protected_attributes_continued 1.3.0 → 1.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 2eb844e472b4ede262323c067507b498ad29bd27
-  data.tar.gz: a2c7241c8c82757901c5e065d39a0adbc8dfd5bb
+SHA256:
+  metadata.gz: 8e01eccbad4a21cdd10334379dc742f0edc97dd8a6b99b03e8d1e105d5a159a4
+  data.tar.gz: e41d9f31ea96a9ed1edbc30063ac258f820452554d64d58f6ce0e2945027e74c
 SHA512:
-  metadata.gz: 7d9e0f27404e0f676ed38fc118da71dbc1e9dfa682bb632de1eadc33a96299277793b017467b0f3746ebdbf3bfe80aba726399124536b035b63e5f8827562e6b
-  data.tar.gz: 1ccfdcb731a28be930dee878c1d1d474ecb41a5f40636d96a899d6a8d26a09c8fde2ab403d98da73b1663f539df5ee2c1f48040be585932d474ce1d398c9e94b
+  metadata.gz: 9317411a772594accc0cbc59ca0c07a755b58f1b0c1b6553d5843cb37b6e7f3ec0defb4b5e84686a8564fafff6bb43cd803768fe230dd8b990ee236aa1281620
+  data.tar.gz: 608d732479681ce5d90a231e8f44862e54a7cb0a6ce323088c90f6dc22b52eaa85a0a7e471ee5cbe8979d6514f9f45be3fb6533a4def88dfcd2ae8a12a1ca13c

data/LICENSE.txt

@@ -1,4 +1,4 @@
-Copyright (c) 2012-2016 Guillermo Iguaran
+Copyright (c) 2012-2017 Guillermo Iguaran
 
 MIT License
 

data/README.md

@@ -1,8 +1,9 @@
 # Protected Attributes Continued
+<a href="https://badge.fury.io/rb/protected_attributes_continued" target="_blank"><img height="21" style='border:0px;height:21px;' border='0' src="https://badge.fury.io/rb/protected_attributes_continued.svg" alt="Gem Version"></a>
+<a href='https://travis-ci.org/westonganger/protected_attributes_continued' target='_blank'><img height='21' style='border:0px;height:21px;' src='https://api.travis-ci.org/westonganger/protected_attributes_continued.svg?branch=master' border='0' alt='Build Status' /></a>
+<a href='https://rubygems.org/gems/protected_attributes_continued' target='_blank'><img height='21' style='border:0px;height:21px;' src='https://ruby-gem-downloads-badge.herokuapp.com/protected_attributes_continued?label=rubygems&type=total&total_label=downloads&color=brightgreen' border='0' alt='RubyGems Downloads' /></a>
 
-[![Build Status](https://api.travis-ci.org/westonganger/protected_attributes_continued.svg?branch=master)](https://travis-ci.org/westonganger/protected_attributes_continued)
-
-This is the community continued version of `protected_attributes`. It works with Rails 5 only and I recommend you only use it to support legacy portions of your application that you do not want to upgrade. Note that this feature was dropped by the Rails team and switched to strong_parameters because of security issues, just so you understand your risks. This is in use successfully in some of my Rails 5 apps in which security like this is a non-issue. For people who would like to continue using this feature in their Rails 5 apps lets continue the work here. 
+This is the community continued version of `protected_attributes`. It works with Rails 5+ only and I recommend you only use it to support legacy portions of your application that you do not want to upgrade. Note that this feature was dropped by the Rails team and switched to strong_parameters because of security issues, just so you understand your risks. This is in use successfully in some of my Rails 5 apps in which security like this is a non-issue. For people who would like to continue using this feature in their Rails 5 apps lets continue the work here. If you are looking for a similar approach see my [recommended alternative](https://github.com/westonganger/protected_attributes_continued#a-better-alternative)
 
 Protect attributes from mass-assignment in Active Record models.
 
@@ -98,10 +99,49 @@ config.active_record.mass_assignment_sanitizer = :strict
 Any protected attributes violation raises `ActiveModel::MassAssignmentSecurity::Error` then.
 
