restful_json 3.0.0

data/README.md

@@ -0,0 +1,299 @@
+restful_json
+=====
+
+Develop declarative, featureful JSON RESTful-ish service controllers to use with modern Javascript MVC frameworks like AngularJS, Ember, etc. with much less code.
+
+Should work with Rails 3.1+ and Rails 4. Feel free to submit issues and/or do a pull requests if you run into anything.
+
+Uses Adam Hawkin's [permitter][permitter] code which uses [strong_parameters][strong_parameters] and encourages use of [active_model_serializers][active_model_serializers].
+
+### Installation
+
+In your Rails app's `Gemfile`, add:
+
+    gem 'restful_json'
+
+and:
+
+    bundle install
+
+You need to setup [cancan][cancan]. Here are the basics:
+
+In your `app/controllers/application_controller.rb` or in your service controllers, make sure `current_user` is set:
+
+    class ApplicationController < ActionController::Base
+      protect_from_forgery
+
+      def current_user
+        User.new
+      end
+    end
+
+You could do that better by setting up some real authentication with [Authlogic][authlogic], [Devise][devise], or whatever cancan will support.
+
+In `app/models/ability.rb`, setup a basic cancan ability. Just for testing we'll allow everything:
+
+    class Ability
+      include CanCan::Ability
+
+      def initialize(user)
+        can :manage, :all
+      end
+    end
+
+### Responders
+
+If you plan to use responders outside of json with restful_json, you may want to formally install it, for flash messages, etc.:
+
+    gem install responders
+
+Add this to your Gemfile and bundle install:
+
+    gem 'responders'
+
+And do:
+
+    rails generate responders:install
+
+### Strong Parameters
+
+If you want to now disable the default whitelisting that occurs in later versions of Rails, change the config.active_record.whitelist_attributes property in your `config/application.rb`:
+
+    config.active_record.whitelist_attributes = false
+
+This will allow you to remove / not have to use attr_accessible and do mass assignment inside your code and tests. Instead you will put this information into your permitters.
+
+Note that restful_json automatically includes `ActiveModel::ForbiddenAttributesProtection` on all models as will be done in Rails 4.
+
+### Configuration
+
+At the bottom of `config/environment.rb`, you can set config items one at a time like:
+
+    RestfulJson.debug = true
+
+or in bulk like:
+
+    RestfulJson.configure do
+      self.can_filter_by_default_using = [:eq] # default for :using in can_filter_by
+      self.debug = false # to output debugging info during request handling
+      self.filter_split = ',' # delimiter for values in request parameter values
+      self.formats = :json, :html # equivalent to specifying respond_to :json, :html in the controller, and can be overriden in the controller. Note that by default responders gem sets respond_to :html in application_controller.rb.
+      self.number_of_records_in_a_page = 15 # default number of records to return if using the page request function
+      self.predicate_prefix = '!' # delimiter for ARel predicate in the request parameter name
+      self.return_resource = false # if true, will render resource and HTTP 201 for post/create or resource and HTTP 200 for put/update
+    end
+
+#### Advanced Configuration
+
+In the controller, you can set a variety of class attributes with `self.something = ...` in the body of your controller to set model class, variable names, messages, etc. Take a look at the class_attribute definitions in `lib/restful_json/controller.rb`.
+
+### Usage
+
+By using `acts_as_restful_json` you have a configurable generic Rails 3.1+ controller that does the index, show, create, and update and other custom actions easily for you.
+
+Everything is well-declared and concise:
+
+    class FoobarsController < ApplicationController  
+      acts_as_restful_json
+      query_for :index, is: ->(t,q) {q.joins(:apples, :pears).where(apples: {color: 'green'}).where(pears: {color: 'green'})}
+      # args sent to can_filter_by are the request parameter name(s)
+      can_filter_by :foo_id # implies using: [:eq] because RestfulJson.can_filter_by_default_using = [:eq]
