protected_attributes_continued 1.3.0 → 1.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 2eb844e472b4ede262323c067507b498ad29bd27
-  data.tar.gz: a2c7241c8c82757901c5e065d39a0adbc8dfd5bb
+SHA256:
+  metadata.gz: 3a53af38e43c5d8fee4bf8cb3f199422844d27b7104ac13e3c31b7bdc7af192a
+  data.tar.gz: 318cd88bd28f923e8ba90c5dc9e8e837cab4427501adde30b1797ab24234c96d
 SHA512:
-  metadata.gz: 7d9e0f27404e0f676ed38fc118da71dbc1e9dfa682bb632de1eadc33a96299277793b017467b0f3746ebdbf3bfe80aba726399124536b035b63e5f8827562e6b
-  data.tar.gz: 1ccfdcb731a28be930dee878c1d1d474ecb41a5f40636d96a899d6a8d26a09c8fde2ab403d98da73b1663f539df5ee2c1f48040be585932d474ce1d398c9e94b
+  metadata.gz: d9dcf4759ad7112b4b8d3191c28458ae8aa36503ae945fc481ca798e1c3e4f86bc815fc63da6d0dee616f88b70563c30e8d5a19da6ac26c05eecdf99172a2540
+  data.tar.gz: d3ffa567d9ce6896bb1ddd398a796eef5bedbf090dc08e8b00db56cdc4b132cc9776ed42b48a637382b1027dff2f40a419a8f7f4e965132ac996b21b00043e90

data/LICENSE.txt

@@ -1,4 +1,4 @@
-Copyright (c) 2012-2016 Guillermo Iguaran
+Copyright (c) 2012-2017 Guillermo Iguaran
 
 MIT License
 

data/README.md

@@ -1,12 +1,11 @@
 # Protected Attributes Continued
+<a href="https://badge.fury.io/rb/protected_attributes_continued" target="_blank"><img height="21" style='border:0px;height:21px;' border='0' src="https://badge.fury.io/rb/protected_attributes_continued.svg" alt="Gem Version"></a>
+<a href='https://github.com/westonganger/protected_attributes_continued/actions' target='_blank'><img src="https://github.com/westonganger/protected_attributes_continued/workflows/Tests/badge.svg" style="max-width:100%;" height='21' style='border:0px;height:21px;' border='0' alt="CI Status"></a>
+<a href='https://rubygems.org/gems/protected_attributes_continued' target='_blank'><img height='21' style='border:0px;height:21px;' src='https://ruby-gem-downloads-badge.herokuapp.com/protected_attributes_continued?label=rubygems&type=total&total_label=downloads&color=brightgreen' border='0' alt='RubyGems Downloads' /></a>
 
-[![Build Status](https://api.travis-ci.org/westonganger/protected_attributes_continued.svg?branch=master)](https://travis-ci.org/westonganger/protected_attributes_continued)
+> This is the community continued version of [`protected_attributes`](https://github.com/rails/protected_attributes) for Rails 5+. The Rails team dropped this feature and switched to `strong_parameters`. However some applications simply cannot be upgraded or the reduced granularity in params management is a non-issue. To continue supporting this feature going forward we continue the work here.
 
-This is the community continued version of `protected_attributes`. It works with Rails 5 only and I recommend you only use it to support legacy portions of your application that you do not want to upgrade. Note that this feature was dropped by the Rails team and switched to strong_parameters because of security issues, just so you understand your risks. This is in use successfully in some of my Rails 5 apps in which security like this is a non-issue. For people who would like to continue using this feature in their Rails 5 apps lets continue the work here. 
-
-Protect attributes from mass-assignment in Active Record models.
-
-This plugin adds the class methods `attr_accessible` and `attr_protected` to your models to be able to declare white or black lists of attributes.
+Protect attributes from mass-assignment in Active Record models. This gem adds the class methods `attr_accessible` and `attr_protected` to declare white or black lists of attributes.
 
