protected_attributes 1.1.0 → 1.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 395ab272536df136e316a89087b094b773f6be7b
-  data.tar.gz: 279387fed8cec2a444b8a279c64d78aa6c3d876e
+  metadata.gz: aac372473a095a28495278d6c7d42f0322bc8dc4
+  data.tar.gz: 64888dd76e4cb9a56254e5a4efefe967524f0017
 SHA512:
-  metadata.gz: a034a1aae746c4d3c942e96d8201010fc5654ae4487547b64a67fee0f2e907321978d6af68050b34fc033e01598d2e579b661e03ae4f5d19d20253f7d3316db8
-  data.tar.gz: d114248044437b7da5d9760d07468b9d4670aeaff2654c0042d3f76e1c16fa1305016d8d5680402351a72dd17b6e067ede82e3696614f22021d54fcc532d792f
+  metadata.gz: f7f64b3eba28e34e6e2dd95c54e2988070268257688b628107f2fea3a096aa35c1e6d9333d1f1334aba703d2afd625ca48abad43fddd64362c487d5e636b6207
+  data.tar.gz: b04a19963ae3b9715dcc16dbcab2202dc7a80ee520b3adc2f9f48a9e34848910ec02cccbda9174b811216370e414696e81716586b841fb4a1e4b98dec3f96046

data/README.md

@@ -1,30 +1,26 @@
-# ProtectedAttributes
+# Protected Attributes
 
 [![Build Status](https://api.travis-ci.org/rails/protected_attributes.svg?branch=master)](https://travis-ci.org/rails/protected_attributes)
 
-Protect attributes from mass-assignment in ActiveRecord models.
+Protect attributes from mass-assignment in Active Record models.
 
-This plugin adds `attr_accessible` and `attr_protected` in your models.
+This plugin adds the class methods `attr_accessible` and `attr_protected` to your models to be able to declare white or black lists of attributes.
 
-Note: This plugin will be officially supported until the release of Rails 5.0
+Note: This plugin will be officially supported until the release of Rails 5.0.
 
 ## Installation
 
-Add this line to your application's Gemfile:
+Add this line to your application's `Gemfile`:
 
     gem 'protected_attributes'
 
 And then execute:
 
-    $ bundle
-
-Or install it yourself as:
-
-    $ gem install protected_attributes
+    bundle install
 
 ## Usage
 
-Mass assignment security provides an interface for protecting attributes from end-user assignment. This plugin provides two class methods in your Active Record class to control access to your attributes. The `attr_protected` method takes a list of attributes that will not be accessible for mass-assignment. 
+Mass assignment security provides an interface for protecting attributes from end-user injection. This plugin provides two class methods in Active Record classes to control access to their attributes. The `attr_protected` method takes a list of attributes that will be ignored in mass-assignment. 
 
 For example:
 ```ruby
@@ -35,12 +31,15 @@ attr_protected :admin
 ```ruby
 attr_protected :last_login, :as => :admin
 ```
-A much better way, because it follows the whitelist-principle, is the `attr_accessible` method. It is the exact opposite of `attr_protected`, because it takes a list of attributes that will be accessible. All other attributes will be protected. This way you won’t forget to protect attributes when adding new ones in the course of development. Here is an example:
+A much better way, because it follows the whitelist-principle, is the `attr_accessible` method. It is the exact opposite of `attr_protected`, because it takes a list of attributes that will be mass-assigned if present. Any other attributes will be ignored. This way you won’t forget to protect attributes when adding new ones in the course of development. Here is an example:
+
 ```ruby
 attr_accessible :name
 attr_accessible :name, :is_admin, :as => :admin
 ```
+
 If you want to set a protected attribute, you will to have to assign it individually:
+
 ```ruby
 params[:user] # => {:name => "owned", :is_admin => true}
 @user = User.new(params[:user])
@@ -48,12 +47,15 @@ params[:user] # => {:name => "owned", :is_admin => true}
 @user.is_admin = true
 @user.is_admin # => true
 ```
+
 When assigning attributes in Active Record using `attributes=` the `:default` role will be used. To assign attributes using different roles you should use `assign_attributes` which accepts an optional `:as` options parameter. If no `:as` option is provided then the `:default` role will be used. 
+
 You can also bypass mass-assignment security by using the `:without_protection` option. Here is an example:
+
 ```ruby
 @user = User.new
 