+      can_filter_by :foo_date, :bar_date, using: [:lt, :eq, :gt], with_default: Time.now # can specify multiple predicates and optionally a default value
+      can_filter_by :a_request_param_name, with_query: ->(t,q,param_value) {q.joins(:some_assoc).where(:some_assocs_table_name=>{some_attr: param_value})}
+      can_filter_by :and_another, through: [:some_attribute_on_this_model]
+      can_filter_by :one_more, through: [:some_association, :some_attribute_on_some_association_model]
+      can_filter_by :and_one_more, through: [:my_assoc, :my_assocs_assoc, :my_assocs_assocs_assoc, :an_attribute_on_my_assocs_assocs_assoc]
+      supports_functions :count, :uniq, :take, :skip, :page, :page_count
+      order_by {:foo_date => :asc}, :foo_color, {:bar_date => :desc} # an ordered array of hashes, assumes :asc if not a hash
+      respond_to :json, :html # specify if you want more than :json. It dynamically sets model variables with the right names, e.g. @foobar and @foobars.
+    end
+
+`can_filter_by` without an option means you can send in that request param (via routing or directly, just like normal in Rails) and it will use that in the ARel query (safe from SQL injection and only letting you do what you tell it). `:using` means you can use those [ARel][arel] predicates for filtering. For a full list of available ones do:
+
+    rails c
+    Arel::Predications.public_instance_methods.sort
+
+at time of writing these were:
+
+    [:does_not_match, :does_not_match_all, :does_not_match_any, :eq, :eq_all, :eq_any, :gt, :gt_all, :gt_any, :gteq, :gteq_all, :gteq_any, :in, :in_all, :in_any, :lt, :lt_all, :lt_any, :lteq, :lteq_all, :lteq_any, :matches, :matches_all, :matches_any, :not_eq, :not_eq_all, :not_eq_any, :not_in, :not_in_all, :not_in_any]
+
+`supports_functions` lets you do other [ARel][arel] functions. `:uniq`, `:skip`, `:take`, and `:count`.
+
+`can_filter_by` can also specify a `:with_query` to provide a lambda that takes the request parameter in when it is provided by the request.
+
+And `can_filter_by` can also specify a `:through` to provide an easy way to inner join through a bunch models (using ActiveRecord relations) by specifying 0-to-many association names to go "through" to the final argument which is the attribute name on the last model, e.g. the two following are equivalent:
+
+    can_filter_by :a_request_param_name, with_query: ->(t,q,param_value) {q.joins(:some_assoc).where(:some_assocs_table_name=>{some_attr: param_value})}
+    can_filter_by :a_request_param_name, through: [:some_assoc, :some_attr] # much easier, but not as flexible as a lambda
+
+#### Default Filter by Attribute(s)
+
+First, declare in the controller:
+
+    can_filter_by :foo_id
+
+If `RestfulJson.can_filter_by_default_using = [:eq]` as it is by default, then you can now get Foobars with a foo_id of '1':
+
+    http://localhost:3000/foobars?foo_id=1
+
+#### Other Filters by Attribute(s)
+
+First, declare in the controller:
+
+    can_filter_by :seen_on, using: [:gteq, :eq_any]
+
+Get Foobars with seen_on of 2012-08-08 or later using the [ARel][arel] gteq predicate splitting the request param on `predicate_prefix` (configurable), you'd use:
+
+    http://localhost:3000/foobars?seen_on!gteq=2012-08-08
+
+Multiple values are separated by `filter_split` (configurable):
+
+    http://localhost:3000/foobars?seen_on!eq_any=2012-08-08,2012-09-09
+
+#### Unique (DISTINCT)
+
+First, declare in the controller:
+
+    supports_functions :uniq
+
+To return a simple unique view of a model, combine use of an active_model_serializer that returns just the attribute you want along with the uniq param, e.g. to return unique/distinct colors of foobars you'd have a serializer to just return the color and then use:
+
+    http://localhost:3000/foobars?uniq=
+
+#### Count
+
+First, declare in the controller:
+
+    supports_functions :count
+
+This is another filter that can be used with the others, but instead of returning the json objects, it returns their count, which is useful for paging to determine how many results you can page through:
+
+    http://localhost:3000/foobars?count=
+
+#### Paging
+
+In controller make sure these are included:
+
+    supports_functions :page, :page_count
