protected_attributes 1.0.3 → 1.0.4
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +63 -62
- data/lib/active_record/mass_assignment_security/core.rb +3 -14
- data/lib/protected_attributes/version.rb +1 -1
- metadata +9 -9
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 964c20fd28238f0df84ab69e92827a8db0068cfb
|
|
4
|
+
data.tar.gz: bbe6a5831c50e41147215618780498c91fa4f6bb
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: ea0d68ea0726d2b790cf7ac7c94abcca4c6654adabb24afc27e184827b7023019134205cef5b851d5edb85ad237568bb1811cca27f73db4947d86c253bfac777
|
|
7
|
+
data.tar.gz: 40217ce17158152775ba9373422af73d7e3747470f8b535414763814a4c967736d5c72ff7d0ecac305b1bcf38755306067b2b15dc3bab1abc16fc021cbf85d01
|
data/README.md
CHANGED
|
@@ -23,85 +23,86 @@ Or install it yourself as:
|
|
|
23
23
|
Mass assignment security provides an interface for protecting attributes from end-user assignment. This plugin provides two class methods in your Active Record class to control access to your attributes. The `attr_protected` method takes a list of attributes that will not be accessible for mass-assignment.
|
|
24
24
|
|
|
25
25
|
For example:
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
26
|
+
```ruby
|
|
27
|
+
attr_protected :admin
|
|
28
|
+
```
|
|
29
29
|
`attr_protected` also optionally takes a role option using `:as` which allows you to define multiple mass-assignment groupings. If no role is defined then attributes will be added to the `:default` role.
|
|
30
30
|
|
|
31
|
-
|
|
32
|
-
|
|
31
|
+
```ruby
|
|
32
|
+
attr_protected :last_login, :as => :admin
|
|
33
|
+
```
|
|
33
34
|
A much better way, because it follows the whitelist-principle, is the `attr_accessible` method. It is the exact opposite of `attr_protected`, because it takes a list of attributes that will be accessible. All other attributes will be protected. This way you won’t forget to protect attributes when adding new ones in the course of development. Here is an example:
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
35
|
+
```ruby
|
|
36
|
+
attr_accessible :name
|
|
37
|
+
attr_accessible :name, :is_admin, :as => :admin
|
|
38
|
+
```
|
|
38
39
|
If you want to set a protected attribute, you will to have to assign it individually:
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
40
|
+
```ruby
|
|
41
|
+
params[:user] # => {:name => "owned", :is_admin => true}
|
|
42
|
+
@user = User.new(params[:user])
|
|
43
|
+
@user.is_admin # => false, not mass-assigned
|
|
44
|
+
@user.is_admin = true
|
|
45
|
+
@user.is_admin # => true
|
|
46
|
+
```
|
|
46
47
|
When assigning attributes in Active Record using `attributes=` the `:default` role will be used. To assign attributes using different roles you should use `assign_attributes` which accepts an optional `:as` options parameter. If no `:as` option is provided then the `:default` role will be used.
