protected_attributes 1.0.9 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 07a8c210afe27e08b760e2f61b86a60c6980ec1a
-  data.tar.gz: cb8ef9666fc6b0a73161f1d06a0cfd097edfc7cd
+  metadata.gz: 395ab272536df136e316a89087b094b773f6be7b
+  data.tar.gz: 279387fed8cec2a444b8a279c64d78aa6c3d876e
 SHA512:
-  metadata.gz: c6c29a159034c283fd0e77c2b5ddf1469655bce17916e801668d01e8e104c6e4142621c01c75966f0333413c0d7e7179b8c22aa4bf8a03966f0a71334850316b
-  data.tar.gz: d9e314e1e6b925ba6a34fb68b813999c1ffa00d29e4b32ca59eb8f523e35102d5c3098606410ae5cd702756737a1f0bacfa3d3e6b2d6ac01c1388c1bd42df771
+  metadata.gz: a034a1aae746c4d3c942e96d8201010fc5654ae4487547b64a67fee0f2e907321978d6af68050b34fc033e01598d2e579b661e03ae4f5d19d20253f7d3316db8
+  data.tar.gz: d114248044437b7da5d9760d07468b9d4670aeaff2654c0042d3f76e1c16fa1305016d8d5680402351a72dd17b6e067ede82e3696614f22021d54fcc532d792f

data/README.md

@@ -75,13 +75,13 @@ In a similar way, `new`, `create`, `create!`, `update_attributes` and `update_at
 @user.name # => Sebastian
 @user.is_admin # => true
 ```
-A more paranoid technique to protect your whole project would be to enforce that all models define their accessible attributes. 
-This can be easily achieved with a very simple application config option of:
+By default the gem will create an empty whitelist of attributes available for mass-assignment for all models in your app.
+As such, your models will need to explicitly whitelist or blacklist accessible parameters by using an `attr_accessible` or `attr_protected` declaration. This technique is best applied at the start of a new project. However, for an existing project with a thorough set of functional tests, it should be straightforward and relatively quick to use this application config option; run your tests, and expose each attribute (via `attr_accessible` or `attr_protected`), as dictated by your failing test.
+
+This option can be turned off using a configuration option:
 ```ruby
-config.active_record.whitelist_attributes = true
+config.active_record.whitelist_attributes = false
 ```
-This will create an empty whitelist of attributes available for mass-assignment for all models in your app. 
-As such, your models will need to explicitly whitelist or blacklist accessible parameters by using an `attr_accessible` or `attr_protected` declaration. This technique is best applied at the start of a new project. However, for an existing project with a thorough set of functional tests, it should be straightforward and relatively quick to use this application config option; run your tests, and expose each attribute (via `attr_accessible` or `attr_protected`), as dictated by your failing test.
 
 For more complex permissions, mass-assignment security may be handled outside the model by extending a non-ActiveRecord class, such as a controller, with this behavior.
 

data/lib/active_model/mass_assignment_security.rb

@@ -50,11 +50,14 @@ module ActiveModel
   # example implementation.
   module MassAssignmentSecurity
     extend ActiveSupport::Concern
+    include ActiveModel::ForbiddenAttributesProtection
 
     included do
       class_attribute :_accessible_attributes, instance_writer: false
       class_attribute :_protected_attributes,  instance_writer: false
       class_attribute :_active_authorizer,     instance_writer: false
+      class_attribute :_uses_mass_assignment_security, instance_writer: false
+      self._uses_mass_assignment_security = false
 
       class_attribute :_mass_assignment_sanitizer, instance_writer: false
       self.mass_assignment_sanitizer = :logger
@@ -123,6 +126,7 @@ module ActiveModel
           self._protected_attributes[name] = self.protected_attributes(name) + args
         end
 
+        self._uses_mass_assignment_security = true
         self._active_authorizer = self._protected_attributes
       end
 
@@ -189,6 +193,7 @@ module ActiveModel
           self._accessible_attributes[name] = self.accessible_attributes(name) + args