+
+To get the first page of results:
+
+    http://localhost:3000/foobars?page=1
+
+To get the second page of results:
+
+    http://localhost:3000/foobars?page=2
+
+To get the total number of pages of results:
+
+    http://localhost:3000/foobars?page_count=
+
+To set page size at application level:
+
+    RestfulJson.number_of_records_in_a_page = 15
+
+To set page size at controller level:
+
+    self.number_of_records_in_a_page = 15
+
+For a better idea of how this works on the backend, look at [ARel][arel]'s skip and take, or see Variable Paging.
+
+##### Skip and Take (OFFSET and LIMIT)
+
+In controller make sure these are included:
+
+    supports_functions :skip, :take
+
+To skip rows returned, use 'skip'. It is called take, because skip is the [ARel][arel] equivalent of SQL OFFSET:
+
+    http://localhost:3000/foobars?skip=5
+
+To limit the number of rows returned, use 'take'. It is called take, because take is the [ARel][arel] equivalent of SQL LIMIT:
+
+    http://localhost:3000/foobars.json?take=5
+
+##### Variable Paging
+
+Combine skip and take for manual completely customized paging.
+
+Get the first page of 15 results:
+
+    http://localhost:3000/foobars?take=15
+
+Second page of 15 results:
+
+    http://localhost:3000/foobars?skip=15&take=15
+
+Third page of 15 results:
+
+    http://localhost:3000/foobars?skip=30&take=15
+
+First page of 30 results:
+
+    http://localhost:3000/foobars?take=30
+
+Second page of 30 results:
+
+    http://localhost:3000/foobars?skip=30&take=30
+
+Third page of 30 results:
+
+    http://localhost:3000/foobars?skip=60&take=30
+
+##### Custom Queries
+
+To filter the list where the status_code attribute is 'green':
+
+    # t is self.model_class.arel_table and q is self.model_class.scoped
+    query_for :index, is: lambda {|t,q| q.where(:status_code => 'green')}
+
+or use the `->` Ruby 1.9 lambda stab operator. You can also filter out items that have associations that don't have a certain attribute value (or anything else you can think up with [ARel][arel]/[ActiveRecord relations][ar]). To filter the list where the object's apples and pears associations are green:
+
+    # t is self.model_class.arel_table and q is self.model_class.scoped
+    # note: must be no space between -> and parenthesis
+    query_for :index, is: ->(t,q) {
+      q.joins(:apples, :pears)
+      .where(apples: {color: 'green'})
+      .where(pears: {color: 'green'})
+    }
+
+##### Custom Actions
+
+`query_for` also will `alias_method (some action), :index` anything other than `:index`, so you can easily create custom non-RESTful action methods:
+
+    # t is self.model_class.arel_table and q is self.model_class.scoped
+    # note: must be no space between -> and parenthesis in lambda syntax!
+    query_for :some_action, is: ->(t,q) {q.where(:status_code => 'green')}
+
+Note that it is a proc so you can really do whatever you want with it and will have access to other things in the environment or can call another method, etc.
+
+### Routing
+
+Respects regular and nested Rails resourceful routing and controller namespacing, e.g. in `config/routes.rb`:
+
+    MyAwesomeApp::Application.routes.draw do
+      namespace :my_service_controller_module do
+        resources :foobars
+        # why use nested if you only want to provide ways of querying via path
+        match 'bars/:bar_id/foobars(.:format)' => 'foobars#index'
+      end
+    end
+
+### Contributors
+
+* Gary Weaver (https://github.com/garysweaver)
+* Tommy Odom (https://github.com/tpodom)
+
+### License
+
+Copyright (c) 2012 Gary S. Weaver, released under the [MIT license][lic].
+
+[permitter]: http://broadcastingadam.com/2012/07/parameter_authorization_in_rails_apis/
+[cancan]: https://github.com/ryanb/cancan
+[strong_parameters]: https://github.com/rails/strong_parameters
+[active_model_serializers]: https://github.com/josevalim/active_model_serializers
+[authlogic]: https://github.com/binarylogic/authlogic
+[devise]: https://github.com/plataformatec/devise
+[arel]: https://github.com/rails/arel
+[ar]: http://api.rubyonrails.org/classes/ActiveRecord/Relation.html
+[lic]: http://github.com/rubyservices/restful_json/blob/master/LICENSE

