strict_parameters 0.1.4 → 0.1.5

data/README.rdoc

@@ -10,16 +10,16 @@ In addition, parameters can be marked as required and flow through a predefined
       def create
         Person.create(params[:person])
       end
-      
+
       # This will pass with flying colors as long as there's a person key in the parameters, otherwise
-      # it'll raise a ActionController::MissingParameter exception, which will get caught by 
+      # it'll raise a ActionController::MissingParameter exception, which will get caught by
       # ActionController::Base and turned into that 400 Bad Request reply.
       def update
-        redirect_to current_account.people.find(params[:id]).tap do |person|
+        redirect_to current_account.people.find(params[:id]).tap { |person|
           person.update_attributes!(person_params)
-        end
+        }
       end
-      
+
       private
         # Using a private method to encapsulate the permissible parameters is just a good pattern
         # since you'll be able to reuse the same permit list between create and update. Also, you
@@ -35,10 +35,19 @@ You can also use permit on nested parameters, like:
 
 Thanks to Nick Kallen for the permit idea!
 
-== Todos
+== Installation
+
+In Gemfile:
 
-* Automatically permit parameters coming from a signed form [Yehuda]
+    gem 'strong_parameters'
+
+and then run `bundle`. To activate the strong parameters, you need to include this module in
+every model you want protected.
+
+    class Post < ActiveRecord::Base
+      include ActiveModel::ForbiddenAttributesProtection
+    end
 
 == Compatibility
 
-Due to a testing issue, this plugin is only fully compatible with rails/3-2-stable rev 275ee0dc7b and forward as well as rails/master rev b49a7ddce1 and forward.
+Due to a testing issue, this plugin is only fully compatible with rails/3-2-stable rev 275ee0dc7b and forward as well as rails/master rev b49a7ddce1 and forward.

data/lib/action_controller/parameters.rb

@@ -49,9 +49,48 @@ module ActionController
       self
     end
 
+    def check_parameters(*filters)
+      param_keys = filters.map do |filter|
+        filter.is_a?(Hash) ? filter.keys : filter
+      end.flatten.map(&:to_s)
+
+      (self.keys - param_keys).tap do |diff|
+        raise(ActionController::ParameterForbidden.new(diff)) unless diff.empty?
+      end
+   end
+
     def permit(*filters)
-      check_parameters(*filters) if @strict || @@strict_config
-      permit_parameters(*filters)
+      params = self.class.new
+
+      if @strict || @@strict_config
+        check_parameters(*filters)
+      end
+
+      filters.each do |filter|
+        case filter
+        when Symbol, String then
+          params[filter] = self[filter] if has_key?(filter)
+        when Hash then
+          self.slice(*filter.keys).each do |key, value|
+            return unless value
+
+            key = key.to_sym
+
+            params[key] = each_element(value) do |value|
+              # filters are a Hash, so we expect value to be a Hash too
+              next if filter.is_a?(Hash) && !value.is_a?(Hash)
+
+              value = self.class.new(value) if !value.respond_to?(:permit)
+
+              value.strict! if @strict
+
+              value.permit(*Array.wrap(filter[key]))
+            end
+          end
+        end
+      end
+
+      params.permit!
     end
 
     def [](key)
@@ -74,54 +113,6 @@ module ActionController
       end
     end
 
-    protected
-      def check_parameters(*filters)
-        param_keys = filters.map { |filter| filter.is_a?(Hash) ? filter.keys : filter }
-        param_keys = param_keys.flatten.map(&:to_s)
-        diff = self.keys - param_keys
-
-        # exit on first mismatch
-        raise(ActionController::ParameterForbidden.new(diff)) unless diff.empty?
-
-        filters.each do |filter|
-          if filter.is_a?(Hash)
-            filter.each do |key,value|
-              params = self.class.new(self[key])
-              params.check_parameters(*Array.wrap(filter[key]))
-            end
-          end
-        end
-
-      end
-
-      def permit_parameters(*filters)
-        params = self.class.new
-
-        filters.each do |filter|
-          case filter
-          when Symbol, String then
-            params[filter] = self[filter] if has_key?(filter)
-          when Hash then
-            self.slice(*filter.keys).each do |key, value|
-              return unless value
-
-              key = key.to_sym
-
-              params[key] = each_element(value) do |value|
-                # filters are a Hash, so we expect value to be a Hash too
-                next if filter.is_a?(Hash) && !value.is_a?(Hash)
-
-                value = self.class.new(value) if !value.respond_to?(:permit)
-
-                value.permit_parameters(*Array.wrap(filter[key]))
-              end
-            end
-          end
-        end
-
-        params.permit!
-      end
-
     private
       def convert_hashes_to_parameters(key, value)
         if value.is_a?(Parameters) || !value.is_a?(Hash)
@@ -135,6 +126,11 @@ module ActionController
       def each_element(object)
         if object.is_a?(Array)
           object.map { |el| yield el }.compact
+        # fields_for on an array of records uses numeric hash keys
+        elsif object.is_a?(Hash) && object.keys.all? { |k| k =~ /\A-?\d+\z/ }
+          hash = object.class.new
+          object.each { |k,v| hash[k] = yield v }
+          hash
         else
           yield object
         end

