remembering_strong_parameters 0.0.1

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2012 David Heinemeier Hansson
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,63 @@
+= Strong Parameters
+
+With this plugin Action Controller parameters are forbidden to be used in Active Model mass assignments until they have been whitelisted. This means you'll have to make a conscious choice about which attributes to allow for mass updating and thus prevent accidentally exposing that which shouldn't be exposed.
+
+In addition, parameters can be marked as required and flow through a predefined raise/rescue flow to end up as a 400 Bad Request with no effort.
+
+    class PeopleController < ActionController::Base
+      # This will raise an ActiveModel::ForbiddenAttributes exception because it's using mass assignment
+      # without an explicit permit step.
+      def create
+        Person.create(params[:person])
+      end
+
+      # This will pass with flying colors as long as there's a person key in the parameters, otherwise
+      # it'll raise a ActionController::MissingParameter exception, which will get caught by
+      # ActionController::Base and turned into that 400 Bad Request reply.
+      def update
+        redirect_to current_account.people.find(params[:id]).tap { |person|
+          person.update_attributes!(person_params)
+        }
+      end
+
+      private
+        # Using a private method to encapsulate the permissible parameters is just a good pattern
+        # since you'll be able to reuse the same permit list between create and update. Also, you
+        # can specialize this method with per-user checking of permissible attributes.
+        def person_params
+          params.require(:person).permit(:name, :age)
+        end
+    end
+
+You can also use permit on nested parameters, like:
+
+    params.permit(:name, friends: [ :name, { family: [ :name ] }])
+
+Thanks to Nick Kallen for the permit idea!
+
+You can also used strengthen to set permit and require together:
+
+    params.strengthen(:person => {:name => :require, :age => :permit})
+
+== Installation
+
+In Gemfile:
+
+    gem 'remembering_strong_parameters'
+
+and then run `bundle`. To activate the strong parameters, you need to include this module in
+every model you want protected.
+
+    class Post < ActiveRecord::Base
+      include ActiveModel::ForbiddenAttributesProtection
+    end
+
+If you want to now disable the default whitelisting that occurs in later versions of Rails, change the +config.active_record.whitelist_attributes+ property in your +config/application.rb+:
+
+    config.active_record.whitelist_attributes = false
+
+This will allow you to remove / not have to use +attr_accessible+ and do mass assignment inside your code and tests.
+
+== Compatibility
+
+This plugin is only fully compatible with Rails versions 3.0, 3.1 and 3.2 but not 4.0+, as it is part of Rails Core in 4.0.

data/Rakefile

@@ -0,0 +1,28 @@
+#!/usr/bin/env rake
+begin
+  require 'bundler/setup'
+  require 'bundler/gem_tasks'
+rescue LoadError
+  raise 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'RememberingStrongParameters'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+task :default => :test