         end
 
+        self._uses_mass_assignment_security = true
         self._active_authorizer = self._accessible_attributes
       end
 
@@ -343,6 +348,10 @@ module ActiveModel
   protected
 
     def sanitize_for_mass_assignment(attributes, role = nil) #:nodoc:
+      unless _uses_mass_assignment_security
+        sanitize_forbidden_attributes(attributes)
+      end
+
       _mass_assignment_sanitizer.sanitize(self.class, attributes, mass_assignment_authorizer(role))
     end
 

data/lib/protected_attributes/version.rb

@@ -1,3 +1,3 @@
 module ProtectedAttributes
-  VERSION = "1.0.9"
+  VERSION = "1.1.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: protected_attributes
 version: !ruby/object:Gem::Version
-  version: 1.0.9
+  version: 1.1.0
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-03-16 00:00:00.000000000 Z
+date: 2015-06-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activemodel
@@ -144,29 +144,6 @@ files:
 - lib/protected_attributes.rb
 - lib/protected_attributes/railtie.rb
 - lib/protected_attributes/version.rb
-- test/abstract_unit.rb
-- test/accessible_params_wrapper_test.rb
-- test/ar_helper.rb
-- test/attribute_sanitization_test.rb
-- test/mass_assignment_security/black_list_test.rb
-- test/mass_assignment_security/permission_set_test.rb
-- test/mass_assignment_security/sanitizer_test.rb
-- test/mass_assignment_security/white_list_test.rb
-- test/mass_assignment_security_test.rb
-- test/models/battle.rb
-- test/models/company.rb
-- test/models/group.rb
-- test/models/keyboard.rb
-- test/models/mass_assignment_specific.rb
-- test/models/membership.rb
-- test/models/person.rb
-- test/models/pirate.rb
-- test/models/subscriber.rb
-- test/models/task.rb
-- test/models/team.rb
-- test/models/vampire.rb
-- test/models/wolf.rb
-- test/test_helper.rb
 homepage: https://github.com/rails/protected_attributes
 licenses:
 - MIT
@@ -191,27 +168,4 @@ rubygems_version: 2.4.5
 signing_key: 
 specification_version: 4
 summary: Protect attributes from mass assignment in Active Record models
-test_files:
-- test/abstract_unit.rb
-- test/accessible_params_wrapper_test.rb
-- test/ar_helper.rb
-- test/attribute_sanitization_test.rb
-- test/mass_assignment_security/black_list_test.rb
-- test/mass_assignment_security/permission_set_test.rb
-- test/mass_assignment_security/sanitizer_test.rb
-- test/mass_assignment_security/white_list_test.rb
-- test/mass_assignment_security_test.rb
-- test/models/battle.rb
-- test/models/company.rb
-- test/models/group.rb
-- test/models/keyboard.rb
-- test/models/mass_assignment_specific.rb
-- test/models/membership.rb
-- test/models/person.rb
-- test/models/pirate.rb
-- test/models/subscriber.rb
-- test/models/task.rb
-- test/models/team.rb
-- test/models/vampire.rb
-- test/models/wolf.rb
-- test/test_helper.rb
+test_files: []

data/test/abstract_unit.rb

@@ -1,165 +0,0 @@
-require 'action_dispatch'
-require 'action_controller'
-require 'active_support/dependencies'
-
-def active_support_4_0?
-  ActiveSupport::VERSION::MAJOR == 4 && ActiveSupport::VERSION::MINOR == 0
-end
-
-if active_support_4_0?
-  require 'active_support/core_ext/class/attribute_accessors'
-else
-  require 'active_support/core_ext/module/attribute_accessors'
-end
-
-module SetupOnce
-  extend ActiveSupport::Concern
-
-  included do
-    cattr_accessor :setup_once_block
-    self.setup_once_block = nil
-
-    setup :run_setup_once
-  end
-
-  module ClassMethods
-    def setup_once(&block)
-      self.setup_once_block = block
-    end
-  end
-
-  private
-    def run_setup_once
-      if self.setup_once_block
-        self.setup_once_block.call
-        self.setup_once_block = nil
-      end
-    end
-end
-
-SharedTestRoutes = ActionDispatch::Routing::RouteSet.new
-
-module ActiveSupport
-  class TestCase
-    include SetupOnce
-    # Hold off drawing routes until all the possible controller classes
-    # have been loaded.
