RubyGems - rest_rails - Versions diffs - 0.8.0 → 0.9.0 - Mend

rest_rails 0.8.0 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml +4 -4
data/README.md +42 -15
data/app/controllers/rest_rails/data_controller.rb +10 -16
data/app/helpers/rest_rails/application_helper.rb +15 -2
data/lib/generators/rest_rails/templates/rest_rails.rb +12 -0
data/lib/rest_rails/version.rb +1 -1
data/lib/rest_rails.rb +1 -0
metadata +1 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b126ebf0d0ee509d040b57b6ff35dd7bb3ab837c09e499159f369a8d56df21ee
-  data.tar.gz: 91cbf7f438cfa373ba2c9d61f2d1f44f8e3eda84da4244dae1da01e384d898e7
+  metadata.gz: 652e20dd610f1f6647f5d4dadac3d16a6d782bc0dc9765993d8bd064eb571e4e
+  data.tar.gz: 4fcfb8bef731b3e1067f033d1d62eee2f31478e7f737673cc1100d222f491a69
 SHA512:
-  metadata.gz: e6ca726a3603a6ed9ce3ceec63379e266a64c993677c063c9c693940e95d08105b311a9becfdc4380f12ad411e29088f1d7b58462afa0bc3810be8b29ae99483
-  data.tar.gz: dc96c4175867bfc18c1fe059421e0613ee3ab0145ba7910953e62fe5d0ce8595096928ee869d448473ee70487f76679564298c45248b0d0ca1697bf9df09aa9c
+  metadata.gz: 8427c35cfdf814c694802321f3d4b8f808f38ba8cd1b92957cc70102d1c4b56331237688213d2348fbed2c712667162091b28a558e17fee28f103b02efeeb6e9
+  data.tar.gz: 2740b7604869ed36bf0fc594e385412b33c5bb4e3b4517cd69daba52f6fb40dc4fa63acc27409dd2b4f5fa30034978abb774fdaa922087aa01f8aa4c85112dfb

data/README.md CHANGED Viewed

@@ -3,10 +3,33 @@ Rails Plugin for quick intelligent API Creation by Tuitu Technology Solutions
 ## How To Start
+### Step 1: Basic Setup
 1. Add To Gemfile: `gem 'rest_rails'`
 2. Bundle Install: `bundle install`
 3. Install RestRails:  `rails g rest_rails:install`
-4. Modify initializer and/or mounted route.
+### Step 2: Change Mounted Path (optional)
+1. Make sure the line `mount RestRails::Engine => '/api/v1', as: 'rest'` is at the *bottom* of your routes. (This will prevent RestRails from taking over any custom API routing you might do)
+2. Change '/api/v1' to whatever naming structure you would like to prepend REST API routes.
+### Step 3: Whitelist Permitted Columns (optional)
+1. For better security, it is strongly recommended to setup the initializer to whitelist your columns.
+Here is an example on how to whitelist columns for a sample database w/ three tables:  articles, comments, users.
+In this example, we only want the API to allow REST API endpoints for articles and comments, but not users.
+*Note: table_names are keys. Acceptable values include: (:all, :none, or an Array of column_names)*
+```
+RestRails.configure do |config|
+  # ...
+  config.permit = {
+    articles: :all,
+    users: :none,
+    comments: [:content]
+  }
+end
+```
 ## The Basics
@@ -52,9 +75,9 @@ destroy      | DELETE | `/api/v1/comments/:id`                       | destroy a
 fetch_column | GET    | `/api/v1/comments/:id/article_id`            | fetch article_id of comment
 fetch_column | GET    | `/api/v1/comments/:id/content`               | fetch content of comment
-# HOW TO USE THE REST API
+# Using the REST API
-## INDEX:  GET '/table_name'
+## Index
 GET '/articles' will return a JSON response as follows:
 ```
 {
@@ -110,7 +133,7 @@ article\[description\]\[\] | *Array*   | article\[description\]\[\]=SomeDescript
 article[content]           | *String*  | article[content]=Some+Content | Will match articles with contents same as the value.
 article\[content\]\[\]     | *Array*   | article\[content\]\[\]=SomeContent&article\[content\]\[\]=SomeOtherContent | Will match articles with content of 'SomeContent' OR 'SomeOtherContent'
-## SHOW:  GET '/table_name/:id'
+## Show
 GET '/articles/1' will return a JSON response as follows:
 ```
 {
@@ -139,7 +162,7 @@ GET '/articles/1' will return a JSON response as follows:
 }
 ```
-## CREATE:  POST '/table_name'
+## Create
 The create paths enforce Rails **strong params**. So only properly structured requests will be allowed.