data/lib/action_controller/parameters.rb

@@ -0,0 +1,291 @@
+require 'active_support/concern'
+require 'active_support/core_ext/hash/indifferent_access'
+require 'action_controller'
+
+module ActionController
+  class ParameterMissing < IndexError
+    attr_reader :param
+
+    def initialize(param)
+      @param = param
+      super("key not found: #{param}")
+    end
+  end
+
+  class Parameters < ActiveSupport::HashWithIndifferentAccess
+    
+    REQUIRED_FLAGS = [:required, :require]
+    PERMITTED_FLAGS = [:permitted, :permit] + REQUIRED_FLAGS
+    
+    def strengthened?
+      @strengthened
+    end
+    alias :permitted? :strengthened?
+    
+
+    def initialize(attributes = nil)
+      super(attributes)
+    end
+
+    def permit!
+      replace to_check
+      @strengthened = true
+      each_pair do |key, value|
+        convert_hashes_to_parameters(key, value)
+        self[key].permit! if self[key].respond_to? :permit!
+      end
+      
+      self
+    end
+    
+    def strengthen(filter = {})
+      return unless filter.kind_of? Hash
+      
+      filter = filter.with_indifferent_access
+      
+      if keys_all_numbers?
+        strengthen_numbered_hash_as_array(filter)
+      else
+        strengthen_hash(filter)
+      end
+       
+    end
+    
+    def require(key)
+      strengthen(key => REQUIRED_FLAGS.first)
+      to_check[key].presence
+    end
+
+    def permit(*filters)
+      strengthen(hash_from(filters, PERMITTED_FLAGS.first))
+    end
+    
+    def original
+      to_check
+    end
+    
+    def [](key)
+      convert_hashes_to_parameters(key, super)
+    end
+
+    def fetch(key, *args)
+      convert_hashes_to_parameters(key, super)
+    rescue KeyError, IndexError
+      raise ActionController::ParameterMissing.new(key)
+    end
+
+    def slice(*keys)
+      self.class.new(super).tap do |new_instance|
+        copy_instance_variables_to new_instance
+      end
+    end
+
+    def dup
+      self.class.new(self).tap do |duplicate|
+        duplicate.default = default
+        copy_instance_variables_to duplicate
+      end
+    end
+    
+    def check_required(filter)
+      if filter.kind_of? Hash
+        filter.each do |key, value|
+          flag_error_if_abscent(key) if required_flag?(value) or value.kind_of? Hash
+          to_check[key].check_required(value) if value.respond_to? :check_required and to_check.has_key? key
+        end
+      end
+      unless missing_required_fields.empty?
+        raise ActionController::ParameterMissing.new("'#{missing_required_fields.join("', '")}' required by #{filter}")
+      end
+    end 
+
+    protected
+      def convert_value(value)
+        if value.class == Hash
+          self.class.new_from_hash_copying_default(value)
+        elsif value.is_a?(Array)
+          StrongArray.new(value).replace(value.map { |e| convert_value(e) })
+        else
+          value
+        end
+      end
+      
+      def each_element(object)
+        if object.is_a?(Array)
+          object = StrongArray.new(object)
+          object.map { |el| yield el }.compact
+        # fields_for on an array of records uses numeric hash keys
+        elsif object.is_a?(Hash) && object.keys.all? { |k| k =~ /\A-?\d+\z/ }
+          hash = object.class.new
+          object.each { |k,v| hash[k] = yield v }
+          hash
+        else
+          yield object
+        end
+      end
+      
+      def been_checked
+        @been_checked ||= self.class.new
+      end
+
+      def to_check
+        @to_check ||= clone
+      end     
+
+    private
+      def hash_from(array, value)
+        array = [array] unless array.kind_of? Array
+        array.collect! do |a| 
+          if a.kind_of?(Hash)
+            key = a.keys.first
+            [key, hash_from(a[key], value)]
+          else
+            [a, value]
+          end  
+        end
+        Hash[array]
+      end
+      
+      def keys_all_numbers?
+        /^[\-\d]+$/ =~ to_check.keys.join
+      end
+
+      def strengthen_numbered_hash_as_array(filter = {})
+        strong_array = StrongArray.new(to_check.values)
+        Hash[[to_check.keys.collect{|k| k.to_sym}, strong_array.strengthen(filter)].transpose]      
+      end
+
+      def strengthen_hash(filter = {})
+        check_required(filter)
+
+        to_check.each do |key, value|
+          multiparameterless_key = key.gsub(/\(\d+[fi]?\)$/, "")
+
+          if filter[multiparameterless_key]
+            if value.respond_to?(:strengthen)
+              stengthened_value = value.strengthen(filter[multiparameterless_key])
+              been_checked[key] = stengthened_value if stengthened_value
+            else
+              check_key(key) if permitted_flag?(filter[multiparameterless_key])
+            end
+          end
+        end
+
+        @strengthened = true
+
+        replace been_checked
+      end
+      
+      
+      def convert_hashes_to_parameters(key, value)
+        if value.is_a?(Parameters) || !value.is_a?(Hash)
+          value
+        else
+          # Convert to Parameters on first access
+          self[key] = self.class.new(value)
+        end
+      end
+      
+      def missing_required_fields
+        @missing_required_fields ||= []
+      end
+
+      def check_key(key)
+        check_matching_key(key)
+        check_matching_multi_parameter_keys(key)
+      end
+
+      def check_matching_key(key)
+        been_checked[key] = to_check[key] if to_check.has_key?(key)
+      end
+
+      def check_matching_multi_parameter_keys(key)
+        to_check.keys.grep(/\A#{Regexp.escape(key.to_s)}\(\d+[fi]?\)\z/).each { |key| been_checked[key] = to_check[key] }
+      end
+      
+      def copy_instance_variables_to(other_instance)
+        other_instance.instance_variable_set :@to_check, @to_check
+        other_instance.instance_variable_set :@been_checked, @been_checked
+        other_instance.instance_variable_set :@strengthened, @strengthened
+      end
+      
+      def flag_error_if_abscent(key)
+        if !to_check.has_key? key
+          missing_required_fields << key 
+        elsif to_check[key].kind_of? Hash and to_check[key].empty?
+          missing_required_fields << key
+        end
+      end
+
+      def required_flag?(value)
+        value.respond_to? :to_sym and REQUIRED_FLAGS.include?(value.to_sym)
+      end
+      
+      def permitted_flag?(value)
+        value.respond_to? :to_sym and PERMITTED_FLAGS.include?(value.to_sym)
+      end
+      
+  end
+
+  module RememberingStrongParameters
+    extend ActiveSupport::Concern
+
+    included do
+      rescue_from(ActionController::ParameterMissing) do |parameter_missing_exception|
+        render :text => "Required parameter missing: #{parameter_missing_exception.param}", :status => :bad_request
+      end
+    end
+
+    def params
+      @_params ||= Parameters.new(request.parameters)
+    end
+
+    def params=(val)
+      @_params = val.is_a?(Hash) ? Parameters.new(val) : val
+    end
+  end
+  
+  class StrongArray < Array
+    
+    def strengthen(filter = {})
+      original.each do |element|
+        case element
+        when Hash
+          element = ActionController::Parameters.new element
+        when Array
+          element = self.class.new element  
+        end
+        
+        if element.respond_to? :strengthen
+          been_checked << element.strengthen(filter)
+        else
+          been_checked << element if Parameters::PERMITTED_FLAGS.include?(filter)
+        end
+      end
+
+      @strengthened = true
+      been_checked
+    end
+    
+    def been_checked
+      @been_checked ||= self.class.new
+    end
+    
+    def original
+      @original ||= self.clone
+    end
+    
+    def strengthened?
+      @strengthened
+    end
+    alias :permitted? :strengthened?
+    
+    
+    def check_required(filter = {})
+      each{|e| e.check_required(filter) if e.respond_to? :check_required}
+    end
+
+  end
+end
+
+ActionController::Base.send :include, ActionController::RememberingStrongParameters