 
 ## Installation
@@ -97,11 +96,64 @@ config.active_record.mass_assignment_sanitizer = :strict
 
 Any protected attributes violation raises `ActiveModel::MassAssignmentSecurity::Error` then.
 
+## Contributing
+
+For quicker feedback during gem development or debugging feel free to use the provided `rake console` task. It is defined within the [`Rakefile`](./Rakefile).
+
+We test multiple versions of `Rails` using the `appraisal` gem. Please use the following steps to test using `appraisal`.
+
+1. `bundle exec appraisal install`
+2. `bundle exec appraisal rake test`
 
-# Credits
+## Credits
 
-Created and Maintained by [Weston Ganger - @westonganger](https://github.com/westonganger)
+Created & Maintained by [Weston Ganger](https://westonganger.com) - [@westonganger](https://github.com/westonganger)
 
-Originally forked from the dead/unmaintained `protected_attributes` gem by the Rails team.
+Originally forked from the dead/unmaintained [`protected_attributes`](https://github.com/rails/protected_attributes) gem by the Rails team.
 
-<a href='https://ko-fi.com/A5071NK' target='_blank'><img height='32' style='border:0px;height:32px;' src='https://az743702.vo.msecnd.net/cdn/kofi1.png?v=a' border='0' alt='Buy Me a Coffee' /></a> 
+## A Simple and Similar strong_params Alternative
+
+While I do utilize this gem in some legacy projects. The latest approach I have adopted is similar to this gem but only utilizes Rails built-in `strong_params` which is a much more future proof way of doing things. The following is an example implementation.
+
+```ruby
+### Model
+class Post < ActiveRecord::Base
+  has_many :comments
+
+  accepts_nested_attributes_for :comments, allow_destroy: true
+  
+  def self.strong_params(params)
+    params.permit(:post).permit(*PERMITTED_ATTRIBUTES)
+  end
+  
+  PERMITTED_PARAMETERS = [
+    :id,
+    :name,
+    :content,
+    :published_at,
+    {
+      comments_attributes: Comment::PERMITTED_PARAMETERS,
+    }
+  ].freeze
+  
+end
+
+### Controller
+class PostsController < ApplicationController
+  def create
+    @post = Post.new(Post.strong_params(params))
+    
+    @post.save
+
+    respond_with @post
+  end
+
+  def update
+    @post = Post.find(params[:id])
+
+    @post.update(Post.strong_params(params))
+
+    respond_with @post
+  end
+end
+```

data/lib/active_record/mass_assignment_security.rb

@@ -7,6 +7,7 @@ require "active_record/mass_assignment_security/nested_attributes"
 require "active_record/mass_assignment_security/persistence"
 require "active_record/mass_assignment_security/reflection"
 require "active_record/mass_assignment_security/relation"
+require "active_record/mass_assignment_security/association_relation"
 require "active_record/mass_assignment_security/validations"
 require "active_record/mass_assignment_security/associations"
 require "active_record/mass_assignment_security/inheritance"

data/lib/active_record/mass_assignment_security/association_relation.rb

@@ -0,0 +1,33 @@
+module ActiveRecord
+  class AssociationRelation
+    undef :new
+    undef :create
+    undef :create!
+
+    def build(attributes = nil, options = {}, &block)
+      if ActiveRecord::VERSION::STRING.to_f < 5.2
+        scoping { @association.build(attributes, options, &block) }
+      else
+        @association.build(attributes, options, &block)
+      end
+    end
+    alias new build
+
+    def create(attributes = nil, options = {}, &block)
+      if ActiveRecord::VERSION::STRING.to_f < 5.2
+        scoping { @association.create(attributes, options, &block) }
+      else
+        @association.create(attributes, options, &block)
+      end
+    end
+
+    def create!(attributes = nil, options = {}, &block)
+      if ActiveRecord::VERSION::STRING.to_f < 5.2
+        scoping { @association.create!(attributes, options, &block) }
+      else
+        @association.create!(attributes, options, &block)
+      end
+    end
+
+  end
+end

