protected_attributes_continued 1.4.0 → 1.8.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8e01eccbad4a21cdd10334379dc742f0edc97dd8a6b99b03e8d1e105d5a159a4
-  data.tar.gz: e41d9f31ea96a9ed1edbc30063ac258f820452554d64d58f6ce0e2945027e74c
+  metadata.gz: 5e881236bacf8378d98f06eb98269417a5082383de65360f522e524062fbcdfb
+  data.tar.gz: 45f598ce1954ed9542934e676af3ac8f53e6b5c6dea2c35e87b3100721d2522a
 SHA512:
-  metadata.gz: 9317411a772594accc0cbc59ca0c07a755b58f1b0c1b6553d5843cb37b6e7f3ec0defb4b5e84686a8564fafff6bb43cd803768fe230dd8b990ee236aa1281620
-  data.tar.gz: 608d732479681ce5d90a231e8f44862e54a7cb0a6ce323088c90f6dc22b52eaa85a0a7e471ee5cbe8979d6514f9f45be3fb6533a4def88dfcd2ae8a12a1ca13c
+  metadata.gz: 30fb108c2db47feeb17c7787dc1427a44e93b7ac47450d79f20d59a3bf814d3f8314eb42ee71a76bd3e1f54dbec508d56e917ab0f57d5a6c7c7e5a68a4ac2d8d
+  data.tar.gz: '0486645654d15f177a2ba9abd27069c598b9d08884a7beb4db9d7813ce79604265d0eab9263f937aa0957c963cbd66dc435d4628993381793789068d04d0573b'

data/README.md

@@ -1,13 +1,11 @@
 # Protected Attributes Continued
 <a href="https://badge.fury.io/rb/protected_attributes_continued" target="_blank"><img height="21" style='border:0px;height:21px;' border='0' src="https://badge.fury.io/rb/protected_attributes_continued.svg" alt="Gem Version"></a>
-<a href='https://travis-ci.org/westonganger/protected_attributes_continued' target='_blank'><img height='21' style='border:0px;height:21px;' src='https://api.travis-ci.org/westonganger/protected_attributes_continued.svg?branch=master' border='0' alt='Build Status' /></a>
+<a href='https://github.com/westonganger/protected_attributes_continued/actions' target='_blank'><img src="https://github.com/westonganger/protected_attributes_continued/workflows/Tests/badge.svg" style="max-width:100%;" height='21' style='border:0px;height:21px;' border='0' alt="CI Status"></a>
 <a href='https://rubygems.org/gems/protected_attributes_continued' target='_blank'><img height='21' style='border:0px;height:21px;' src='https://ruby-gem-downloads-badge.herokuapp.com/protected_attributes_continued?label=rubygems&type=total&total_label=downloads&color=brightgreen' border='0' alt='RubyGems Downloads' /></a>
 
-This is the community continued version of `protected_attributes`. It works with Rails 5+ only and I recommend you only use it to support legacy portions of your application that you do not want to upgrade. Note that this feature was dropped by the Rails team and switched to strong_parameters because of security issues, just so you understand your risks. This is in use successfully in some of my Rails 5 apps in which security like this is a non-issue. For people who would like to continue using this feature in their Rails 5 apps lets continue the work here. If you are looking for a similar approach see my [recommended alternative](https://github.com/westonganger/protected_attributes_continued#a-better-alternative)
+> This is the community continued version of [`protected_attributes`](https://github.com/rails/protected_attributes) for Rails 5+. The Rails team dropped this feature and switched to `strong_parameters`. However some applications simply cannot be upgraded or the reduced granularity in params management is a non-issue. To continue supporting this feature going forward we continue the work here.
 
-Protect attributes from mass-assignment in Active Record models.
-
-This plugin adds the class methods `attr_accessible` and `attr_protected` to your models to be able to declare white or black lists of attributes.
+Protect attributes from mass-assignment in Active Record models. This gem adds the class methods `attr_accessible` and `attr_protected` to declare white or black lists of attributes.
 
 
 ## Installation
@@ -98,10 +96,11 @@ config.active_record.mass_assignment_sanitizer = :strict
 
 Any protected attributes violation raises `ActiveModel::MassAssignmentSecurity::Error` then.
 
-
 ## Contributing
 
-We use the `appraisal` gem for testing multiple versions of `Rails`. Please use the following steps to test using `appraisal`.
+For quicker feedback during gem development or debugging feel free to use the provided `rake console` task. It is defined within the [`Rakefile`](./Rakefile).
+
+We test multiple versions of `Rails` using the `appraisal` gem. Please use the following steps to test using `appraisal`.
 
 1. `bundle exec appraisal install`
 2. `bundle exec appraisal rake test`
@@ -110,27 +109,41 @@ We use the `appraisal` gem for testing multiple versions of `Rails`. Please use
 
 Created & Maintained by [Weston Ganger](https://westonganger.com) - [@westonganger](https://github.com/westonganger)
 
-Originally forked from the dead/unmaintained `protected_attributes` gem by the Rails team.
+Originally forked from the dead/unmaintained [`protected_attributes`](https://github.com/rails/protected_attributes) gem by the Rails team.
 