 POST '/articles' can accept a payload in the following structure:
@@ -185,7 +208,7 @@ If successful (and passes your ActiveRecord validations), the response will be a
   }
 ```
-## UPDATE:  PATCH '/table_name/:id'
+## Update
 The update paths enforce Rails **strong params**. So only properly structured requests will be allowed.
 PATCH '/articles/1' can accept a payload in the following structure (with one or more columns to be updated):
@@ -230,7 +253,7 @@ If successful (and passes your ActiveRecord validations), the response will be a
   }
 ```
-## DESTROY:  DELETE '/table_name'
+## Destroy
 DELETE '/articles/1' only needs the ID number.
@@ -245,7 +268,7 @@ If successful (and passes your ActiveRecord validations), the response will be a
 **Note:**  If you are using activestorage, the destroy process will also automatically destroy attachments from your bucket.
-## FETCH_COLUMN:  GET '/table_name/:id/:column_name'
+## Fetch Column
 GET '/articles/1/title'
@@ -290,19 +313,21 @@ And for has_many_attached:
 }
 ```
-# ACTIVESTORAGE ATTACHMENTS
+# Activestorage Attachments
 For activestorage attachment support, the following two routes are added to models using activestorage:
 `/table_name/:id/attach/:attachment_name` and `/table_name/:id/unattach/:attachment_id`
-## ATTACH:  POST '/table_name/:id/attach/:attachment_name'
+## Attach
 The routes generated for the rest API are based on the naming provided in your ActiveRecord model when using activestorage.
 - Supports both has_one_attached & has_many_attached.
-In the articles example above, this would be: "/api/v1/articles/attach/feature_image"
+In the articles example above, this would be:
+POST  "/api/v1/articles/attach/feature_image"
 The payload structure in this case needs only to be:
 ```
@@ -320,7 +345,9 @@ If successful, the response will be as follows:
 }
 ```
-## UNATTACH:  DELETE '/table_name/:id/unattach/:attachment_id'
+## Unattach
+DELETE '/table_name/:id/unattach/:attachment_id'
 *\* Note, Response will fail if the attachment_id provided does not belong to the object.*
@@ -334,10 +361,10 @@ If successful, the response will be as follows:
 ```
 ## Contribution
 Here are some features in need of development.
-- Add way to "protect columns" (i.e. exclude columns from permitted params for model's update/create API points).
 - Support different popular attachment gems.
 - Add Locale fetching based on page-routes.
+- Add standarized testing rspecs.
+- Add support for switching activestorage sources
+- Add support to allow user to provide any before_actions wanted.

data/app/controllers/rest_rails/data_controller.rb CHANGED Viewed

@@ -3,7 +3,8 @@ module RestRails
   class DataController < ::ApplicationController
     include ApplicationHelper
     skip_before_action :verify_authenticity_token
-    before_action :set_model, only: [:index, :show, :create, :update, :destroy, :fetch_column, :attach, :unattach]
+    before_action :verify_table_permissions!, only: [:create, :update, :destroy, :attach, :unattach]
+    before_action :set_model
     before_action :set_object, only: [:show, :update, :destroy, :fetch_column, :attach, :unattach]
     def index
@@ -36,7 +37,7 @@ module RestRails
     end
     def create
-      @object = @empty_obj(model_params)
+      @object = @model.new(model_params)
       attach_files
       if @object.save
@@ -99,6 +100,7 @@ module RestRails
       # Take the tablename, and make the Model of the relative table_name
       @model = model_for(params[:table_name])
       @empty_obj = @model.new
+      p @empty_obj
     end
     def set_object
@@ -112,8 +114,6 @@ module RestRails
       return {} if params[mn].blank?