 
-# Credits
+## Contributing
+
+We use the `appraisal` gem for testing multiple versions of `Rails`. Please use the following steps to test using `appraisal`.
+
+1. `bundle exec appraisal install`
+2. `bundle exec appraisal rake test`
 
-Created and Maintained by [Weston Ganger - @westonganger](https://github.com/westonganger)
+## Credits
+
+Created & Maintained by [Weston Ganger](https://westonganger.com) - [@westonganger](https://github.com/westonganger)
 
 Originally forked from the dead/unmaintained `protected_attributes` gem by the Rails team.
 
-<a href='https://ko-fi.com/A5071NK' target='_blank'><img height='32' style='border:0px;height:32px;' src='https://az743702.vo.msecnd.net/cdn/kofi1.png?v=a' border='0' alt='Buy Me a Coffee' /></a> 
+## A Better Alternative
+
+While I do utilize this gem in some legacy projects I have adopted an alternative approach that is similar to this gem but only utilizes Rails built-in `strong_params` which is a much more future proof way of doing things. See the following example for how to implement.
+
+```ruby
+class Post < ActiveRecord::Base
+
+  def self.strong_params(params)
+    params.permit(:post).permit(:name, :content, :published_at)
+  end
+
+end
+
+class PostsController < ApplicationController
+
+  def create
+    @post = Post.new
+
+    @post.assign_attributes(Post.strong_params(params))
+
+    respond_with @post
+  end
+
+  def update
+    @post = Post.find(params[:id])
+
+    @post.update(Post.strong_params(params))
+
+    respond_with @post
+  end
+
+end
+```

data/lib/active_record/mass_assignment_security/associations.rb

@@ -5,7 +5,8 @@ module ActiveRecord
 
       def build_record(attributes, options)
         reflection.build_association(attributes, options) do |record|
-          attributes = create_scope.except(*(record.changed - [reflection.foreign_key]))
+          the_scope = (ActiveRecord::VERSION::STRING.to_f >= 5.2 ? scope_for_create : create_scope)
+          attributes = the_scope.except(*(record.changed - [reflection.foreign_key]))
           record.assign_attributes(attributes, without_protection: true)
         end
       end

data/lib/active_record/mass_assignment_security/inheritance.rb

@@ -4,20 +4,41 @@ module ActiveRecord
       extend ActiveSupport::Concern
 
       module ClassMethods
-
+  
         private
 
         # Detect the subclass from the inheritance column of attrs. If the inheritance column value
         # is not self or a valid subclass, raises ActiveRecord::SubclassNotFound
-        # If this is a StrongParameters hash, and access to inheritance_column is not permitted,
-        # this will ignore the inheritance column and return nil
-        def subclass_from_attributes?(attrs)
+        def subclass_from_attributes(attrs)
           active_authorizer[:default].deny?(inheritance_column) ? nil : super
         end
+      end
+    end
+  end
+end
 
-        # Support Active Record <= 4.0.3, which uses the old method signature.
-        def subclass_from_attrs(attrs)
-          active_authorizer[:default].deny?(inheritance_column) ? nil : super
+module ActiveRecord
+  module Inheritance
+    module ClassMethods
+      undef :new
+
+      def new(attributes = nil, options = {}, &block)
+        if abstract_class? || self == Base
+          raise NotImplementedError, "#{self} is an abstract class and cannot be instantiated."
+        end
+
+        if has_attribute?(inheritance_column)
+          subclass = subclass_from_attributes(attributes)
+
+          if respond_to?(:column_defaults) && subclass.nil? && base_class == self
+            subclass = subclass_from_attributes(column_defaults)
+          end
+        end
+
+        if subclass && subclass != self
+          subclass.new(attributes, options, &block)
+        else
+          super
         end
       end
     end

data/lib/active_record/mass_assignment_security/nested_attributes.rb

@@ -15,7 +15,11 @@ module ActiveRecord
 
           attr_names.each do |association_name|
             if reflection = reflect_on_association(association_name)
-              reflection.autosave = true
+              if ActiveRecord::VERSION::MAJOR == 4 && ActiveRecord::VERSION::MINOR == 0
+                reflection.options[:autosave] = true
+              else
+                reflection.autosave = true
+              end
               add_autosave_association_callbacks(reflection)
 
               nested_attributes_options = self.nested_attributes_options.dup
@@ -24,7 +28,7 @@ module ActiveRecord
 
               type = (reflection.collection? ? :collection : :one_to_one)
 