data/lib/active_model/forbidden_attributes_protection.rb

@@ -0,0 +1,17 @@
+module ActiveModel
+  class ForbiddenAttributes < StandardError
+  end
+
+  module ForbiddenAttributesProtection
+    def sanitize_for_mass_assignment(*options)
+      new_attributes = options.first
+      if !new_attributes.respond_to?(:strengthened?) || new_attributes.strengthened?
+        super
+      else
+        raise ActiveModel::ForbiddenAttributes
+      end
+    end
+  end
+end
+
+ActiveModel.autoload :ForbiddenAttributesProtection

data/lib/remembering_strong_parameters/version.rb

@@ -0,0 +1,3 @@
+module RememberingStrongParameters
+  VERSION = "0.0.1"
+end

data/lib/remembering_strong_parameters.rb

@@ -0,0 +1,2 @@
+require 'action_controller/parameters'
+require 'active_model/forbidden_attributes_protection'

data/test/action_controller_required_params_test.rb

@@ -0,0 +1,52 @@
+require 'test_helper'
+
+class BooksController < ActionController::Base
+  def create
+    params.require(:book).require(:name)
+    head :ok
+  end
+  
+  def create_with_chained_require
+    params.strengthen(:hat => :require).strengthen(:book => {:name => :require})
+    head :ok
+  end
+end
+
+class ActionControllerRequiredParamsTest < ActionController::TestCase
+  tests BooksController
+
+  test "missing required parameters will raise exception" do
+    post :create, { :magazine => { :name => "Mjallo!" } }
+    assert_response :bad_request
+  end
+  
+  test "missing second lavel required parameters will raise exception" do
+    post :create, { :book => { :title => "Mjallo!" } }
+    assert_response :bad_request
+  end
+  
+  test "missing required parameters will raise exception when require chained" do
+    post :create_with_chained_require, { :magazine => { :name => "Mjallo!" }, :hat => 'bowler' }
+    assert_response :bad_request
+
+    post :create_with_chained_require, { :book => { :title => "Mjallo!" }, :hat => 'bowler' }
+    assert_response :bad_request
+    
+    post :create_with_chained_require, { :book => { :name => "Mjallo!" } }
+    assert_response :bad_request
+  end
+
+  test "required parameters that are present will not raise" do
+    post :create, { :book => { :name => "Mjallo!" } }
+    assert_response :ok
+    
+    post :create_with_chained_require, { :book => { :name => "Mjallo!" }, :hat => 'bowler' }
+    assert_response :ok
+  end
+
+  test "missing parameters will be mentioned in the return" do
+    post :create, { :magazine => { :name => "Mjallo!" } }
+    assert_match "Required parameter missing: 'book'", response.body
+  end
+  
+end