data/Rakefile

@@ -0,0 +1,3 @@
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new('spec')
+task :default => :spec

data/lib/application_permitter.rb

@@ -0,0 +1,93 @@
+# from Adam Hawkins's gist:
+# https://gist.github.com/3150306
+# http://www.broadcastingadam.com/2012/07/parameter_authorization_in_rails_apis/
+class ApplicationPermitter
+  class PermittedAttribute < Struct.new(:name, :options) ; end
+
+  delegate :authorize!, :to => :ability
+  class_attribute :permitted_attributes
+  self.permitted_attributes = []
+
+  class << self
+    def permit(*args)
+      options = args.extract_options!
+
+      args.each do |name|
+        self.permitted_attributes += [PermittedAttribute.new(name, options)]
+      end
+    end
+
+    def scope(name)
+      with_options :scope => name do |nested|
+        yield nested
+      end
+    end
+  end
+
+  def initialize(params, user, ability = nil)
+    @params, @user, @ability = params, user, ability
+  end
+
+  def permitted_params
+    authorize_params!
+    filtered_params
+  end
+
+  def resource_name
+    self.class.to_s.match(/(.+)Permitter/)[1].underscore.to_sym
+  end
+
+
+private
+
+  def authorize_params!
+    needing_authorization = permitted_attributes.select { |a| a.options[:authorize] }
+
+    needing_authorization.each do |attribute|
+      if attribute.options[:scope]
+        values = Array.wrap(filtered_params[attribute.options[:scope]]).collect do |hash|
+          hash[attribute.name]
+        end.compact
+      else
+        values = Array.wrap filtered_params[attribute.name]
+      end
+
+      klass = (attribute.options[:as].try(:to_s) || attribute.name.to_s.split(/(.+)_ids?/)[1]).classify.constantize
+
+      values.each do |record_id|
+        record = klass.find record_id
+        permission = attribute.options[:authorize].to_sym || :read
+        authorize! permission, record
+      end
+    end
+  end
+
+  def filtered_params
+    scopes = {}
+    unscoped_attributes = []
+
+    permitted_attributes.each do |attribute|
+      if attribute.options[:scope]
+        key = attribute.options[:scope]
+        scopes[key] ||= []
+        scopes[key] << attribute.name
+      else
+        unscoped_attributes << attribute.name
+      end
+    end
+
+    @filtered_params ||= params.require(resource_name).permit(*unscoped_attributes, scopes)
+  end
+
+  def params
+    @params
+  end
+
+  def user
+    @user
+  end
+
+  def ability
+    @ability ||= Ability.new user
+  end
+end

data/lib/restful_json/config.rb

@@ -0,0 +1,27 @@
+module RestfulJson
+  CONTROLLER_OPTIONS = [
+    :can_filter_by_default_using, 
+    :debug,
+    :filter_split,
+    :formats,
+    :number_of_records_in_a_page,
+    :predicate_prefix,
+    :return_resource
+  ]
+  
+  class << self
+    CONTROLLER_OPTIONS.each{|o|attr_accessor o}
+    alias_method :debug?, :debug
+    def configure(&blk); class_eval(&blk); end
+  end
+end
+
+RestfulJson.configure do
+  self.can_filter_by_default_using = [:eq]
+  self.debug = false
+  self.filter_split = ','
+  self.formats = :json, :html
+  self.number_of_records_in_a_page = 15
+  self.predicate_prefix = '!'
+  self.return_resource = false
+end