|
|
47
48
|
You can also bypass mass-assignment security by using the `:without_protection` option. Here is an example:
|
|
49
|
+
```ruby
|
|
50
|
+
@user = User.new
|
|
48
51
|
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
@user.name # => Josh
|
|
53
|
-
@user.is_admin # => false
|
|
54
|
-
|
|
55
|
-
@user.assign_attributes({ :name => 'Josh', :is_admin => true }, :as => :admin)
|
|
56
|
-
@user.name # => Josh
|
|
57
|
-
@user.is_admin # => true
|
|
58
|
-
|
|
59
|
-
@user.assign_attributes({ :name => 'Josh', :is_admin => true }, :without_protection => true)
|
|
60
|
-
@user.name # => Josh
|
|
61
|
-
@user.is_admin # => true
|
|
62
|
-
|
|
63
|
-
In a similar way, `new`, `create`, `create!`, `update_attributes` and `update_attributes!` methods all respect mass-assignment security and accept either `:as` or `:without_protection` options. For example:
|
|
52
|
+
@user.assign_attributes({ :name => 'Josh', :is_admin => true })
|
|
53
|
+
@user.name # => Josh
|
|
54
|
+
@user.is_admin # => false
|
|
64
55
|
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
@user = User.create({ :name => 'Sebastian', :is_admin => true }, :without_protection => true)
|
|
70
|
-
@user.name # => Sebastian
|
|
71
|
-
@user.is_admin # => true
|
|
56
|
+
@user.assign_attributes({ :name => 'Josh', :is_admin => true }, :as => :admin)
|
|
57
|
+
@user.name # => Josh
|
|
58
|
+
@user.is_admin # => true
|
|
72
59
|
|
|
60
|
+
@user.assign_attributes({ :name => 'Josh', :is_admin => true }, :without_protection => true)
|
|
61
|
+
@user.name # => Josh
|
|
62
|
+
@user.is_admin # => true
|
|
63
|
+
```
|
|
64
|
+
In a similar way, `new`, `create`, `create!`, `update_attributes` and `update_attributes!` methods all respect mass-assignment security and accept either `:as` or `:without_protection` options. For example:
|
|
65
|
+
```ruby
|
|
66
|
+
@user = User.new({ :name => 'Sebastian', :is_admin => true }, :as => :admin)
|
|
67
|
+
@user.name # => Sebastian
|
|
68
|
+
@user.is_admin # => true
|
|
69
|
+
|
|
70
|
+
@user = User.create({ :name => 'Sebastian', :is_admin => true }, :without_protection => true)
|
|
71
|
+
@user.name # => Sebastian
|
|
72
|
+
@user.is_admin # => true
|
|
73
|
+
```
|
|
73
74
|
A more paranoid technique to protect your whole project would be to enforce that all models define their accessible attributes.
|
|
74
75
|
This can be easily achieved with a very simple application config option of:
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
76
|
+
```ruby
|
|
77
|
+
config.active_record.whitelist_attributes = true
|
|
78
|
+
```
|
|
78
79
|
This will create an empty whitelist of attributes available for mass-assignment for all models in your app.
|
|
79
80
|
As such, your models will need to explicitly whitelist or blacklist accessible parameters by using an `attr_accessible` or `attr_protected` declaration. This technique is best applied at the start of a new project. However, for an existing project with a thorough set of functional tests, it should be straightforward and relatively quick to use this application config option; run your tests, and expose each attribute (via `attr_accessible` or `attr_protected`), as dictated by your failing test.
|
|
80
81
|
|
|
81
82
|
For more complex permissions, mass-assignment security may be handled outside the model by extending a non-ActiveRecord class, such as a controller, with this behavior.
|
|
82
83
|
|
|
83
84
|
For example, a logged-in user may need to assign additional attributes depending on their role:
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
91
|
-
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
|
|
104
|
-
|
|
85
|
+
```ruby
|
|
86
|
+
class AccountsController < ApplicationController
|
|
87
|
+
include ActiveModel::MassAssignmentSecurity
|
|
88
|
+
|
|
89
|
+
attr_accessible :first_name, :last_name
|
|
90
|
+
attr_accessible :first_name, :last_name, :plan_id, :as => :admin
|
|
91
|
+
|
|
92
|
+
def update
|
|
93
|
+
...
|
|
94
|
+
@account.update_attributes(account_params)
|
|
95
|
+
...
|
|
96
|
+
end
|
|
97
|
+
|
|
98
|
+
protected
|
|
99
|
+
|
|
100
|
+
def account_params
|
|
101
|
+
role = admin ? :admin : :default
|
|
102
|
+
sanitize_for_mass_assignment(params[:account], role)
|
|
103
|
+
end
|
|
104
|
+
end
|
|
105
|
+
```
|
|
105
106
|
## Contributing
|
|
106
107
|
|
|
107
108
|
1. Fork it
|
|
@@ -1,22 +1,11 @@
|
|
|
1
1
|
module ActiveRecord
|
|
2
2
|
module MassAssignmentSecurity
|
|
3
3
|
module Core
|
|
4
|
-
def initialize(attributes = nil, options = {})
|
|
5
|
-
defaults = self.class.column_defaults.dup
|
|
6
|
-
defaults.each { |k, v| defaults[k] = v.dup if v.duplicable? }
|
|
7
4
|
|
|
8
|
-
|
|
9
|
-
@columns_hash = self.class.column_types.dup
|
|
5
|
+
private
|
|
10
6
|
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
ensure_proper_type
|
|
14
|
-
populate_with_current_scope_attributes
|
|
15
|
-
|
|
16
|
-
assign_attributes(attributes, options) if attributes
|
|
17
|
-
|
|
18
|
-
yield self if block_given?