-    setup_once do
-      SharedTestRoutes.draw do
-        get ':controller(/:action)'
-      end
-
-      ActionDispatch::IntegrationTest.app.routes.draw do
-        get ':controller(/:action)'
-      end
-    end
-  end
-end
-
-class RoutedRackApp
-  attr_reader :routes
-
-  def initialize(routes, &blk)
-    @routes = routes
-    @stack = ActionDispatch::MiddlewareStack.new(&blk).build(@routes)
-  end
-
-  def call(env)
-    @stack.call(env)
-  end
-end
-
-class ActionDispatch::IntegrationTest < ActiveSupport::TestCase
-  setup do
-    @routes = SharedTestRoutes
-  end
-
-  def self.build_app(routes = nil)
-    RoutedRackApp.new(routes || ActionDispatch::Routing::RouteSet.new) do |middleware|
-      middleware.use "ActionDispatch::DebugExceptions"
-      middleware.use "ActionDispatch::Callbacks"
-      middleware.use "ActionDispatch::ParamsParser"
-      middleware.use "ActionDispatch::Cookies"
-      middleware.use "ActionDispatch::Flash"
-      middleware.use "Rack::Head"
-      yield(middleware) if block_given?
-    end
-  end
-
-  self.app = build_app
-
-  # Stub Rails dispatcher so it does not get controller references and
-  # simply return the controller#action as Rack::Body.
-  class StubDispatcher < ::ActionDispatch::Routing::RouteSet::Dispatcher
-    protected
-    def controller_reference(controller_param)
-      controller_param
-    end
-
-    def dispatch(controller, action, env)
-      [200, {'Content-Type' => 'text/html'}, ["#{controller}##{action}"]]
-    end
-  end
-
-  def self.stub_controllers
-    old_dispatcher = ActionDispatch::Routing::RouteSet::Dispatcher
-    ActionDispatch::Routing::RouteSet.module_eval { remove_const :Dispatcher }
-    ActionDispatch::Routing::RouteSet.module_eval { const_set :Dispatcher, StubDispatcher }
-    yield ActionDispatch::Routing::RouteSet.new
-  ensure
-    ActionDispatch::Routing::RouteSet.module_eval { remove_const :Dispatcher }
-    ActionDispatch::Routing::RouteSet.module_eval { const_set :Dispatcher, old_dispatcher }
-  end
-
-  def with_routing(&block)
-    temporary_routes = ActionDispatch::Routing::RouteSet.new
-    old_app, self.class.app = self.class.app, self.class.build_app(temporary_routes)
-    old_routes = SharedTestRoutes
-    silence_warnings { Object.const_set(:SharedTestRoutes, temporary_routes) }
-
-    yield temporary_routes
-  ensure
-    self.class.app = old_app
-    silence_warnings { Object.const_set(:SharedTestRoutes, old_routes) }
-  end
-
-  def with_autoload_path(path)
-    path = File.join(File.dirname(__FILE__), "fixtures", path)
-    if ActiveSupport::Dependencies.autoload_paths.include?(path)
-      yield
-    else
-      begin
-        ActiveSupport::Dependencies.autoload_paths << path
-        yield
-      ensure
-        ActiveSupport::Dependencies.autoload_paths.reject! {|p| p == path}
-        ActiveSupport::Dependencies.clear
-      end
-    end
-  end
-end
-
-module ActionController
-  class Base
-    include ActionController::Testing
-    # This stub emulates the Railtie including the URL helpers from a Rails application
-    include SharedTestRoutes.url_helpers
-    include SharedTestRoutes.mounted_helpers
-
-    #self.view_paths = FIXTURE_LOAD_PATH
-
-    def self.test_routes(&block)
-      routes = ActionDispatch::Routing::RouteSet.new
-      routes.draw(&block)
-      include routes.url_helpers
-    end
-  end
-
-  class TestCase
-    include ActionDispatch::TestProcess
-
-    setup do
-      @routes = SharedTestRoutes
-    end
-  end
-end

data/test/accessible_params_wrapper_test.rb

@@ -1,76 +0,0 @@
-require 'test_helper'
-require 'abstract_unit'
-require 'action_controller/accessible_params_wrapper'
-
-module ParamsWrapperTestHelp
-  def with_default_wrapper_options(&block)
-    @controller.class._set_wrapper_options({:format => [:json]})
-    @controller.class.inherited(@controller.class)
-    yield
-  end
-
-  def assert_parameters(expected)
-    assert_equal expected, self.class.controller_class.last_parameters
-  end
-end
-
-class AccessibleParamsWrapperTest < ActionController::TestCase
-  include ParamsWrapperTestHelp
-
-  class UsersController < ActionController::Base