data/lib/restful_json/controller.rb

@@ -0,0 +1,346 @@
+require 'restful_json/config'
+require 'twinturbo/controller'
+require 'active_model_serializers'
+require 'strong_parameters'
+require 'cancan'
+
+module RestfulJson
+  module Controller
+    extend ActiveSupport::Concern
+
+    module ClassMethods
+      def acts_as_restful_json(options = {})
+        include ::ActionController::Serialization
+        include ::ActionController::StrongParameters
+        include ::CanCan::ControllerAdditions
+        include ::TwinTurbo::Controller
+        include ActsAsRestfulJson
+      end
+    end
+    
+    module ActsAsRestfulJson
+      extend ActiveSupport::Concern
+
+      NILS = ['NULL','null','nil']
+
+      included do
+        # this can be overriden in the controller via defining respond_to
+        formats = RestfulJson.formats || Mime::EXTENSION_LOOKUP.keys.collect{|m|m.to_sym}
+        respond_to *formats
+
+        # create class attributes for each controller option and set the value to the value in the app configuration
+        class_attribute :model_class, instance_writer: true
+        class_attribute :model_singular_name, instance_writer: true
+        class_attribute :model_plural_name, instance_writer: true
+        class_attribute :param_to_attr_and_arel_predicate, instance_writer: true
+        class_attribute :supported_functions, instance_writer: true
+        class_attribute :ordered_by, instance_writer: true
+        class_attribute :action_to_query, instance_writer: true
+        class_attribute :param_to_query, instance_writer: true
+        class_attribute :param_to_through, instance_writer: true
+
+        # use values from config
+        # debug uses RestfulJson.debug? because until this is done no local debug class attribute exists to check
+        RestfulJson::CONTROLLER_OPTIONS.each do |key|
+          class_attribute key, instance_writer: true
+          self.send("#{key}=".to_sym, RestfulJson.send(key))
+        end
+
+        self.param_to_attr_and_arel_predicate ||= {}
+        self.supported_functions ||= []
+        self.ordered_by ||= []
+        self.action_to_query ||= {}
+        self.param_to_query ||= {}
+        self.param_to_through ||= {}
+      end
+
+      module ClassMethods
+        # A whitelist of filters and definition of filter options related to request parameters.
+        #
+        # If no options are provided or the :using option is provided, defines attributes that are queryable through the operation(s) already defined in can_filter_by_default_using, or can specify attributes:
+        #   can_filter_by :attr_name_1, :attr_name_2 # implied using: [eq] if RestfulJson.can_filter_by_default_using = [:eq] 
+        #   can_filter_by :attr_name_1, :attr_name_2, using: [:eq, :not_eq]
+        #
+        # When :with_query is specified, it will call a supplied lambda. e.g. t is self.model_class.arel_table, q is self.model_class.scoped, and p is params[:my_param_name]:
+        #   can_filter_by :my_param_name, with_query: ->(t,q,p) {...}
+        #
+        # When :through is specified, it will take the array supplied to through as 0 to many model names following by an attribute name. It will follow through
+        # each association until it gets to the attribute to filter by that via ARel joins, e.g. if the model Foobar has an association to :foo, and on the Foo model there is an assocation
+        # to :bar, and you want to filter by bar.name (foobar.foo.bar.name):
+        #  can_filter_by :my_param_name, through: [:foo, :bar, :name]
+        def can_filter_by(*args)
+          options = args.extract_options!
+
+          # :using is the default action if no options are present
+          if options[:using] || options.size == 0
+            predicates = Array.wrap(options[:using] || self.can_filter_by_default_using)
+            predicates.each do |predicate|
+              predicate_sym = predicate.to_sym
+              args.each do |attr|
+                attr_sym = attr.to_sym
+                self.param_to_attr_and_arel_predicate[attr_sym] = [attr_sym, :eq, options] if predicate_sym == :eq
+                self.param_to_attr_and_arel_predicate["#{attr}#{self.predicate_prefix}#{predicate}".to_sym] = [attr_sym, predicate_sym, options]
+              end
+            end
+          end
+
+          if options[:with_query]
+            args.each do |with_query_key|
+              self.param_to_query[with_query_key.to_sym] = options[:with_query]
+            end
+          end
+
+          if options[:through]
+            args.each do |through_key|
+              self.param_to_through[through_key.to_sym] = options[:through]
+            end
+          end
+        end
+
+        # Can specify additional functions in the index, e.g.
+        #   supports_functions :skip, :uniq, :take, :count
+        def supports_functions(*args)
+          options = args.extract_options! # overkill, sorry
+          self.supported_functions += args
+        end
+        
+        # Specify a custom query. If action specified does not have a method, it will alias_method index to create a new action method with that query.
+        #
+        # t is self.model_class.arel_table and q is self.model_class.scoped, e.g.
+        #   query_for :index, is: -> {|t,q| q.where(:status_code => 'green')}
+        def query_for(*args)
+          options = args.extract_options!
+          # TODO: support custom actions to be automaticaly defined
