protected_attributes_continued 1.2.0

data/lib/active_record/mass_assignment_security/persistence.rb

@@ -0,0 +1,83 @@
+require 'active_support/concern'
+
+module ActiveRecord
+  module MassAssignmentSecurity
+    # = Active Record Persistence
+    module Persistence
+      extend ActiveSupport::Concern
+
+      module ClassMethods
+        # Creates an object (or multiple objects) and saves it to the database, if validations pass.
+        # The resulting object is returned whether the object was saved successfully to the database or not.
+        #
+        # The +attributes+ parameter can be either a Hash or an Array of Hashes. These Hashes describe the
+        # attributes on the objects that are to be created.
+        #
+        # +create+ respects mass-assignment security and accepts either +:as+ or +:without_protection+ options
+        # in the +options+ parameter.
+        #
+        # ==== Examples
+        #   # Create a single new object
+        #   User.create(:first_name => 'Jamie')
+        #
+        #   # Create a single new object using the :admin mass-assignment security role
+        #   User.create({ :first_name => 'Jamie', :is_admin => true }, :as => :admin)
+        #
+        #   # Create a single new object bypassing mass-assignment security
+        #   User.create({ :first_name => 'Jamie', :is_admin => true }, :without_protection => true)
+        #
+        #   # Create an Array of new objects
+        #   User.create([{ :first_name => 'Jamie' }, { :first_name => 'Jeremy' }])
+        #
+        #   # Create a single object and pass it into a block to set other attributes.
+        #   User.create(:first_name => 'Jamie') do |u|
+        #     u.is_admin = false
+        #   end
+        #
+        #   # Creating an Array of new objects using a block, where the block is executed for each object:
+        #   User.create([{ :first_name => 'Jamie' }, { :first_name => 'Jeremy' }]) do |u|
+        #     u.is_admin = false
+        #   end
+        def create(attributes = nil, options = {}, &block)
+          if attributes.is_a?(Array)
+            attributes.collect { |attr| create(attr, options, &block) }
+          else
+            object = new(attributes, options, &block)
+            object.save
+            object
+          end
+        end
+      end
+
+      # Updates the attributes of the model from the passed-in hash and saves the
+      # record, all wrapped in a transaction. If the object is invalid, the saving
+      # will fail and false will be returned.
+      #
+      # When updating model attributes, mass-assignment security protection is respected.
+      # If no +:as+ option is supplied then the +:default+ role will be used.
+      # If you want to bypass the forbidden attributes protection then you can do so using
+      # the +:without_protection+ option.
+      def update(attributes, options = {})
+        # The following transaction covers any possible database side-effects of the
+        # attributes assignment. For example, setting the IDs of a child collection.
+        with_transaction_returning_status do
+          assign_attributes(attributes, options)
+          save
+        end
+      end
+      alias :update_attributes :update
+
+      # Updates its receiver just like +update_attributes+ but calls <tt>save!</tt> instead
+      # of +save+, so an exception is raised if the record is invalid.
+      def update!(attributes, options = {})
+        # The following transaction covers any possible database side-effects of the
+        # attributes assignment. For example, setting the IDs of a child collection.
+        with_transaction_returning_status do
+          assign_attributes(attributes, options)
+          save!
+        end
+      end
+      alias :update_attributes! :update!
+    end
+  end
+end

data/lib/active_record/mass_assignment_security/reflection.rb

@@ -0,0 +1,21 @@
+module ActiveRecord
+  module Reflection
+    if defined?(AbstractReflection)
+      class AbstractReflection
+        undef :build_association
+
+        def build_association(*options, &block)
+          klass.new(*options, &block)
+        end
+      end
+    else
+      class AssociationReflection
+        undef :build_association
+
+        def build_association(*options, &block)
+          klass.new(*options, &block)
+        end
+      end
+    end
+  end
+end

data/lib/active_record/mass_assignment_security/relation.rb

@@ -0,0 +1,76 @@
+module ActiveRecord
+  class Relation
+    undef :first_or_create
+    undef :first_or_create!
+    undef :first_or_initialize
+    undef :find_or_initialize_by
+    undef :find_or_create_by
+    undef :find_or_create_by!
+
+    # Tries to load the first record; if it fails, then <tt>create</tt> is called with the same arguments as this method.
+    #
+    # Expects arguments in the same format as +Base.create+.
+    #
+    # ==== Examples
+    #   # Find the first user named Penélope or create a new one.
+    #   User.where(:first_name => 'Penélope').first_or_create
+    #   # => <User id: 1, first_name: 'Penélope', last_name: nil>
+    #
+    #   # Find the first user named Penélope or create a new one.
+    #   # We already have one so the existing record will be returned.
+    #   User.where(:first_name => 'Penélope').first_or_create
+    #   # => <User id: 1, first_name: 'Penélope', last_name: nil>
+    #
+    #   # Find the first user named Scarlett or create a new one with a particular last name.
+    #   User.where(:first_name => 'Scarlett').first_or_create(:last_name => 'Johansson')
+    #   # => <User id: 2, first_name: 'Scarlett', last_name: 'Johansson'>
+    #
+    #   # Find the first user named Scarlett or create a new one with a different last name.
+    #   # We already have one so the existing record will be returned.
+    #   User.where(:first_name => 'Scarlett').first_or_create do |user|
+    #     user.last_name = "O'Hara"
+    #   end
+    #   # => <User id: 2, first_name: 'Scarlett', last_name: 'Johansson'>
+    def first_or_create(attributes = nil, options = {}, &block)
+      first || create(attributes, options, &block)
+    end
+
+    # Like <tt>first_or_create</tt> but calls <tt>create!</tt> so an exception is raised if the created record is invalid.
+    #
+    # Expects arguments in the same format as <tt>Base.create!</tt>.
+    def first_or_create!(attributes = nil, options = {}, &block)
+      first || create!(attributes, options, &block)
+    end
+
+    # Like <tt>first_or_create</tt> but calls <tt>new</tt> instead of <tt>create</tt>.
+    #
+    # Expects arguments in the same format as <tt>Base.new</tt>.
+    def first_or_initialize(attributes = nil, options = {}, &block)
+      first || new(attributes, options, &block)
+    end
+
+    def find_or_initialize_by(attributes, options = {}, &block)
+      find_by(attributes) || new(attributes, options, &block)
+    end
+
+    def find_or_create_by(attributes, options = {}, &block)
+      find_by(attributes) || create(attributes, options, &block)
+    end
+
+    def find_or_create_by!(attributes, options = {}, &block)
+      find_by(attributes) || create!(attributes, options, &block)
+    end
+  end
+
+  module QueryMethods
+    protected
+
+    def sanitize_forbidden_attributes(attributes) #:nodoc:
+      if !model._uses_mass_assignment_security
+        sanitize_for_mass_assignment(attributes)
+      else
+        attributes
+      end
+    end
+  end
+end