data/lib/active_record/mass_assignment_security/associations.rb

@@ -1,3 +1,5 @@
+### Original Rails Code - https://github.com/rails/rails/tree/master/activerecord/lib/active_record/associations
+
 module ActiveRecord
   module Associations
     class Association
@@ -5,11 +7,11 @@ module ActiveRecord
 
       def build_record(attributes, options)
         reflection.build_association(attributes, options) do |record|
-          attributes = create_scope.except(*(record.changed - [reflection.foreign_key]))
+          the_scope = (ActiveRecord::VERSION::STRING.to_f >= 5.2 ? scope_for_create : create_scope)
+          attributes = the_scope.except(*(record.changed - [reflection.foreign_key]))
           record.assign_attributes(attributes, without_protection: true)
         end
       end
-
       private :build_record
     end
 
@@ -52,7 +54,6 @@ module ActiveRecord
           end
         end
       end
-
       private :create_record
     end
 
@@ -75,26 +76,41 @@ module ActiveRecord
     end
 
     module ThroughAssociation
-      undef :build_record if respond_to?(:build_record, false)
+      ### Cant use respond_to?(method, true) because its a module instead of a class
+      undef :build_record if self.private_instance_methods.include?(:build_record)
+      def build_record(attributes, options={})
+        inverse = source_reflection.inverse_of
+        target = through_association.target
 
-      private
+        if inverse && target && !target.is_a?(Array)
+          attributes[inverse.foreign_key] = target.id
+        end
 
-        def build_record(attributes, options={})
-          inverse = source_reflection.inverse_of
-          target = through_association.target
+        super(attributes, options)
+      end
+      private :build_record
+    end
 
-          if inverse && target && !target.is_a?(Array)
-            attributes[inverse.foreign_key] = target.id
+    class HasManyThroughAssociation
+      if ActiveRecord.version >= Gem::Version.new('5.2.3')
+        undef :build_through_record
+        def build_through_record(record)
+          @through_records[record.object_id] ||= begin
+            ensure_mutable
+
+            attributes = through_scope_attributes
+            attributes[source_reflection.name] = record
+            attributes[source_reflection.foreign_type] = options[:source_type] if options[:source_type]
+
+            # Pass in `without_protection: true` here because `options_for_through_record`
+            # was removed in https://github.com/rails/rails/pull/35799
+            through_association.build(attributes, without_protection: true)
           end
-
-          super(attributes, options)
         end
-    end
+        private :build_through_record
+      end
 
-    class HasManyThroughAssociation
       undef :build_record
-      undef :options_for_through_record if respond_to?(:options_for_through_record, false)
-
       def build_record(attributes, options = {})
         ensure_not_nested
 
@@ -113,6 +129,7 @@ module ActiveRecord
       end
       private :build_record
 
+      undef :options_for_through_record if respond_to?(:options_for_through_record, true)
       def options_for_through_record
         [through_scope_attributes, without_protection: true]
       end

data/lib/active_record/mass_assignment_security/attribute_assignment.rb

@@ -12,9 +12,17 @@ module ActiveRecord
 
         # The primary key and inheritance column can never be set by mass-assignment for security reasons.
         def attributes_protected_by_default
-          default = [ primary_key, inheritance_column ]
-          default << 'id' unless primary_key.eql? 'id'
-          default
+          begin
+            default = [primary_key, inheritance_column]
+
+            if !primary_key.eql?('id')
+              default << 'id'
+            end
+          rescue ActiveRecord::NoDatabaseError
+            default = []
+          end
+
+          return default
         end
       end
 

data/lib/active_record/mass_assignment_security/core.rb

@@ -3,6 +3,7 @@ module ActiveRecord
     module Core
 
       def initialize(attributes = nil, options = {})
+        @new_record = true
         self.class.define_attribute_methods
         @attributes = self.class._default_attributes.deep_dup
 