+          args.each do |an_action|
+            if options[:is]
+              self.action_to_query[an_action.to_s] = options[:is]
+            else
+              raise "#{self.class.name} must supply an :is option with query_for #{an_action.inspect}"
+            end
+            unless an_action.to_sym == :index
+              alias_method an_action.to_sym, :index
+            end
+          end
+        end
+
+        # Takes an string, symbol, array, hash to indicate order. If not a hash, assumes is ascending. Is cumulative and order defines order of sorting, e.g:
+        #   #would order by foo_color attribute ascending
+        #   order_by :foo_color
+        # or
+        #   order_by {:foo_date => :asc}, :foo_color, 'foo_name', {:bar_date => :desc}
+        def order_by(args)
+          if args.is_a?(Array)
+            self.ordered_by += args
+          elsif args.is_a?(Hash)
+            self.ordered_by.merge!(args)
+          else
+            raise ArgumentError.new("order_by takes a hash or array of hashes")
+          end
+        end
+      end
+
+      def initialize
+        super
+
+        # if not set, use controller classname
+        qualified_controller_name = self.class.name.chomp('Controller')
+        @model_class = self.model_class || qualified_controller_name.split('::').last.singularize.constantize
+
+        raise "#{self.class.name} failed to initialize. self.model_class was nil in #{self} which shouldn't happen!" if @model_class.nil?
+        raise "#{self.class.name} assumes that #{self.model_class} extends ActiveRecord::Base, but it didn't. Please fix, or remove this constraint." unless @model_class.ancestors.include?(ActiveRecord::Base)
+
+        @model_singular_name = self.model_singular_name || self.model_class.name.underscore
+        @model_plural_name = self.model_plural_name || @model_singular_name.pluralize
+        @model_at_plural_name_sym = "@#{@model_plural_name}".to_sym
+        @model_at_singular_name_sym = "@#{@model_singular_name}".to_sym
+        underscored_modules_and_underscored_plural_model_name = qualified_controller_name.gsub('::','_').underscore
+
+        # This workaround for models that are in a different module than the model only works if the controller's base part of the unqualified name in the plural model name.
+        # If the model name is different than the controller name, you will need to define methods to return the right urls.
+        class_eval "def #{@model_plural_name}_url;#{underscored_modules_and_underscored_plural_model_name}_url;end;def #{@model_singular_name}_url(record);#{underscored_modules_and_underscored_plural_model_name.singularize}_url(record);end"        
+      end
+
+      def convert_request_param_value_for_filtering(attr_sym, value)
+        value && NILS.include?(value) ? nil : value
+      end
+
+      # The controller's index (list) method to list resources.
+      #
+      # Note: this method be alias_method'd by query_for, so it is more than just index.
+      def index
+        t = @model_class.arel_table
+        value = @model_class.scoped # returns ActiveRecord::Relation equivalent to select with no where clause
+        custom_query = self.action_to_query[params[:action].to_s]
+        if custom_query
+          value = custom_query.call(t, value)
+        end
+
+        self.param_to_query.each do |param_name, param_query|
+          if params[param_name]
+            # to_s as safety measure for vulnerabilities similar to CVE-2013-1854
+            value = param_query.call(t, value, params[param_name].to_s)
+          end
+        end
+
+        self.param_to_through.each do |param_name, through_array|
+          if params[param_name]
+            # build query
+            # e.g. SomeModel.scoped.joins({:assoc_name => {:sub_assoc => {:sub_sub_assoc => :sub_sub_sub_assoc}}).where(sub_sub_sub_assoc_model_table_name: {column_name: value})
+            last_model_class = @model_class
+            joins = nil # {:assoc_name => {:sub_assoc => {:sub_sub_assoc => :sub_sub_sub_assoc}}
+            through_array.each do |association_or_attribute|
+              if association_or_attribute == through_array.last
+                # must convert param value to string before possibly using with ARel because of CVE-2013-1854, fixed in: 3.2.13 and 3.1.12 
+                # https://groups.google.com/forum/?fromgroups=#!msg/rubyonrails-security/jgJ4cjjS8FE/BGbHRxnDRTIJ
+                value = value.joins(joins).where(last_model_class.table_name.to_sym => {association_or_attribute => params[param_name].to_s})
+              else
+                found_classes = last_model_class.reflections.collect {|association_name, reflection| reflection.class_name.constantize if association_name.to_sym == association_or_attribute}.compact
+                if found_classes.size > 0
+                  last_model_class = found_classes[0]
+                else
+                  # bad can_filter_by :through found at runtime
+                  raise "Association #{association_or_attribute.inspect} not found on #{last_model_class}."
+                end
+
+                if joins.nil?
+                  joins = association_or_attribute
+                else
+                  joins = {association_or_attribute => joins}
+                end
+              end
+            end
+          end
+        end
+
+        self.param_to_attr_and_arel_predicate.keys.each do |param_name|