-## A Better Alternative
+## A Simple and Similar strong_params Alternative
 
-While I do utilize this gem in some legacy projects I have adopted an alternative approach that is similar to this gem but only utilizes Rails built-in `strong_params` which is a much more future proof way of doing things. See the following example for how to implement.
+While I do utilize this gem in some legacy projects. The latest approach I have adopted is similar to this gem but only utilizes Rails built-in `strong_params` which is a much more future proof way of doing things. The following is an example implementation.
 
 ```ruby
+### Model
 class Post < ActiveRecord::Base
+  has_many :comments
 
+  accepts_nested_attributes_for :comments, allow_destroy: true
+  
   def self.strong_params(params)
-    params.permit(:post).permit(:name, :content, :published_at)
+    params.permit(:post).permit(*PERMITTED_ATTRIBUTES)
   end
-
+  
+  PERMITTED_PARAMETERS = [
+    :id,
+    :name,
+    :content,
+    :published_at,
+    {
+      comments_attributes: Comment::PERMITTED_PARAMETERS,
+    }
+  ].freeze
+  
 end
 
+### Controller
 class PostsController < ApplicationController
-
   def create
-    @post = Post.new
-
-    @post.assign_attributes(Post.strong_params(params))
+    @post = Post.new(Post.strong_params(params))
+    
+    @post.save
 
     respond_with @post
   end
@@ -142,6 +155,5 @@ class PostsController < ApplicationController
 
     respond_with @post
   end
-
 end
 ```

data/lib/active_record/mass_assignment_security.rb

@@ -7,6 +7,7 @@ require "active_record/mass_assignment_security/nested_attributes"
 require "active_record/mass_assignment_security/persistence"
 require "active_record/mass_assignment_security/reflection"
 require "active_record/mass_assignment_security/relation"
+require "active_record/mass_assignment_security/association_relation"
 require "active_record/mass_assignment_security/validations"
 require "active_record/mass_assignment_security/associations"
 require "active_record/mass_assignment_security/inheritance"

data/lib/active_record/mass_assignment_security/association_relation.rb

@@ -0,0 +1,45 @@
+module ActiveRecord
+  class AssociationRelation
+    undef :new
+    undef :create
+    undef :create!
+
+    def build(attributes = nil, options = {}, &block)
+      block = protected_attributes_scope_block('new', block)
+      scoping { @association.build(attributes, options, &block) }
+    end
+    alias new build
+
+    def create(attributes = nil, options = {}, &block)
+      block = protected_attributes_scope_block('create', block)
+      scoping { @association.create(attributes, options, &block) }
+    end
+
+    def create!(attributes = nil, options = {}, &block)
+      block = protected_attributes_scope_block('create!', block)
+      scoping { @association.create!(attributes, options, &block) }
+    end
+
+    private
+
+    if ActiveRecord.gem_version < Gem::Version.new('6.0')
+
+      def protected_attributes_scope_block(_label, block)
+        block
+      end
+
+    elsif ActiveRecord.gem_version < Gem::Version.new('6.1')
+
+      def protected_attributes_scope_block(label, block)
+        _deprecated_scope_block(label, &block)
+      end
+
+    else
+
+      def protected_attributes_scope_block(_label, block)
+        current_scope_restoring_block(&block)
+      end
+
+    end
+  end
+end

data/lib/active_record/mass_assignment_security/associations.rb

@@ -1,3 +1,5 @@
+### Original Rails Code - https://github.com/rails/rails/tree/master/activerecord/lib/active_record/associations
+
 module ActiveRecord
   module Associations
     class Association
@@ -10,7 +12,6 @@ module ActiveRecord
           record.assign_attributes(attributes, without_protection: true)
         end
       end
-
       private :build_record
     end
 
@@ -53,7 +54,6 @@ module ActiveRecord
           end
         end
       end
-
       private :create_record
     end
 
@@ -76,26 +76,41 @@ module ActiveRecord
     end
 
     module ThroughAssociation
-      undef :build_record if respond_to?(:build_record, false)
+      ### Cant use respond_to?(method, true) because its a module instead of a class
+      undef :build_record if self.private_instance_methods.include?(:build_record)
+      def build_record(attributes, options={})
+        inverse = source_reflection.inverse_of
+        target = through_association.target
 
-      private
+        if inverse && target && !target.is_a?(Array)
+          attributes[inverse.foreign_key] = target.id
+        end
 
-        def build_record(attributes, options={})
-          inverse = source_reflection.inverse_of
-          target = through_association.target
+        super(attributes, options)
+      end
+      private :build_record
+    end
 