-    class << self
-      attr_accessor :last_parameters
-    end
-
-    def parse
-      self.class.last_parameters = request.params.except(:controller, :action)
-      head :ok
-    end
-  end
-
-  class User; end
-  class Person; end
-
-  tests UsersController
-
-  def teardown
-    UsersController.last_parameters = nil
-  end
-
-  def test_derived_wrapped_keys_from_matching_model
-    User.expects(:respond_to?).with(:accessible_attributes).returns(false)
-    User.expects(:respond_to?).with(:attribute_names).returns(true)
-    User.expects(:attribute_names).twice.returns(["username"])
-
-    with_default_wrapper_options do
-      @request.env['CONTENT_TYPE'] = 'application/json'
-      post :parse, { 'username' => 'sikachu', 'title' => 'Developer' }
-      assert_parameters({ 'username' => 'sikachu', 'title' => 'Developer', 'user' => { 'username' => 'sikachu' }})
-    end
-  end
-
-  def test_derived_wrapped_keys_from_specified_model
-    with_default_wrapper_options do
-      Person.expects(:respond_to?).with(:accessible_attributes).returns(false)
-      Person.expects(:respond_to?).with(:attribute_names).returns(true)
-      Person.expects(:attribute_names).twice.returns(["username"])
-
-      UsersController.wrap_parameters Person
-
-      @request.env['CONTENT_TYPE'] = 'application/json'
-      post :parse, { 'username' => 'sikachu', 'title' => 'Developer' }
-      assert_parameters({ 'username' => 'sikachu', 'title' => 'Developer', 'person' => { 'username' => 'sikachu' }})
-    end
-  end
-
-  def test_accessible_wrapped_keys_from_matching_model
-    User.expects(:respond_to?).with(:accessible_attributes).returns(true)
-    User.expects(:accessible_attributes).with(:default).twice.returns(["username"])
-
-    with_default_wrapper_options do
-      @request.env['CONTENT_TYPE'] = 'application/json'
-      post :parse, { 'username' => 'sikachu', 'title' => 'Developer' }
-      assert_parameters({ 'username' => 'sikachu', 'title' => 'Developer', 'user' => { 'username' => 'sikachu' }})
-    end
-  end
-end

data/test/ar_helper.rb

@@ -1,74 +0,0 @@
-require 'active_record'
-
-ActiveRecord::Base.establish_connection(adapter: 'sqlite3', database: ':memory:')
-
-ActiveRecord::Schema.verbose = false
-ActiveRecord::Schema.define do
-  create_table :accounts, :force => true do |t|
-    t.integer :firm_id
-    t.string  :firm_name
-    t.integer :credit_limit
-  end
-
-  create_table :companies, :force => true do |t|
-    t.string  :type
-    t.integer :firm_id
-    t.string  :firm_name
-    t.string  :name
-    t.integer :client_of
-    t.integer :rating, :default => 1
-    t.integer :account_id
-    t.string :description, :default => ""
-  end
-
-  add_index :companies, [:firm_id, :type, :rating], :name => "company_index"
-  add_index :companies, [:firm_id, :type], :name => "company_partial_index", :where => "rating > 10"
-
-  create_table :keyboards, :force => true, :id  => false do |t|
-    t.primary_key :key_number
-    t.string      :name
-  end
-
-  create_table :people, :force => true do |t|
-    t.string     :first_name, :null => false
-    t.string     :gender, :limit => 1
-    t.string     :comments
-    t.references :best_friend
-    t.references :best_friend_of
-    t.timestamps
-  end
-
-  create_table :subscribers, :force => true, :id => false do |t|
-    t.string :nick, :null => false
-    t.string :name
-  end
-  add_index :subscribers, :nick, :unique => true
-
-  create_table :tasks, :force => true do |t|
-    t.datetime :starting
-    t.datetime :ending
-  end
-
-  create_table :pirates, :force => true do |t|
-    t.string :name
-  end
-
-  create_table :groups, :force => true do |t|
-  end
-
-  create_table :memberships, :force => true do |t|
-    t.integer  "group_id"
-    t.integer  "pirate_id"
-  end
-
-  create_table :teams, :force => true
-  create_table :wolves, :force => true
-  create_table :vampires, :force => true
-  create_table :battles, :force => true do |t|
-    t.integer "team_id"
-    t.integer "battle_id"
-    t.string  "battle_type"
-  end
-end
-
-QUOTED_TYPE = ActiveRecord::Base.connection.quote_column_name('type')