+          options = param_to_attr_and_arel_predicate[param_name][2]
+          param = params[param_name] || options[:with_default]
+          if param.present? && param_to_attr_and_arel_predicate[param_name]
+            attr_sym = param_to_attr_and_arel_predicate[param_name][0]
+            predicate_sym = param_to_attr_and_arel_predicate[param_name][1]
+            if predicate_sym == :eq
+              value = value.where(attr_sym => convert_request_param_value_for_filtering(attr_sym, param))
+            else
+              one_or_more_param = param.split(self.filter_split).collect{|v|convert_request_param_value_for_filtering(attr_sym, v)}
+              value = value.where(t[attr_sym].try(predicate_sym, one_or_more_param))
+            end
+          end
+        end
+
+        if params[:page] && self.supported_functions.include?(:page)
+          page = params[:page].to_i
+          page = 1 if page < 1 # to avoid people using this as a way to get all records unpaged, as that probably isn't the intent?
+          #TODO: to_s is hack to avoid it becoming an Arel::SelectManager for some reason which not sure what to do with
+          value = value.skip((self.number_of_records_in_a_page * (page - 1)).to_s)
+          value = value.take((self.number_of_records_in_a_page).to_s)
+        end
+
+        if params[:skip] && self.supported_functions.include?(:skip)
+          # to_s as safety measure for vulnerabilities similar to CVE-2013-1854
+          value = value.skip(params[:skip].to_s)
+        end
+
+        if params[:take] && self.supported_functions.include?(:take)
+          # to_s as safety measure for vulnerabilities similar to CVE-2013-1854
+          value = value.take(params[:take].to_s)
+        end
+
+        if params[:uniq] && self.supported_functions.include?(:uniq)
+          value = value.uniq
+        end
+
+        # these must happen at the end and are independent
+        if params[:count] && self.supported_functions.include?(:count)
+          value = value.count.to_i
+        elsif params[:page_count] && self.supported_functions.include?(:page_count)
+          count_value = value.count.to_i # this executes the query so nothing else can be done in AREL
+          value = (count_value / self.number_of_records_in_a_page) + (count_value % self.number_of_records_in_a_page ? 1 : 0)
+        else
+          self.ordered_by.each do |attr_to_direction|
+            # this looks nasty, but makes no sense to iterate keys if only single of each
+            value = value.order(t[attr_to_direction.keys[0]].call(attr_to_direction.values[0]))
+          end
+          value = value.to_a
+        end
+
+        @value = value
+        instance_variable_set(@model_at_plural_name_sym, @value)
+        respond_with @value
+      end
+
+      # The controller's show (get) method to return a resource.
+      def show
+        # to_s as safety measure for vulnerabilities similar to CVE-2013-1854
+        @value = @model_class.find(params[:id].to_s)
+        instance_variable_set(@model_at_singular_name_sym, @value)
+        respond_with @value
+      end
+
+      # The controller's new method (e.g. used for new record in html format).
+      def new
+        @value = @model_class.new
+        respond_with @value
+      end
+
+      # The controller's edit method (e.g. used for edit record in html format).
+      def edit
+        # to_s as safety measure for vulnerabilities similar to CVE-2013-1854
+        @value = @model_class.find(params[:id].to_s)
+        instance_variable_set(@model_at_singular_name_sym, @value)
+      end
+
+      # The controller's create (post) method to create a resource.
+      def create
+        authorize! :create, @model_class
+        @value = @model_class.new(permitted_params)
+        @value.save
+        instance_variable_set(@model_at_singular_name_sym, @value)
+        if RestfulJson.return_resource
+          respond_with(@value) do |format|
+            format.json do
+              if @value.errors.empty?
+                render json: @value, status: :created
+              else
+                render json: {errors: @value.errors}, status: :unprocessable_entity
+              end
+            end
+          end
+        else
+          respond_with @value
+        end
+      end
+
+      # The controller's update (put) method to update a resource.
+      def update
+        authorize! :update, @model_class
+        # to_s as safety measure for vulnerabilities similar to CVE-2013-1854
+        @value = @model_class.find(params[:id].to_s)
+        @value.update_attributes(permitted_params)
+        instance_variable_set(@model_at_singular_name_sym, @value)
+        if RestfulJson.return_resource
+          respond_with(@value) do |format|
+            format.json do
+              if @value.errors.empty?
+                render json: @value, status: :ok
+              else
+                render json: {errors: @value.errors}, status: :unprocessable_entity
+              end
+            end
+          end
+        else
+          respond_with @value
+        end
+      end
+
+      # The controller's destroy (delete) method to destroy a resource.
+      def destroy
+        # to_s as safety measure for vulnerabilities similar to CVE-2013-1854
+        @value = @model_class.find(params[:id].to_s)
+        @value.destroy
+        instance_variable_set(@model_at_singular_name_sym, @value)
+        respond_with @value
+      end
+
+    end
+  end
+end