-              generated_methods_module = generated_association_methods
+              generated_methods_module = (ActiveRecord::VERSION::MAJOR == 4 && ActiveRecord::VERSION::MINOR == 0) ? generated_feature_methods : generated_association_methods
 
               # def pirate_attributes=(attributes)
               #   assign_nested_attributes_for_one_to_one_association(:pirate, attributes, mass_assignment_options)
@@ -50,6 +54,12 @@ module ActiveRecord
 
       def assign_nested_attributes_for_one_to_one_association(association_name, attributes, assignment_opts = {})
         options = self.nested_attributes_options[association_name]
+        if attributes.class.name == 'ActionController::Parameters'
+          attributes = attributes.to_unsafe_h
+        elsif !attributes.is_a?(Hash) && !attributes.is_a?(Array)
+          raise ArgumentError, "ActionController::Parameters or Hash or Array expected, got #{attributes.class.name} (#{attributes.inspect})"
+        end
+
         attributes = attributes.with_indifferent_access
 
         if  (options[:update_only] || !attributes['id'].blank?) && (record = send(association_name)) &&

data/lib/active_record/mass_assignment_security/relation.rb

@@ -1,5 +1,8 @@
 module ActiveRecord
   class Relation
+    undef :new
+    undef :create
+    undef :create!
     undef :first_or_create
     undef :first_or_create!
     undef :first_or_initialize
@@ -7,6 +10,32 @@ module ActiveRecord
     undef :find_or_create_by
     undef :find_or_create_by!
 
+    def new(attributes = nil, options = {}, &block)
+      attrs = respond_to?(:values_for_create) ? values_for_create(attributes) : attributes
+
+      scoping { klass.new(attrs, options, &block) }
+    end
+
+    def create(attributes = nil, options = {}, &block)
+      if attributes.is_a?(Array)
+        attributes.collect { |attr| create(attr, options, &block) }
+      else
+        attrs = respond_to?(:values_for_create) ? values_for_create(attributes) : attributes
+
+        scoping { klass.create(attrs, options, &block) }
+      end
+    end
+
+    def create!(attributes = nil, options = {}, &block)
+      if attributes.is_a?(Array)
+        attributes.collect { |attr| create!(attr, options, &block) }
+      else
+        attrs = respond_to?(:values_for_create) ? values_for_create(attributes) : attributes
+
+        scoping { klass.create!(attrs, options, &block) }
+      end
+    end
+
     # Tries to load the first record; if it fails, then <tt>create</tt> is called with the same arguments as this method.
     #
     # Expects arguments in the same format as +Base.create+.

data/lib/protected_attributes/version.rb

@@ -1,3 +1,3 @@
 module ProtectedAttributes
-  VERSION = "1.3.0"
+  VERSION = "1.4.0"
 end

metadata

@@ -1,69 +1,69 @@
 --- !ruby/object:Gem::Specification
 name: protected_attributes_continued
 version: !ruby/object:Gem::Version
-  version: 1.3.0
+  version: 1.4.0
 platform: ruby
 authors:
 - Weston Ganger
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-05-05 00:00:00.000000000 Z
+date: 2018-12-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '5.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '5.0'
 - !ruby/object:Gem::Dependency
   name: activerecord
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '5.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '5.0'
 - !ruby/object:Gem::Dependency
   name: actionpack
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '5.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '5.0'
 - !ruby/object:Gem::Dependency
   name: railties
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '5.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '5.0'
 - !ruby/object:Gem::Dependency
@@ -82,6 +82,20 @@ dependencies:
         version: '0'
 - !ruby/object:Gem::Dependency
   name: mocha
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.4.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.4.0
+- !ruby/object:Gem::Dependency
+  name: appraisal
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -96,7 +110,7 @@ dependencies:
         version: '0'
 description: Protect attributes from mass assignment
 email:
-- westonganger@gmail.com
+- weston@westonganger.com
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -140,8 +154,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.8
+rubygems_version: 3.0.1
 signing_key: 
 specification_version: 4
 summary: Protect attributes from mass assignment in Active Record models