data/lib/active_record/mass_assignment_security/inheritance.rb

@@ -4,20 +4,41 @@ module ActiveRecord
       extend ActiveSupport::Concern
 
       module ClassMethods
-
+  
         private
 
         # Detect the subclass from the inheritance column of attrs. If the inheritance column value
         # is not self or a valid subclass, raises ActiveRecord::SubclassNotFound
-        # If this is a StrongParameters hash, and access to inheritance_column is not permitted,
-        # this will ignore the inheritance column and return nil
-        def subclass_from_attributes?(attrs)
+        def subclass_from_attributes(attrs)
           active_authorizer[:default].deny?(inheritance_column) ? nil : super
         end
+      end
+    end
+  end
+end
 
-        # Support Active Record <= 4.0.3, which uses the old method signature.
-        def subclass_from_attrs(attrs)
-          active_authorizer[:default].deny?(inheritance_column) ? nil : super
+module ActiveRecord
+  module Inheritance
+    module ClassMethods
+      undef :new
+
+      def new(attributes = nil, options = {}, &block)
+        if abstract_class? || self == Base
+          raise NotImplementedError, "#{self} is an abstract class and cannot be instantiated."
+        end
+
+        if has_attribute?(inheritance_column)
+          subclass = subclass_from_attributes(attributes)
+
+          if respond_to?(:column_defaults) && subclass.nil? && base_class == self
+            subclass = subclass_from_attributes(column_defaults)
+          end
+        end
+
+        if subclass && subclass != self
+          subclass.new(attributes, options, &block)
+        else
+          super
         end
       end
     end

data/lib/active_record/mass_assignment_security/nested_attributes.rb

@@ -15,7 +15,11 @@ module ActiveRecord
 
           attr_names.each do |association_name|
             if reflection = reflect_on_association(association_name)
-              reflection.autosave = true
+              if ActiveRecord::VERSION::MAJOR == 4 && ActiveRecord::VERSION::MINOR == 0
+                reflection.options[:autosave] = true
+              else
+                reflection.autosave = true
+              end
               add_autosave_association_callbacks(reflection)
 
               nested_attributes_options = self.nested_attributes_options.dup
@@ -24,7 +28,7 @@ module ActiveRecord
 
               type = (reflection.collection? ? :collection : :one_to_one)
 
-              generated_methods_module = generated_association_methods
+              generated_methods_module = (ActiveRecord::VERSION::MAJOR == 4 && ActiveRecord::VERSION::MINOR == 0) ? generated_feature_methods : generated_association_methods
 
               # def pirate_attributes=(attributes)
               #   assign_nested_attributes_for_one_to_one_association(:pirate, attributes, mass_assignment_options)
@@ -50,10 +54,16 @@ module ActiveRecord
 
       def assign_nested_attributes_for_one_to_one_association(association_name, attributes, assignment_opts = {})
         options = self.nested_attributes_options[association_name]
+
+        if attributes.class.name == 'ActionController::Parameters'
+          attributes = attributes.to_unsafe_h
+        elsif !attributes.is_a?(Hash) && !attributes.is_a?(Array)
+          raise ArgumentError, "ActionController::Parameters or Hash or Array expected, got #{attributes.class.name} (#{attributes.inspect})"
+        end
+
         attributes = attributes.with_indifferent_access
 