       # MAKE LIST OF THINGS TO PERMIT:
       arr = @model.attribute_names.map(&:to_sym)
-      arr.delete(:created_at)
-      arr.delete(:updated_at)
       # allow arrays for all columns for flexible where queries
       arr += arr.map do |attr|
@@ -159,25 +159,19 @@ module RestRails
     end
     def permitted_columns
-      @columns = @model.attribute_names.map(&:to_sym)
+      p @empty_obj
+      @columns = columns_for(@empty_obj)
       @columns.delete(:id)
       @columns.delete(:created_at)
       @columns.delete(:updated_at)
-      @columns.map! do |attr|
-        new_val = permit_array?(attr) ? {attr=>[]} : attr
-        new_val
-      end
-      permitted_attachments if RestRails.active_storage_attachments
-    end
-    def permitted_attachments
-      file_set = attachments_for(@empty_obj)
-      file_set += file_set.select{|x| permit_array?(x)}.map do |attr|
+      @columns += @columns.select{|x| permit_array?(x)}.map do |attr|
         {attr=>[]}
       end
+    end
-      @columns = @columns + file_set
+    def verify_table_permissions!
+      verify_permitted!(params[:table_name].to_sym)
     end
   end
 end

data/app/helpers/rest_rails/application_helper.rb CHANGED Viewed

@@ -58,8 +58,13 @@ module RestRails
     end
     def columns_for(ar_object)
-      cols = ar_object.class.attribute_names.map(&:to_sym)
-      cols += attachments_for(ar_object)
+      table = ar_object.class.table_name.to_sym
+      cols  = ar_object.class.column_names.map(&:to_sym)
+      cols += attachments_for(ar_object) if RestRails.active_storage_attachments
+      return cols if RestRails.permit == :all || RestRails.permit[table] == :all
+      cols.select{|x| RestRails.permit[table].include?(x) }
     end
     # ==========================================================================
@@ -76,5 +81,13 @@ module RestRails
       # Take the tablename, and make the Model of the relative table_name
       table_name.classify.constantize # "users" => User
     end
+    def verify_permitted!(table)
+      if [:none, nil].include?(RestRails.permit[table])
+        raise RestRails::Error.new "NOT PERMITTED. Must add table to whitelisted params."
+      elsif !RestRails.permit.is_a?(Hash) && (RestRails.permit != :all)
+        raise RestRails::Error.new "RestRails initializer permit is not valid!"
+      end
+    end
   end
 end

data/lib/generators/rest_rails/templates/rest_rails.rb CHANGED Viewed

@@ -4,6 +4,18 @@ RestRails.configure do |config|
   # set debug to true if you want to see loud errors in the server logs.
   config.debug = false
+  # ===============================================================
+  #                       IMPORTANT!
+  #    Setup whitelist permissions for what db columns can be
+  #      modified by the REST API
+  # ===============================================================
+  # config.permit = {
+  #  users: :none,
+  #  table_name: :all,
+  #  other_table: [:col1, :col2, :col3]
+  # }
+  # ===============================================================
   # if you are using devise or another authentication system and want to
   # enforce the before_action `authenticate_user!`
   #

data/lib/rest_rails/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module RestRails
-  VERSION = '0.8.0'
+  VERSION = '0.9.0'
 end

data/lib/rest_rails.rb CHANGED Viewed

@@ -3,6 +3,7 @@ require "rest_rails/error"
 module RestRails
   mattr_accessor :debug, default: false
+  mattr_accessor :permit, default: :all
   mattr_accessor :authenticatable, default: false
   mattr_accessor :active_storage_attachments, default: true
   mattr_accessor :production_domain, default: nil

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rest_rails
 version: !ruby/object:Gem::Version
-  version: 0.8.0
+  version: 0.9.0
 platform: ruby
 authors:
 - Sergio Rivas