-@user.assign_attributes({ :name => 'Josh', :is_admin => true })
+@user.assign_attributes(:name => 'Josh', :is_admin => true)
 @user.name # => Josh
 @user.is_admin # => false
 
@@ -65,7 +67,9 @@ You can also bypass mass-assignment security by using the `:without_protection`
 @user.name # => Josh
 @user.is_admin # => true
 ```
+
 In a similar way, `new`, `create`, `create!`, `update_attributes` and `update_attributes!` methods all respect mass-assignment security and accept either `:as` or `:without_protection` options. For example:
+
 ```ruby
 @user = User.new({ :name => 'Sebastian', :is_admin => true }, :as => :admin)
 @user.name # => Sebastian
@@ -75,17 +79,21 @@ In a similar way, `new`, `create`, `create!`, `update_attributes` and `update_at
 @user.name # => Sebastian
 @user.is_admin # => true
 ```
+
 By default the gem will create an empty whitelist of attributes available for mass-assignment for all models in your app.
+
 As such, your models will need to explicitly whitelist or blacklist accessible parameters by using an `attr_accessible` or `attr_protected` declaration. This technique is best applied at the start of a new project. However, for an existing project with a thorough set of functional tests, it should be straightforward and relatively quick to use this application config option; run your tests, and expose each attribute (via `attr_accessible` or `attr_protected`), as dictated by your failing test.
 
 This option can be turned off using a configuration option:
+
 ```ruby
 config.active_record.whitelist_attributes = false
 ```
 
-For more complex permissions, mass-assignment security may be handled outside the model by extending a non-ActiveRecord class, such as a controller, with this behavior.
+For more complex permissions, mass-assignment security may be handled outside the model by extending a non-Active Record class, such as a controller, with this behavior.
 
 For example, a logged-in user may need to assign additional attributes depending on their role:
+
 ```ruby
 class AccountsController < ApplicationController
   include ActiveModel::MassAssignmentSecurity
@@ -110,14 +118,13 @@ end
 
 ### Errors
 
-By default, errors will not be raised if the user passes attributes in the params hash which are not allowed to be updated.
-If you want the functionality where exceptions (`ActiveModel::MassAssignmentSecurity::Error`) are raised.  Add to your config
-the strict flag:
+By default, attributes in the params hash which are not allowed to be updated are just ignored. If you prefer an exception to be raised configure:
 
 ```ruby
 config.active_record.mass_assignment_sanitizer = :strict
 ```
 
+Any protected attributes violation raises `ActiveModel::MassAssignmentSecurity::Error` then.
 
 ## Contributing
 

data/lib/action_controller/accessible_params_wrapper.rb

@@ -5,6 +5,8 @@ require 'action_controller/metal/params_wrapper'
 module ActionController
   module ParamsWrapper
     class Options # :nodoc:
+      undef :include
+
       def include
         return super if @include_set
 

data/lib/active_model/mass_assignment_security.rb

@@ -348,11 +348,11 @@ module ActiveModel
   protected
 
     def sanitize_for_mass_assignment(attributes, role = nil) #:nodoc:
-      unless _uses_mass_assignment_security
+      if _uses_mass_assignment_security
+        _mass_assignment_sanitizer.sanitize(self.class, attributes, mass_assignment_authorizer(role))
+      else
         sanitize_forbidden_attributes(attributes)
       end
-
-      _mass_assignment_sanitizer.sanitize(self.class, attributes, mass_assignment_authorizer(role))
     end
 
     def mass_assignment_authorizer(role) #:nodoc:

data/lib/active_record/mass_assignment_security.rb

@@ -19,7 +19,6 @@ class ActiveRecord::Base
   include ActiveRecord::MassAssignmentSecurity::Core
   include ActiveRecord::MassAssignmentSecurity::AttributeAssignment
   include ActiveRecord::MassAssignmentSecurity::Persistence
-  include ActiveRecord::MassAssignmentSecurity::Relation
   include ActiveRecord::MassAssignmentSecurity::Validations
   include ActiveRecord::MassAssignmentSecurity::NestedAttributes
   include ActiveRecord::MassAssignmentSecurity::Inheritance

data/lib/active_record/mass_assignment_security/associations.rb

@@ -1,6 +1,8 @@
 module ActiveRecord
   module Associations
     class Association
+      undef :build_record
+
       def build_record(attributes, options)
         reflection.build_association(attributes, options) do |record|
           attributes = create_scope.except(*(record.changed - [reflection.foreign_key]))
@@ -12,6 +14,10 @@ module ActiveRecord
     end
 