-          if inverse && target && !target.is_a?(Array)
-            attributes[inverse.foreign_key] = target.id
+    class HasManyThroughAssociation
+      if ActiveRecord.version >= Gem::Version.new('5.2.3')
+        undef :build_through_record
+        def build_through_record(record)
+          @through_records[record.object_id] ||= begin
+            ensure_mutable
+
+            attributes = through_scope_attributes
+            attributes[source_reflection.name] = record
+            attributes[source_reflection.foreign_type] = options[:source_type] if options[:source_type]
+
+            # Pass in `without_protection: true` here because `options_for_through_record`
+            # was removed in https://github.com/rails/rails/pull/35799
+            through_association.build(attributes, without_protection: true)
           end
-
-          super(attributes, options)
         end
-    end
+        private :build_through_record
+      end
 
-    class HasManyThroughAssociation
       undef :build_record
-      undef :options_for_through_record if respond_to?(:options_for_through_record, false)
-
       def build_record(attributes, options = {})
         ensure_not_nested
 
@@ -114,6 +129,7 @@ module ActiveRecord
       end
       private :build_record
 
+      undef :options_for_through_record if respond_to?(:options_for_through_record, true)
       def options_for_through_record
         [through_scope_attributes, without_protection: true]
       end

data/lib/active_record/mass_assignment_security/attribute_assignment.rb

@@ -12,9 +12,17 @@ module ActiveRecord
 
         # The primary key and inheritance column can never be set by mass-assignment for security reasons.
         def attributes_protected_by_default
-          default = [ primary_key, inheritance_column ]
-          default << 'id' unless primary_key.eql? 'id'
-          default
+          begin
+            default = [primary_key, inheritance_column]
+
+            if !primary_key.eql?('id')
+              default << 'id'
+            end
+          rescue ActiveRecord::NoDatabaseError
+            default = []
+          end
+
+          return default
         end
       end
 

data/lib/active_record/mass_assignment_security/core.rb

@@ -3,6 +3,7 @@ module ActiveRecord
     module Core
 
       def initialize(attributes = nil, options = {})
+        @new_record = true
         self.class.define_attribute_methods
         @attributes = self.class._default_attributes.deep_dup
 

data/lib/active_record/mass_assignment_security/nested_attributes.rb

@@ -54,6 +54,7 @@ module ActiveRecord
 
       def assign_nested_attributes_for_one_to_one_association(association_name, attributes, assignment_opts = {})
         options = self.nested_attributes_options[association_name]
+
         if attributes.class.name == 'ActionController::Parameters'
           attributes = attributes.to_unsafe_h
         elsif !attributes.is_a?(Hash) && !attributes.is_a?(Array)
@@ -62,8 +63,7 @@ module ActiveRecord
 
         attributes = attributes.with_indifferent_access
 
-        if  (options[:update_only] || !attributes['id'].blank?) && (record = send(association_name)) &&
-            (options[:update_only] || record.id.to_s == attributes['id'].to_s)
+        if (options[:update_only] || !attributes['id'].blank?) && (record = send(association_name)) && (options[:update_only] || record.id.to_s == attributes['id'].to_s)
           assign_to_or_mark_for_destruction(record, attributes, options[:allow_destroy], assignment_opts) unless call_reject_if(association_name, attributes)
 
         elsif attributes['id'].present? && !assignment_opts[:without_protection]
@@ -122,6 +122,12 @@ module ActiveRecord
         end
 
         attributes_collection.each do |attributes|
+          if attributes.class.name == 'ActionController::Parameters'
+            attributes = attributes.to_unsafe_h
+          elsif !attributes.is_a?(Hash) && !attributes.is_a?(Array)
+            raise ArgumentError, "ActionController::Parameters or Hash or Array expected, got #{attributes.class.name} (#{attributes.inspect})"
+          end
+          
           attributes = attributes.with_indifferent_access
 
           if attributes['id'].blank?

data/lib/protected_attributes/version.rb

@@ -1,3 +1,3 @@
 module ProtectedAttributes
-  VERSION = "1.4.0"
+  VERSION = "1.8.1".freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: protected_attributes_continued
 version: !ruby/object:Gem::Version
-  version: 1.4.0
+  version: 1.8.1
 platform: ruby
 authors:
 - Weston Ganger
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-12-28 00:00:00.000000000 Z
+date: 2021-03-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activemodel
@@ -66,20 +66,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '5.0'
-- !ruby/object:Gem::Dependency
-  name: sqlite3
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: mocha
   requirement: !ruby/object:Gem::Requirement
@@ -122,6 +108,7 @@ files:
 - lib/active_model/mass_assignment_security/permission_set.rb
 - lib/active_model/mass_assignment_security/sanitizer.rb
 - lib/active_record/mass_assignment_security.rb
+- lib/active_record/mass_assignment_security/association_relation.rb
 - lib/active_record/mass_assignment_security/associations.rb
 - lib/active_record/mass_assignment_security/attribute_assignment.rb
 - lib/active_record/mass_assignment_security/core.rb
@@ -154,7 +141,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.1
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Protect attributes from mass assignment in Active Record models