data/lib/action_controller/strict_parameters.rb

@@ -0,0 +1,167 @@
+require 'active_support/concern'
+require 'active_support/core_ext/hash/indifferent_access'
+require 'action_controller'
+
+module ActionController
+  class ParameterMissing < IndexError
+    attr_reader :param
+
+    def initialize(param)
+      @param = param
+      super("key not found: #{param}")
+    end
+  end
+
+  class ParameterForbidden < IndexError
+    attr_reader :param
+
+    def initialize(param)
+      @param = param
+      super("key forbidden: #{param}")
+    end
+  end
+
+  class Parameters < ActiveSupport::HashWithIndifferentAccess
+    cattr_accessor :strict_config
+
+    attr_accessor :permitted
+    alias :permitted? :permitted
+
+    def initialize(attributes = nil)
+      super(attributes)
+      @permitted = false
+      @strict = false
+    end
+
+    def permit!
+      @permitted = true
+      self
+    end
+
+    def require(key)
+      self[key].presence || raise(ActionController::ParameterMissing.new(key))
+    end
+
+    alias :required :require
+
+    def strict!
+      @strict = true
+      self
+    end
+
+
+    def chck_parameters(*filters)
+      param_keys = filters.map do |filter|
+        filter.is_a?(Hash) ? filter.keys : filter
+      end.flatten.map(&:to_s)
+
+      (self.keys - param_keys).tap do |diff|
+        unless diff.empty?
+          raise(ActionController::ParameterForbidden.new(diff))
+        end
+      end
+    end
+
+
+    def permit(*filters)
+      params = self.class.new
+
+      if @strict || @@strict_config
+        check_parameters(*filters)
+      end
+
+      filters.each do |filter|
+        case filter
+        when Symbol, String then
+          params[filter] = self[filter] if has_key?(filter)
+        when Hash then
+          self.slice(*filter.keys).each do |key, value|
+            return unless value
+
+            key = key.to_sym
+
+            params[key] = each_element(value) do |value|
+              # filters are a Hash, so we expect value to be a Hash too
+              next if filter.is_a?(Hash) && !value.is_a?(Hash)
+
+              value = self.class.new(value) if !value.respond_to?(:permit)
+
+              value.strict! if @strict
+
+              value.permit(*Array.wrap(filter[key]))
+            end
+          end
+        end
+      end
+
+      params.permit!
+    end
+
+    def [](key)
+      convert_hashes_to_parameters(key, super)
+    end
+
+    def fetch(key, *args)
+      convert_hashes_to_parameters(key, super)
+    rescue KeyError
+      raise ActionController::ParameterMissing.new(key)
+    end
+
+    def slice(*keys)
+      self.class.new(super)
+    end
+
+    def dup
+      super.tap do |duplicate|
+        duplicate.instance_variable_set :@permitted, @permitted
+      end
+    end
+
+    private
+    def convert_hashes_to_parameters(key, value)
+      if value.is_a?(Parameters) || !value.is_a?(Hash)
+        value
+      else
+        # Convert to Parameters on first access
+        self[key] = self.class.new(value)
+      end
+    end
+
+    def each_element(object)
+      if object.is_a?(Array)
+        object.map { |el| yield el }.compact
+        # fields_for on an array of records uses numeric hash keys
+      elsif object.is_a?(Hash) && object.keys.all? { |k| k =~ /\A-?\d+\z/ }
+        hash = object.class.new
+        object.each { |k,v| hash[k] = yield v }
+        hash
+      else
+        yield object
+      end
+    end
+  end
+
+  module StrongParameters
+    extend ActiveSupport::Concern
+
+    included do
+      rescue_from(ActionController::ParameterMissing) do |parameter_missing_exception|
+        render :text => "Required parameter missing: #{parameter_missing_exception.param}", :status => :bad_request
+      end
+
+      rescue_from(ActionController::ParameterForbidden) do |parameter_forbidden_exception|
+        render :text => "Parameters forbidden: #{parameter_forbidden_exception.param.join(' ')}", :status => :unprocessable_entity
+      end
+    end
+
+    def params
+      @_params ||= Parameters.new(request.parameters)
+    end
+
+    def params=(val)
+      @_params = val.is_a?(Hash) ? Parameters.new(val) : val
+    end
+  end
+end
+
+ActionController::Base.send :include, ActionController::StrongParameters