data/lib/active_record/mass_assignment_security/validations.rb

@@ -0,0 +1,24 @@
+require 'active_support/concern'
+
+module ActiveRecord
+  module MassAssignmentSecurity
+    module Validations
+      extend ActiveSupport::Concern
+
+      module ClassMethods
+        # Creates an object just like Base.create but calls <tt>save!</tt> instead of +save+
+        # so an exception is raised if the record is invalid.
+        def create!(attributes = nil, options = {}, &block)
+          if attributes.is_a?(Array)
+            attributes.collect { |attr| create!(attr, options, &block) }
+          else
+            object = new(attributes, options)
+            yield(object) if block_given?
+            object.save!
+            object
+          end
+        end
+      end
+    end
+  end
+end

data/lib/protected_attributes.rb

@@ -0,0 +1,14 @@
+require "active_model/mass_assignment_security"
+require "protected_attributes/railtie" if defined? Rails::Railtie
+require "protected_attributes/version"
+
+ActiveSupport.on_load :active_record do
+  require "active_record/mass_assignment_security"
+end
+
+ActiveSupport.on_load :action_controller do
+  require "action_controller/accessible_params_wrapper"
+end
+
+module ProtectedAttributes
+end

data/lib/protected_attributes/railtie.rb

@@ -0,0 +1,9 @@
+module ProtectedAttributes
+  class Railtie < ::Rails::Railtie
+    initializer "protected_attributes.active_record", :before => "active_record.set_configs" do |app|
+      if app.config.respond_to?(:active_record) && app.config.active_record.delete(:whitelist_attributes)
+        ActiveSupport::Deprecation.warn "config.active_record.whitelist_attributes is deprecated and have no effect. Remove its call from the configuration."
+      end
+    end
+  end
+end

data/lib/protected_attributes/version.rb

@@ -0,0 +1,3 @@
+module ProtectedAttributes
+  VERSION = "1.2.0"
+end

metadata

@@ -0,0 +1,173 @@
+--- !ruby/object:Gem::Specification
+name: protected_attributes_continued
+version: !ruby/object:Gem::Version
+  version: 1.2.0
+platform: ruby
+authors:
+- David Heinemeier Hansson
+- Weston Ganger
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-08-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: activemodel
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.0.1
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '6.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.0.1
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '6.0'
+- !ruby/object:Gem::Dependency
+  name: activerecord
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.0.1
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '6.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.0.1
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '6.0'
+- !ruby/object:Gem::Dependency
+  name: actionpack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.0.1
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '6.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.0.1
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '6.0'
+- !ruby/object:Gem::Dependency
+  name: railties
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.0.1
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '6.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.0.1
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '6.0'
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: mocha
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Protect attributes from mass assignment
+email:
+- david@loudthinking.com
+- westonganger@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE.txt
+- README.md
+- lib/action_controller/accessible_params_wrapper.rb
+- lib/active_model/mass_assignment_security.rb
+- lib/active_model/mass_assignment_security/permission_set.rb
+- lib/active_model/mass_assignment_security/sanitizer.rb
+- lib/active_record/mass_assignment_security.rb
+- lib/active_record/mass_assignment_security/associations.rb
+- lib/active_record/mass_assignment_security/attribute_assignment.rb
+- lib/active_record/mass_assignment_security/core.rb
+- lib/active_record/mass_assignment_security/inheritance.rb
+- lib/active_record/mass_assignment_security/nested_attributes.rb
+- lib/active_record/mass_assignment_security/persistence.rb
+- lib/active_record/mass_assignment_security/reflection.rb
+- lib/active_record/mass_assignment_security/relation.rb
+- lib/active_record/mass_assignment_security/validations.rb
+- lib/protected_attributes.rb
+- lib/protected_attributes/railtie.rb
+- lib/protected_attributes/version.rb
+homepage: https://github.com/westonganger/protected_attributes_continued
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.1
+signing_key: 
+specification_version: 4
+summary: Protect attributes from mass assignment in Active Record models
+test_files: []