protected_attributes_continued 1.6.0 → 1.8.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b10566280e992ec0bc867ca4d2c0b52f29c9e7b98aa197f523bc7e8930634197
-  data.tar.gz: b98a820d98f4828e5cd9a94ee96d8072112548b964576cdfab74a73c3660daa1
+  metadata.gz: 86d47e2aa9219271973c37cb944a3b5722c1d9667718eee090fbf3fe4df2c1de
+  data.tar.gz: c548ba06b3f2f884b2e6ec4e7ef8252755af23c837c2394d9212a9858e8334e9
 SHA512:
-  metadata.gz: a57bc937ec7efe500d594ffdf3200b51265c7ff0e1dd14e5188d43a0495840b55728168585da2cc5bba5f1b4fb8cf769e83391eeca6118089251ce7b31012974
-  data.tar.gz: e0933854f707e6a810103bd49f3001dd3eecceeb4c08cbca3c69b0c5d7d3758884026c7da594833b3a3eb957dd8a372ff8e68e442680485e0b35388b68aff046
+  metadata.gz: 74a4ee291ffbd2be19f45ddbee0bdd1b2b489bee22a4298399f814e140094551846bbf50cd4ac481c0ded209f8a80fa0cffb8d1c75c9d73c471d2eae00a133f2
+  data.tar.gz: c86f600a36c43204c193fd10558f7808857f578c4edbe3cf7af6425be7c7ba7ccc41c65c113305404f8dc18a90576550e66e605cc32185865f0642bd56053d8c

data/README.md

@@ -1,9 +1,9 @@
 # Protected Attributes Continued
 <a href="https://badge.fury.io/rb/protected_attributes_continued" target="_blank"><img height="21" style='border:0px;height:21px;' border='0' src="https://badge.fury.io/rb/protected_attributes_continued.svg" alt="Gem Version"></a>
-<a href='https://travis-ci.com/westonganger/protected_attributes_continued' target='_blank'><img height='21' style='border:0px;height:21px;' src='https://api.travis-ci.org/westonganger/protected_attributes_continued.svg?branch=master' border='0' alt='Build Status' /></a>
+<a href='https://github.com/westonganger/protected_attributes_continued/actions' target='_blank'><img src="https://github.com/westonganger/protected_attributes_continued/workflows/Tests/badge.svg" style="max-width:100%;" height='21' style='border:0px;height:21px;' border='0' alt="CI Status"></a>
 <a href='https://rubygems.org/gems/protected_attributes_continued' target='_blank'><img height='21' style='border:0px;height:21px;' src='https://ruby-gem-downloads-badge.herokuapp.com/protected_attributes_continued?label=rubygems&type=total&total_label=downloads&color=brightgreen' border='0' alt='RubyGems Downloads' /></a>
 
-> This is the community continued version of `protected_attributes` for Rails 5+. I recommend you only use it to support legacy portions of your application that you do not want to upgrade. The Rails team dropped this feature and switched to `strong_parameters` because of security issues. However some applications simply cannot be upgraded or security like this is a non-issue. To continue supporting this feature going forward lets continue the work here.
+> This is the community continued version of [`protected_attributes`](https://github.com/rails/protected_attributes) for Rails 5+. The Rails team dropped this feature and switched to `strong_parameters`. However some applications simply cannot be upgraded or the reduced granularity in params management is a non-issue. To continue supporting this feature going forward we continue the work here.
 
 Protect attributes from mass-assignment in Active Record models. This gem adds the class methods `attr_accessible` and `attr_protected` to declare white or black lists of attributes.
 
@@ -98,7 +98,9 @@ Any protected attributes violation raises `ActiveModel::MassAssignmentSecurity::
 
 ## Contributing
 
-We use the `appraisal` gem for testing multiple versions of `Rails`. Please use the following steps to test using `appraisal`.
+For quicker feedback during gem development or debugging feel free to use the provided `rake console` task. It is defined within the [`Rakefile`](./Rakefile).
+
+We test multiple versions of `Rails` using the `appraisal` gem. Please use the following steps to test using `appraisal`.
 
 1. `bundle exec appraisal install`
 2. `bundle exec appraisal rake test`
@@ -107,7 +109,7 @@ We use the `appraisal` gem for testing multiple versions of `Rails`. Please use
 
 Created & Maintained by [Weston Ganger](https://westonganger.com) - [@westonganger](https://github.com/westonganger)
 
-Originally forked from the dead/unmaintained `protected_attributes` gem by the Rails team.
+Originally forked from the dead/unmaintained [`protected_attributes`](https://github.com/rails/protected_attributes) gem by the Rails team.
 