data/lib/strong_parameters/version.rb

@@ -1,3 +1,3 @@
 module StrongParameters
-  VERSION = "0.1.4"
+  VERSION = "0.1.5"
 end

data/test/nested_parameters_test.rb

@@ -92,4 +92,40 @@ class NestedParametersTest < ActiveSupport::TestCase
     permitted = params.permit book: { genre: :type }
     assert_nil permitted[:book][:genre]
   end
+
+  test "fields_for_style_nested_params" do
+    params = ActionController::Parameters.new({
+      book: {
+        authors_attributes: {
+          :'0' => { name: 'William Shakespeare', age_of_death: '52' },
+          :'1' => { name: 'Unattributed Assistant' }
+        }
+      }
+    })
+    permitted = params.permit book: { authors_attributes: [ :name ] }
+
+    assert_not_nil permitted[:book][:authors_attributes]['0']
+    assert_not_nil permitted[:book][:authors_attributes]['1']
+    assert_nil permitted[:book][:authors_attributes]['0'][:age_of_death]
+    assert_equal 'William Shakespeare', permitted[:book][:authors_attributes]['0'][:name]
+    assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['1'][:name]
+  end
+
+  test "fields_for_style_nested_params with negative numbers" do
+    params    = ActionController::Parameters.new({
+      book: {
+        authors_attributes: {
+          :'-1' => {name: 'William Shakespeare', age_of_death: '52'},
+          :'-2' => {name: 'Unattributed Assistant'}
+        }
+      }
+    })
+    permitted = params.permit book: {authors_attributes: [:name]}
+
+    assert_not_nil permitted[:book][:authors_attributes]['-1']
+    assert_not_nil permitted[:book][:authors_attributes]['-2']
+    assert_nil permitted[:book][:authors_attributes]['-1'][:age_of_death]
+    assert_equal 'William Shakespeare', permitted[:book][:authors_attributes]['-1'][:name]
+    assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['-2'][:name]
+  end
 end

data/test/parameters_strict_test.rb

@@ -71,4 +71,21 @@ class ParametersStrictTest < ActiveSupport::TestCase
     end
   end
 
+  test "strict! fields_for_style_nested_params with negative numbers" do
+    params    = ActionController::Parameters.new({
+      book: {
+        authors_attributes: {
+          :'-1' => {name: 'William Shakespeare', age_of_death: '52'},
+          :'-2' => {name: 'Unattributed Assistant'}
+        }
+      }
+    })
+    permitted = params.permit book: {authors_attributes: [:name, :age_of_death]}
+
+    assert_not_nil permitted[:book][:authors_attributes]['-1']
+    assert_not_nil permitted[:book][:authors_attributes]['-2']
+    assert_not_nil permitted[:book][:authors_attributes]['-1'][:age_of_death]
+    assert_equal 'William Shakespeare', permitted[:book][:authors_attributes]['-1'][:name]
+    assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['-2'][:name]
+  end
 end

data/test/test_helper.rb

@@ -2,7 +2,7 @@
 ENV["RAILS_ENV"] = "test"
 
 require 'test/unit'
-require 'strong_parameters'
+require 'strict_parameters'
 
 module ActionController
   SharedTestRoutes = ActionDispatch::Routing::RouteSet.new

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: strict_parameters
 version: !ruby/object:Gem::Version
-  version: 0.1.4
+  version: 0.1.5
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-08-20 00:00:00.000000000 Z
+date: 2012-09-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionpack
@@ -83,6 +83,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - lib/action_controller/parameters.rb
+- lib/action_controller/strict_parameters.rb
 - lib/active_model/forbidden_attributes_protection.rb
 - lib/generators/rails/strong_parameters_controller_generator.rb
 - lib/generators/rails/templates/controller.rb