protected_attributes_continued 1.4.0 → 1.5.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 8e01eccbad4a21cdd10334379dc742f0edc97dd8a6b99b03e8d1e105d5a159a4
4
- data.tar.gz: e41d9f31ea96a9ed1edbc30063ac258f820452554d64d58f6ce0e2945027e74c
3
+ metadata.gz: 70d4e141e5ed0d0cb72742bcd0508f91ecf6eb8c1d245179b2304d8d7a339342
4
+ data.tar.gz: 89934e992683f95f7cf059c349360895041c4f8f7a9502c3e15032ef7e6e1be2
5
5
  SHA512:
6
- metadata.gz: 9317411a772594accc0cbc59ca0c07a755b58f1b0c1b6553d5843cb37b6e7f3ec0defb4b5e84686a8564fafff6bb43cd803768fe230dd8b990ee236aa1281620
7
- data.tar.gz: 608d732479681ce5d90a231e8f44862e54a7cb0a6ce323088c90f6dc22b52eaa85a0a7e471ee5cbe8979d6514f9f45be3fb6533a4def88dfcd2ae8a12a1ca13c
6
+ metadata.gz: a80e1481d125eb604db6992002f5bfb8e679c4bc69daa05b8b58f54c807c29e0b1750b782377898d748dc0304e65ae6ee479b57219c341d8702637d56d4c9b1a
7
+ data.tar.gz: 8f8e18e1468746c56ff4628af838666b0a367e64b52226146bec33404b5260c04a90776132797e06457fcda94ca5fb931638520e0fd26ac55e5b2badfa772b62
data/README.md CHANGED
@@ -3,11 +3,9 @@
3
3
  <a href='https://travis-ci.org/westonganger/protected_attributes_continued' target='_blank'><img height='21' style='border:0px;height:21px;' src='https://api.travis-ci.org/westonganger/protected_attributes_continued.svg?branch=master' border='0' alt='Build Status' /></a>
4
4
  <a href='https://rubygems.org/gems/protected_attributes_continued' target='_blank'><img height='21' style='border:0px;height:21px;' src='https://ruby-gem-downloads-badge.herokuapp.com/protected_attributes_continued?label=rubygems&type=total&total_label=downloads&color=brightgreen' border='0' alt='RubyGems Downloads' /></a>
5
5
 
6
- This is the community continued version of `protected_attributes`. It works with Rails 5+ only and I recommend you only use it to support legacy portions of your application that you do not want to upgrade. Note that this feature was dropped by the Rails team and switched to strong_parameters because of security issues, just so you understand your risks. This is in use successfully in some of my Rails 5 apps in which security like this is a non-issue. For people who would like to continue using this feature in their Rails 5 apps lets continue the work here. If you are looking for a similar approach see my [recommended alternative](https://github.com/westonganger/protected_attributes_continued#a-better-alternative)
6
+ > This is the community continued version of `protected_attributes` for Rails 5+. I recommend you only use it to support legacy portions of your application that you do not want to upgrade. The Rails team dropped this feature and switched to `strong_parameters` because of security issues. However some applications simply cannot be upgraded or security like this is a non-issue. To continue supporting this feature going forward lets continue the work here.
7
7
 
8
- Protect attributes from mass-assignment in Active Record models.
9
-
10
- This plugin adds the class methods `attr_accessible` and `attr_protected` to your models to be able to declare white or black lists of attributes.
8
+ Protect attributes from mass-assignment in Active Record models. This gem adds the class methods `attr_accessible` and `attr_protected` to declare white or black lists of attributes.
11
9
 
12
10
 
13
11
  ## Installation
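Review bot: The rewritten intro paragraph drops both the "just so you understand your risks" wording and the link to the alternative section, so a reader who stops at the top of the README no longer gets pointed at the `strong_params` approach. Suggest keeping a short pointer to the "A Simple and Similar strong_params Alternative" section at the end of the blockquote, and stating who the gem is safe for rather than "security like this is a non-issue", which reads as a general claim. Minor: "lets continue" should be "let's continue".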
@@ -98,7 +96,6 @@ config.active_record.mass_assignment_sanitizer = :strict
98
96
 
99
97
  Any protected attributes violation raises `ActiveModel::MassAssignmentSecurity::Error` then.
100
98
 
101
-
102
99
  ## Contributing
103
100
 
104
101
  We use the `appraisal` gem for testing multiple versions of `Rails`. Please use the following steps to test using `appraisal`.
@@ -112,25 +109,24 @@ Created & Maintained by [Weston Ganger](https://westonganger.com) - [@westongang
112
109
 
113
110
  Originally forked from the dead/unmaintained `protected_attributes` gem by the Rails team.
114
111
 
115
- ## A Better Alternative
112
+ ## A Simple and Similar strong_params Alternative
116
113
 
117
- While I do utilize this gem in some legacy projects I have adopted an alternative approach that is similar to this gem but only utilizes Rails built-in `strong_params` which is a much more future proof way of doing things. See the following example for how to implement.
114
+ While I do utilize this gem in some legacy projects. The latest approach I have adopted is similar to this gem but only utilizes Rails built-in `strong_params` which is a much more future proof way of doing things. The following is an example implementation.
118
115
 
119
116
  ```ruby
117
+ ### Model
120
118
  class Post < ActiveRecord::Base
121
-
122
119
  def self.strong_params(params)
123
120
  params.permit(:post).permit(:name, :content, :published_at)
124
121
  end
125
-
126
122
  end
127
123
 
124
+ ### Controller
128
125
  class PostsController < ApplicationController
129
-
130
126
  def create
131
- @post = Post.new
132
-
133
- @post.assign_attributes(Post.strong_params(params))
127
+ @post = Post.new(Post.strong_params(params))
128
+
129
+ @post.save
134
130
 
135
131
  respond_with @post
136
132
  end
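Review bot: The example's `params.permit(:post).permit(:name, :content, :published_at)` line is left unchanged in this hunk, but it does not return the nested post attributes: `permit(:post)` only admits a scalar under `:post`, so a nested hash is filtered out and the second `permit` runs on an empty set. Since the example is being reworked here anyway, change it to `params.require(:post).permit(:name, :content, :published_at)`. Also, the new opening sentence "While I do utilize this gem in some legacy projects." is a fragment and should be joined to the sentence that follows it.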
@@ -142,6 +138,5 @@ class PostsController < ApplicationController
142
138
 
143
139
  respond_with @post
144
140
  end
145
-
146
141
  end
147
142
  ```
@@ -96,6 +96,25 @@ module ActiveRecord
96
96
  undef :build_record
97
97
  undef :options_for_through_record if respond_to?(:options_for_through_record, false)
98
98
 
99
+ if ActiveRecord.version >= Gem::Version.new('5.2.3')
100
+ undef :build_through_record
101
+
102
+ def build_through_record(record)
103
+ @through_records[record.object_id] ||= begin
104
+ ensure_mutable
105
+
106
+ attributes = through_scope_attributes
107
+ attributes[source_reflection.name] = record
108
+ attributes[source_reflection.foreign_type] = options[:source_type] if options[:source_type]
109
+
110
+ # Pass in `without_protection: true` here because `options_for_through_record`
111
+ # was removed in https://github.com/rails/rails/pull/35799
112
+ through_association.build(attributes, without_protection: true)
113
+ end
114
+ end
115
+ private :build_through_record
116
+ end
117
+
99
118
  def build_record(attributes, options = {})
100
119
  ensure_not_nested
101
120
 
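Review bot: `undef :build_through_record` is unconditional, while the `undef :options_for_through_record` line just above it is guarded; if a future Active Record at or above 5.2.3 renames or moves the method, this raises `NameError` at load time. Guard it with `method_defined?` or `private_method_defined?`. The replacement body passes `without_protection: true` to `through_association.build`, and the comment explains why the option moved but not why bypassing protection is acceptable here. Worth saying in the comment that `attributes` is built only from `through_scope_attributes`, the record and `options[:source_type]`, none of which is request input. A test that covers `has_many :through` with `attr_accessible` on the join model on 5.2.3+ would keep this copy of the Rails internals from drifting unnoticed.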
@@ -54,6 +54,7 @@ module ActiveRecord
54
54
 
55
55
  def assign_nested_attributes_for_one_to_one_association(association_name, attributes, assignment_opts = {})
56
56
  options = self.nested_attributes_options[association_name]
57
+
57
58
  if attributes.class.name == 'ActionController::Parameters'
58
59
  attributes = attributes.to_unsafe_h
59
60
  elsif !attributes.is_a?(Hash) && !attributes.is_a?(Array)
@@ -62,8 +63,7 @@ module ActiveRecord
62
63
 
63
64
  attributes = attributes.with_indifferent_access
64
65
 
65
- if (options[:update_only] || !attributes['id'].blank?) && (record = send(association_name)) &&
66
- (options[:update_only] || record.id.to_s == attributes['id'].to_s)
66
+ if (options[:update_only] || !attributes['id'].blank?) && (record = send(association_name)) && (options[:update_only] || record.id.to_s == attributes['id'].to_s)
67
67
  assign_to_or_mark_for_destruction(record, attributes, options[:allow_destroy], assignment_opts) unless call_reject_if(association_name, attributes)
68
68
 
69
69
  elsif attributes['id'].present? && !assignment_opts[:without_protection]
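Review bot: Style point on the joined `if` line: the condition is now one very long line with `options[:update_only]` tested twice and an assignment (`record = send(association_name)`) buried in the middle. If the goal is to avoid the line continuation, consider assigning `record = send(association_name)` on its own line first and naming the two sub-conditions, so the `elsif` branch below that checks `!assignment_opts[:without_protection]` is easier to compare against it.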
@@ -122,6 +122,12 @@ module ActiveRecord
122
122
  end
123
123
 
124
124
  attributes_collection.each do |attributes|
125
+ if attributes.class.name == 'ActionController::Parameters'
126
+ attributes = attributes.to_unsafe_h
127
+ elsif !attributes.is_a?(Hash) && !attributes.is_a?(Array)
128
+ raise ArgumentError, "ActionController::Parameters or Hash or Array expected, got #{attributes.class.name} (#{attributes.inspect})"
129
+ end
130
+
125
131
  attributes = attributes.with_indifferent_access
126
132
 
127
133
  if attributes['id'].blank?
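Review bot: The new type check lets an `Array` element through (`!attributes.is_a?(Hash) && !attributes.is_a?(Array)`), but the very next statement calls `attributes.with_indifferent_access`, which an `Array` does not respond to, so that input fails with `NoMethodError` instead of the intended `ArgumentError`. Either drop `Array` from the check and the message inside this loop, or handle it before the call. Two smaller points: this block duplicates the one already in `assign_nested_attributes_for_one_to_one_association`, so a shared private helper would keep them in sync, and comparing `attributes.class.name` to a string misses subclasses of `ActionController::Parameters`. A short comment that `to_unsafe_h` deliberately ignores the `permitted?` state, because filtering is left to `attr_accessible`/`attr_protected`, would help readers auditing this path.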
@@ -1,3 +1,3 @@
1
1
  module ProtectedAttributes
2
- VERSION = "1.4.0"
2
+ VERSION = "1.5.0"
3
3
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: protected_attributes_continued
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.4.0
4
+ version: 1.5.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Weston Ganger
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2018-12-28 00:00:00.000000000 Z
11
+ date: 2019-08-16 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activemodel
@@ -154,7 +154,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
154
154
  - !ruby/object:Gem::Version
155
155
  version: '0'
156
156
  requirements: []
157
- rubygems_version: 3.0.1
157
+ rubygems_version: 3.0.3
158
158
  signing_key:
159
159
  specification_version: 4
160
160
  summary: Protect attributes from mass assignment in Active Record models