     class CollectionAssociation
+      undef :build
+      undef :create
+      undef :create!
+
       def build(attributes = {}, options = {}, &block)
         if attributes.is_a?(Array)
           attributes.collect { |attr| build(attr, options, &block) }
@@ -51,6 +57,9 @@ module ActiveRecord
     end
 
     class CollectionProxy
+      undef :create
+      undef :create!
+
       def build(attributes = {}, options = {}, &block)
         @association.build(attributes, options, &block)
       end
@@ -66,6 +75,7 @@ module ActiveRecord
     end
 
     module ThroughAssociation
+      undef :build_record if respond_to?(:build_record, false)
 
       private
 
@@ -82,6 +92,9 @@ module ActiveRecord
     end
 
     class HasManyThroughAssociation
+      undef :build_record
+      undef :options_for_through_record
+
       def build_record(attributes, options = {})
         ensure_not_nested
 
@@ -107,6 +120,10 @@ module ActiveRecord
     end
 
     class SingularAssociation
+      undef :create
+      undef :create!
+      undef :build
+
       def create(attributes = {}, options = {}, &block)
         create_record(attributes, options, &block)
       end

data/lib/active_record/mass_assignment_security/reflection.rb

@@ -2,12 +2,16 @@ module ActiveRecord
   module Reflection
     if defined?(AbstractReflection)
       class AbstractReflection
+        undef :build_association
+
         def build_association(*options, &block)
           klass.new(*options, &block)
         end
       end
     else
       class AssociationReflection
+        undef :build_association
+
         def build_association(*options, &block)
           klass.new(*options, &block)
         end

data/lib/active_record/mass_assignment_security/relation.rb

@@ -1,46 +1,75 @@
 module ActiveRecord
-  module MassAssignmentSecurity
-    module Relation
-      # Tries to load the first record; if it fails, then <tt>create</tt> is called with the same arguments as this method.
-      #
-      # Expects arguments in the same format as +Base.create+.
-      #
-      # ==== Examples
-      #   # Find the first user named Penélope or create a new one.
-      #   User.where(:first_name => 'Penélope').first_or_create
-      #   # => <User id: 1, first_name: 'Penélope', last_name: nil>
-      #
-      #   # Find the first user named Penélope or create a new one.
-      #   # We already have one so the existing record will be returned.
-      #   User.where(:first_name => 'Penélope').first_or_create
-      #   # => <User id: 1, first_name: 'Penélope', last_name: nil>
-      #
-      #   # Find the first user named Scarlett or create a new one with a particular last name.
-      #   User.where(:first_name => 'Scarlett').first_or_create(:last_name => 'Johansson')
-      #   # => <User id: 2, first_name: 'Scarlett', last_name: 'Johansson'>
-      #
-      #   # Find the first user named Scarlett or create a new one with a different last name.
-      #   # We already have one so the existing record will be returned.
-      #   User.where(:first_name => 'Scarlett').first_or_create do |user|
-      #     user.last_name = "O'Hara"
-      #   end
-      #   # => <User id: 2, first_name: 'Scarlett', last_name: 'Johansson'>
-      def first_or_create(attributes = nil, options = {}, &block)
-        first || create(attributes, options, &block)
-      end
+  class Relation
+    undef :first_or_create
+    undef :first_or_create!
+    undef :first_or_initialize
+    undef :find_or_initialize_by
+    undef :find_or_create_by
+    undef :find_or_create_by!
 