|
|
19
|
-
run_callbacks :initialize unless _initialize_callbacks.empty?
|
|
7
|
+
def init_attributes(attributes, options)
|
|
8
|
+
assign_attributes(attributes, options)
|
|
20
9
|
end
|
|
21
10
|
|
|
22
11
|
def init_internals
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: protected_attributes
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.0.
|
|
4
|
+
version: 1.0.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- David Heinemeier Hansson
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2013-
|
|
11
|
+
date: 2013-10-18 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activemodel
|
|
@@ -16,7 +16,7 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '>='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 4.0.
|
|
19
|
+
version: 4.0.1.rc1
|
|
20
20
|
- - <
|
|
21
21
|
- !ruby/object:Gem::Version
|
|
22
22
|
version: '5.0'
|
|
@@ -26,7 +26,7 @@ dependencies:
|
|
|
26
26
|
requirements:
|
|
27
27
|
- - '>='
|
|
28
28
|
- !ruby/object:Gem::Version
|
|
29
|
-
version: 4.0.
|
|
29
|
+
version: 4.0.1.rc1
|
|
30
30
|
- - <
|
|
31
31
|
- !ruby/object:Gem::Version
|
|
32
32
|
version: '5.0'
|
|
@@ -36,7 +36,7 @@ dependencies:
|
|
|
36
36
|
requirements:
|
|
37
37
|
- - '>='
|
|
38
38
|
- !ruby/object:Gem::Version
|
|
39
|
-
version: 4.0.
|
|
39
|
+
version: 4.0.1.rc1
|
|
40
40
|
- - <
|
|
41
41
|
- !ruby/object:Gem::Version
|
|
42
42
|
version: '5.0'
|
|
@@ -46,7 +46,7 @@ dependencies:
|
|
|
46
46
|
requirements:
|
|
47
47
|
- - '>='
|
|
48
48
|
- !ruby/object:Gem::Version
|
|
49
|
-
version: 4.0.
|
|
49
|
+
version: 4.0.1.rc1
|
|
50
50
|
- - <
|
|
51
51
|
- !ruby/object:Gem::Version
|
|
52
52
|
version: '5.0'
|
|
@@ -56,7 +56,7 @@ dependencies:
|
|
|
56
56
|
requirements:
|
|
57
57
|
- - '>='
|
|
58
58
|
- !ruby/object:Gem::Version
|
|
59
|
-
version: 4.0.
|
|
59
|
+
version: 4.0.1.rc1
|
|
60
60
|
- - <
|
|
61
61
|
- !ruby/object:Gem::Version
|
|
62
62
|
version: '5.0'
|
|
@@ -66,7 +66,7 @@ dependencies:
|
|
|
66
66
|
requirements:
|
|
67
67
|
- - '>='
|
|
68
68
|
- !ruby/object:Gem::Version
|
|
69
|
-
version: 4.0.
|
|
69
|
+
version: 4.0.1.rc1
|
|
70
70
|
- - <
|
|
71
71
|
- !ruby/object:Gem::Version
|
|
72
72
|
version: '5.0'
|
|
@@ -160,7 +160,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
160
160
|
version: '0'
|
|
161
161
|
requirements: []
|
|
162
162
|
rubyforge_project:
|
|
163
|
-
rubygems_version: 2.0.
|
|
163
|
+
rubygems_version: 2.0.6
|
|
164
164
|
signing_key:
|
|
165
165
|
specification_version: 4
|
|
166
166
|
summary: Protect attributes from mass assignment in Active Record models
|