-        if  (options[:update_only] || !attributes['id'].blank?) && (record = send(association_name)) &&
-            (options[:update_only] || record.id.to_s == attributes['id'].to_s)
+        if (options[:update_only] || !attributes['id'].blank?) && (record = send(association_name)) && (options[:update_only] || record.id.to_s == attributes['id'].to_s)
           assign_to_or_mark_for_destruction(record, attributes, options[:allow_destroy], assignment_opts) unless call_reject_if(association_name, attributes)
 
         elsif attributes['id'].present? && !assignment_opts[:without_protection]
@@ -112,6 +122,12 @@ module ActiveRecord
         end
 
         attributes_collection.each do |attributes|
+          if attributes.class.name == 'ActionController::Parameters'
+            attributes = attributes.to_unsafe_h
+          elsif !attributes.is_a?(Hash) && !attributes.is_a?(Array)
+            raise ArgumentError, "ActionController::Parameters or Hash or Array expected, got #{attributes.class.name} (#{attributes.inspect})"
+          end
+          
           attributes = attributes.with_indifferent_access
 
           if attributes['id'].blank?

data/lib/active_record/mass_assignment_security/relation.rb

@@ -1,5 +1,8 @@
 module ActiveRecord
   class Relation
+    undef :new
+    undef :create
+    undef :create!
     undef :first_or_create
     undef :first_or_create!
     undef :first_or_initialize
@@ -7,6 +10,32 @@ module ActiveRecord
     undef :find_or_create_by
     undef :find_or_create_by!
 
+    def new(attributes = nil, options = {}, &block)
+      attrs = respond_to?(:values_for_create) ? values_for_create(attributes) : attributes
+
+      scoping { klass.new(attrs, options, &block) }
+    end
+
+    def create(attributes = nil, options = {}, &block)
+      if attributes.is_a?(Array)
+        attributes.collect { |attr| create(attr, options, &block) }
+      else
+        attrs = respond_to?(:values_for_create) ? values_for_create(attributes) : attributes
+
+        scoping { klass.create(attrs, options, &block) }
+      end
+    end
+
+    def create!(attributes = nil, options = {}, &block)
+      if attributes.is_a?(Array)
+        attributes.collect { |attr| create!(attr, options, &block) }
+      else
+        attrs = respond_to?(:values_for_create) ? values_for_create(attributes) : attributes
+
+        scoping { klass.create!(attrs, options, &block) }
+      end
+    end
+
     # Tries to load the first record; if it fails, then <tt>create</tt> is called with the same arguments as this method.
     #
     # Expects arguments in the same format as +Base.create+.

data/lib/protected_attributes/version.rb

@@ -1,3 +1,3 @@
 module ProtectedAttributes
-  VERSION = "1.3.0"
+  VERSION = "1.8.0".freeze
 end

metadata

@@ -1,87 +1,87 @@
 --- !ruby/object:Gem::Specification
 name: protected_attributes_continued
 version: !ruby/object:Gem::Version
-  version: 1.3.0
+  version: 1.8.0
 platform: ruby
 authors:
 - Weston Ganger
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-05-05 00:00:00.000000000 Z
+date: 2021-03-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '5.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '5.0'
 - !ruby/object:Gem::Dependency
   name: activerecord
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '5.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '5.0'
 - !ruby/object:Gem::Dependency
   name: actionpack
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '5.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '5.0'
 - !ruby/object:Gem::Dependency
   name: railties
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '5.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '5.0'
 - !ruby/object:Gem::Dependency
-  name: sqlite3
+  name: mocha
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 1.4.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 1.4.0
 - !ruby/object:Gem::Dependency
-  name: mocha
+  name: appraisal
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -96,7 +96,7 @@ dependencies:
         version: '0'
 description: Protect attributes from mass assignment
 email:
-- westonganger@gmail.com
+- weston@westonganger.com
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -108,6 +108,7 @@ files:
 - lib/active_model/mass_assignment_security/permission_set.rb
 - lib/active_model/mass_assignment_security/sanitizer.rb
 - lib/active_record/mass_assignment_security.rb
+- lib/active_record/mass_assignment_security/association_relation.rb
 - lib/active_record/mass_assignment_security/associations.rb
 - lib/active_record/mass_assignment_security/attribute_assignment.rb
 - lib/active_record/mass_assignment_security/core.rb
@@ -140,8 +141,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.8
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Protect attributes from mass assignment in Active Record models