-      # Like <tt>first_or_create</tt> but calls <tt>create!</tt> so an exception is raised if the created record is invalid.
-      #
-      # Expects arguments in the same format as <tt>Base.create!</tt>.
-      def first_or_create!(attributes = nil, options = {}, &block)
-        first || create!(attributes, options, &block)
-      end
+    # Tries to load the first record; if it fails, then <tt>create</tt> is called with the same arguments as this method.
+    #
+    # Expects arguments in the same format as +Base.create+.
+    #
+    # ==== Examples
+    #   # Find the first user named Penélope or create a new one.
+    #   User.where(:first_name => 'Penélope').first_or_create
+    #   # => <User id: 1, first_name: 'Penélope', last_name: nil>
+    #
+    #   # Find the first user named Penélope or create a new one.
+    #   # We already have one so the existing record will be returned.
+    #   User.where(:first_name => 'Penélope').first_or_create
+    #   # => <User id: 1, first_name: 'Penélope', last_name: nil>
+    #
+    #   # Find the first user named Scarlett or create a new one with a particular last name.
+    #   User.where(:first_name => 'Scarlett').first_or_create(:last_name => 'Johansson')
+    #   # => <User id: 2, first_name: 'Scarlett', last_name: 'Johansson'>
+    #
+    #   # Find the first user named Scarlett or create a new one with a different last name.
+    #   # We already have one so the existing record will be returned.
+    #   User.where(:first_name => 'Scarlett').first_or_create do |user|
+    #     user.last_name = "O'Hara"
+    #   end
+    #   # => <User id: 2, first_name: 'Scarlett', last_name: 'Johansson'>
+    def first_or_create(attributes = nil, options = {}, &block)
+      first || create(attributes, options, &block)
+    end
+
+    # Like <tt>first_or_create</tt> but calls <tt>create!</tt> so an exception is raised if the created record is invalid.
+    #
+    # Expects arguments in the same format as <tt>Base.create!</tt>.
+    def first_or_create!(attributes = nil, options = {}, &block)
+      first || create!(attributes, options, &block)
+    end
+
+    # Like <tt>first_or_create</tt> but calls <tt>new</tt> instead of <tt>create</tt>.
+    #
+    # Expects arguments in the same format as <tt>Base.new</tt>.
+    def first_or_initialize(attributes = nil, options = {}, &block)
+      first || new(attributes, options, &block)
+    end
+
+    def find_or_initialize_by(attributes, options = {}, &block)
+      find_by(attributes) || new(attributes, options, &block)
+    end
+
+    def find_or_create_by(attributes, options = {}, &block)
+      find_by(attributes) || create(attributes, options, &block)
+    end
+
+    def find_or_create_by!(attributes, options = {}, &block)
+      find_by(attributes) || create!(attributes, options, &block)
+    end
+  end
+
+  module QueryMethods
+    protected
 
-      # Like <tt>first_or_create</tt> but calls <tt>new</tt> instead of <tt>create</tt>.
-      #
-      # Expects arguments in the same format as <tt>Base.new</tt>.
-      def first_or_initialize(attributes = nil, &block)
-        first || new(attributes, options, &block)
+    def sanitize_forbidden_attributes(attributes) #:nodoc:
+      if !model._uses_mass_assignment_security
+        sanitize_for_mass_assignment(attributes)
+      else
+        attributes
       end
     end
   end

data/lib/protected_attributes.rb

@@ -1,5 +1,4 @@
 require "active_model/mass_assignment_security"
-require "protected_attributes/railtie" if defined? Rails::Railtie
 require "protected_attributes/version"
 
 ActiveSupport.on_load :active_record do

data/lib/protected_attributes/version.rb

@@ -1,3 +1,3 @@
 module ProtectedAttributes
-  VERSION = "1.1.0"
+  VERSION = "1.1.1"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: protected_attributes
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.1.1
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-06-22 00:00:00.000000000 Z
+date: 2015-07-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activemodel
@@ -142,7 +142,6 @@ files:
 - lib/active_record/mass_assignment_security/relation.rb
 - lib/active_record/mass_assignment_security/validations.rb
 - lib/protected_attributes.rb
-- lib/protected_attributes/railtie.rb
 - lib/protected_attributes/version.rb
 homepage: https://github.com/rails/protected_attributes
 licenses:
@@ -164,7 +163,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.5
+rubygems_version: 2.4.7
 signing_key: 
 specification_version: 4
 summary: Protect attributes from mass assignment in Active Record models

data/lib/protected_attributes/railtie.rb

@@ -1,16 +0,0 @@
-module ProtectedAttributes
-  class Railtie < ::Rails::Railtie
-    config.before_configuration do |app|
-      config.action_controller.permit_all_parameters = true
-      config.active_record.whitelist_attributes = true if config.respond_to?(:active_record)
-    end
-
-    initializer "protected_attributes.active_record", :before => "active_record.set_configs" do |app|
-      ActiveSupport.on_load :active_record do
-        if app.config.respond_to?(:active_record) && app.config.active_record.delete(:whitelist_attributes)
-          attr_accessible(nil)
-        end
-      end
-    end
-  end
-end