  end
+end