signed_form 0.1.1 → 0.1.2

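--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: c2252f1f051eaa4aae342bebc6e18b690c1729e0
- data.tar.gz: 14aed6537280fff1e06456e6810c3e82234482f8
+ metadata.gz: d48194df6c241a277cc79382344715c75aac7d9c
+ data.tar.gz: 279e08bc94e45b2ce9f5e25364104bd5433ecb34
  SHA512:
- metadata.gz: b6ba4877c2618bfca2c6906a7ecc38fd2f86c138daafd6cee98945053ed773d615954dd0478d06059dd5bbc69a9275c612dc9f0618b7f9fe37bd7bf8e32b2879
- data.tar.gz: 3d9aa7420195e95e2bf864482785675ac4e9e914ed257b6e9a017c6fec011533de4e12c95bb7d4f923bfdea3e698bf0845f737eba16d8d41129b00d96d09045d
+ metadata.gz: 75e21c1f42bfa9b1e8df77e4afbabb6d8ffc8a5295ddbc53d90347bfae0ed391e73f0a97b529e7b0e835957b737acf4f2deb9f692063c277408c66602a09d11a
+ data.tar.gz: 448f4016cf450248230406b3f89947f953398b81dcf56cdf06c9433eda9f9ad806e091aa93d7895ac6e62982dce271055b35101a0349b3952c62292bf1cd5498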
@@ -24,7 +24,12 @@ module SignedForm
24
24
  allowed_attributes = Marshal.load Base64.strict_decode64(data)
25
25
  options = allowed_attributes.delete(:__options__)
26
26
 
27
- raise Errors::InvalidURL if options && (!options[:method].to_s.casecmp(request.method) || options[:url] != request.fullpath)
27
+ if options
28
+ raise Errors::InvalidURL if options[:method].to_s.casecmp(request.request_method) != 0
29
+
30
+ url = url_for(options[:url])
31
+ raise Errors::InvalidURL if url != request.fullpath && url != request.url
32
+ end
28
33
 
29
34
  allowed_attributes.each do |k, v|
30
35
  params[k] = params.require(k).permit(*v)
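Review bot: `Marshal.load` on line 24 deserializes `data` (which the spec builds into `params['form_signature']`) before any of the checks added here run, so its safety rests entirely on the HMAC having been verified earlier in this method, which starts above the hunk and is not visible here. Marshal instantiates arbitrary Ruby objects, so a leaked or guessable `secret_key` would turn form tampering into object deserialization; I would record that dependency with a comment such as `# data must already be HMAC-verified: Marshal.load builds arbitrary objects` and plan a move to a data-only encoding such as JSON. Separately, `if options` leaves the method/URL binding optional: a signed payload with no `:__options__` key skips both raises, so if every generated form is meant to be bound to its action, add `raise Errors::InvalidURL unless options` ahead of the block.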
@@ -1,7 +1,7 @@
1
1
  module SignedForm
2
2
  MAJOR = 0
3
3
  MINOR = 1
4
- PATCH = 1
4
+ PATCH = 2
5
5
  PRE = nil
6
6
 
7
7
  VERSION = [MAJOR, MINOR, PATCH, PRE].compact.join '.'
@@ -12,7 +12,7 @@ describe SignedForm::ActionController::PermitSignedParams do
12
12
  before do
13
13
  SignedForm::HMAC.secret_key = "abc123"
14
14
 
15
- Controller.any_instance.stub(request: double('request', method: 'POST', fullpath: '/users'))
15
+ Controller.any_instance.stub(request: double('request', method: 'POST', request_method: 'POST', fullpath: '/users', url: '/users'))
16
16
  Controller.any_instance.stub(params: { "user" => { name: "Erich Menge", occupation: 'developer' } })
17
17
  end
18
18
 
@@ -63,4 +63,18 @@ describe SignedForm::ActionController::PermitSignedParams do
63
63
 
64
64
  expect { controller.permit_signed_form_data }.to raise_error(SignedForm::Errors::InvalidURL)
65
65
  end
66
+
67
+ it "should reject if method doesn't match" do
68
+ params = controller.params
69
+
70
+ data = Base64.strict_encode64(Marshal.dump("user" => [:name], :__options__ => { method: 'put', url: '/users' }))
71
+ signature = SignedForm::HMAC.create_hmac(data)
72
+
73
+ params['form_signature'] = "#{data}--#{signature}"
74
+
75
+ params.stub(:require).with('user').and_return(params)
76
+ params.stub(:permit).with(:name).and_return(params)
77
+
78
+ expect { controller.permit_signed_form_data }.to raise_error(SignedForm::Errors::InvalidURL)
79
+ end
66
80
  end
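Review bot: The request double stubs `url: '/users'`, the same string as `fullpath`, so the newly added `url != request.url` comparison is never the deciding one in these examples, whereas a real `request.url` is an absolute URL. Stub a realistic value, e.g. `url: 'http://test.host/users'` (sample host), and add one example whose signed `:url` is absolute and matches, plus one that differs only in host, to pin down what the second comparison is meant to accept and reject. The new example covers a method mismatch only, and the `method: 'POST'` stub no longer appears to be read by the code under test. The `describe` block begins and continues outside these hunks.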
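--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: signed_form
  version: !ruby/object:Gem::Version
- version: 0.1.1
+ version: 0.1.2
  platform: ruby
  authors:
  - Erich Menge
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2013-04-10 00:00:00.000000000 Z
+ date: 2013-04-21 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: bundler
@@ -136,4 +136,3 @@ test_files:
  - spec/hmac_spec.rb
  - spec/permit_signed_params_spec.rb
  - spec/spec_helper.rb
- has_rdoc: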