 ## A Simple and Similar strong_params Alternative
 
@@ -116,9 +118,24 @@ While I do utilize this gem in some legacy projects. The latest approach I have
 ```ruby
 ### Model
 class Post < ActiveRecord::Base
+  has_many :comments
+
+  accepts_nested_attributes_for :comments, allow_destroy: true
+  
   def self.strong_params(params)
-    params.permit(:post).permit(:name, :content, :published_at)
+    params.permit(:post).permit(*PERMITTED_ATTRIBUTES)
   end
+  
+  PERMITTED_PARAMETERS = [
+    :id,
+    :name,
+    :content,
+    :published_at,
+    {
+      comments_attributes: Comment::PERMITTED_PARAMETERS,
+    }
+  ].freeze
+  
 end
 
 ### Controller

data/lib/active_record/mass_assignment_security.rb

@@ -7,6 +7,7 @@ require "active_record/mass_assignment_security/nested_attributes"
 require "active_record/mass_assignment_security/persistence"
 require "active_record/mass_assignment_security/reflection"
 require "active_record/mass_assignment_security/relation"
+require "active_record/mass_assignment_security/association_relation"
 require "active_record/mass_assignment_security/validations"
 require "active_record/mass_assignment_security/associations"
 require "active_record/mass_assignment_security/inheritance"

data/lib/active_record/mass_assignment_security/association_relation.rb

@@ -0,0 +1,45 @@
+module ActiveRecord
+  class AssociationRelation
+    undef :new
+    undef :create
+    undef :create!
+
+    def build(attributes = nil, options = {}, &block)
+      block = protected_attributes_scope_block('new', block)
+      scoping { @association.build(attributes, options, &block) }
+    end
+    alias new build
+
+    def create(attributes = nil, options = {}, &block)
+      block = protected_attributes_scope_block('create', block)
+      scoping { @association.create(attributes, options, &block) }
+    end
+
+    def create!(attributes = nil, options = {}, &block)
+      block = protected_attributes_scope_block('create!', block)
+      scoping { @association.create!(attributes, options, &block) }
+    end
+
+    private
+
+    if ActiveRecord.gem_version < Gem::Version.new('6.0')
+
+      def protected_attributes_scope_block(_label, block)
+        block
+      end
+
+    elsif ActiveRecord.gem_version < Gem::Version.new('6.1')
+
+      def protected_attributes_scope_block(label, block)
+        _deprecated_scope_block(label, &block)
+      end
+
+    else
+
+      def protected_attributes_scope_block(_label, block)
+        current_scope_restoring_block(&block)
+      end
+
+    end
+  end
+end

data/lib/active_record/mass_assignment_security/associations.rb

@@ -55,6 +55,18 @@ module ActiveRecord
         end
       end
       private :create_record
+
+      if ActiveRecord.version >= Gem::Version.new("6.0.4") && ActiveRecord.version < Gem::Version.new("6.1")
+        undef :build_record
+
+        def build_record(attributes, options)
+          previous = klass.current_scope(true) if block_given?
+          super
+        ensure
+          klass.current_scope = previous if previous
+        end
+        private :build_record
+      end
     end
 
     class CollectionProxy
@@ -92,7 +104,23 @@ module ActiveRecord
     end
 
     class HasManyThroughAssociation
-      if ActiveRecord.version >= Gem::Version.new('5.2.3')
+      if ActiveRecord.version >= Gem::Version.new('6.1')
+        undef :build_through_record
+        def build_through_record(record)
+          @through_records[record] ||= begin
+            ensure_mutable
+
+            attributes = through_scope_attributes
+            attributes[source_reflection.name] = record
+            attributes[source_reflection.foreign_type] = options[:source_type] if options[:source_type]
+
+            # Pass in `without_protection: true` here because `options_for_through_record`
+            # was removed in https://github.com/rails/rails/pull/35799
+            through_association.build(attributes, without_protection: true)
+          end
+        end
+        private :build_through_record
+      elsif ActiveRecord.version >= Gem::Version.new('5.2.3')
         undef :build_through_record
         def build_through_record(record)
           @through_records[record.object_id] ||= begin

data/lib/active_record/mass_assignment_security/attribute_assignment.rb

@@ -12,9 +12,17 @@ module ActiveRecord
 
         # The primary key and inheritance column can never be set by mass-assignment for security reasons.
         def attributes_protected_by_default
-          default = [ primary_key, inheritance_column ]
-          default << 'id' unless primary_key.eql? 'id'
-          default
+          begin
+            default = [primary_key, inheritance_column]
+
+            if !primary_key.eql?('id')
+              default << 'id'
+            end
+          rescue ActiveRecord::NoDatabaseError
+            default = []
+          end
+
+          return default
         end
       end
 

data/lib/protected_attributes/version.rb

@@ -1,3 +1,3 @@
 module ProtectedAttributes
-  VERSION = "1.6.0".freeze
+  VERSION = "1.8.2".freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: protected_attributes_continued
 version: !ruby/object:Gem::Version
-  version: 1.6.0
+  version: 1.8.2
 platform: ruby
 authors:
 - Weston Ganger
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-10-01 00:00:00.000000000 Z
+date: 2021-07-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activemodel
@@ -66,20 +66,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '5.0'
-- !ruby/object:Gem::Dependency
-  name: sqlite3
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: mocha
   requirement: !ruby/object:Gem::Requirement
@@ -122,6 +108,7 @@ files:
 - lib/active_model/mass_assignment_security/permission_set.rb
 - lib/active_model/mass_assignment_security/sanitizer.rb
 - lib/active_record/mass_assignment_security.rb
+- lib/active_record/mass_assignment_security/association_relation.rb
 - lib/active_record/mass_assignment_security/associations.rb
 - lib/active_record/mass_assignment_security/attribute_assignment.rb
 - lib/active_record/mass_assignment_security/core.rb
@@ -154,7 +141,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: Protect attributes from mass assignment in Active Record models