data/lib/restful_json/model.rb

@@ -0,0 +1,13 @@
+require 'cancan'
+
+module RestfulJson
+  module Model
+    extend ActiveSupport::Concern
+    included do
+      # strong parameters
+      include ::ActiveModel::ForbiddenAttributesProtection
+      # cancan, depended on by twinturbo's permitters
+      include ::CanCan::ModelAdditions
+    end
+  end
+end

data/lib/restful_json/railtie.rb

@@ -0,0 +1,19 @@
+require 'restful_json'
+
+module RestfulJson
+  class Railtie < Rails::Railtie
+    initializer "restful_json.action_controller" do
+      ActiveSupport.on_load(:action_controller) do
+        puts "Extending #{self} with RestfulJson::Controller" if RestfulJson.debug?
+        include RestfulJson::Controller
+      end
+    end
+
+    initializer "restful_json.active_record" do
+      ActiveSupport.on_load(:active_record) do
+        puts "Extending #{self} with RestfulJson::Model" if RestfulJson.debug?
+        include RestfulJson::Model
+      end
+    end
+  end
+end

data/lib/restful_json/version.rb

@@ -0,0 +1,3 @@
+module RestfulJson
+  VERSION = '3.0.0'
+end

data/lib/restful_json.rb

@@ -0,0 +1,7 @@
+require 'restful_json/version'
+require 'restful_json/config'
+require 'application_permitter'
+require 'twinturbo/controller'
+require 'restful_json/model'
+require 'restful_json/controller'
+require 'restful_json/railtie' if defined?(Rails)

data/lib/twinturbo/controller.rb

@@ -0,0 +1,35 @@
+module TwinTurbo
+  module Controller
+    # Instance Methods:
+
+    # the following methods are from Adam Hawkins's post:
+    # http://www.broadcastingadam.com/2012/07/parameter_authorization_in_rails_apis/
+    # with modification to only try to call permitted params if is a permitter
+    
+    def permitted_params
+      # if you send invalid content, it will return an HTTP 20x for a put and a 422 for a post, instead of a 500 for both.
+      @permitted_params ||= safe_permitted_params
+    end
+
+    def permitter
+      return unless permitter_class
+
+      @permitter ||= permitter_class.new params, current_user, current_ability
+    end
+
+    def permitter_class
+      begin
+        "#{self.class.to_s.match(/(.*?::)?(?<controller_name>.+)Controller/)[:controller_name].singularize}Permitter".constantize
+      rescue NameError
+        nil
+      end
+    end
+
+    def safe_permitted_params
+      begin
+        permitter.send(:permitted_params)
+      rescue
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,155 @@
+--- !ruby/object:Gem::Specification
+name: restful_json
+version: !ruby/object:Gem::Version
+  version: 3.0.0
+  prerelease: 
+platform: ruby
+authors:
+- Gary S. Weaver
+- Tommy Odom
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-03-19 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails-api
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: active_model_serializers
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: actionpack
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: activerecord
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: cancan
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: strong_parameters
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Develop declarative, featureful JSON RESTful-ish service controllers
+  to use with modern Javascript MVC frameworks like AngularJS, Ember, etc. with much
+  less code.
+email:
+- garysweaver@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/application_permitter.rb
+- lib/restful_json/config.rb
+- lib/restful_json/controller.rb
+- lib/restful_json/model.rb
+- lib/restful_json/railtie.rb
+- lib/restful_json/version.rb
+- lib/restful_json.rb
+- lib/twinturbo/controller.rb
+- Rakefile
+- README.md
+homepage: https://github.com/rubyservices/restful_json
+licenses:
+- MIT
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.25
+signing_key: 
+specification_version: 3
+summary: RESTful JSON controllers using Rails 3.1+, Rails 4+.
+test_files: []