strong_parameters 0.2.0 → 0.2.1

data/README.md

@@ -0,0 +1,129 @@
+[![Travis CI](https://secure.travis-ci.org/rails/strong_parameters.png)](http://travis-ci.org/rails/strong_parameters) [![Gem Version](https://badge.fury.io/rb/strong_parameters.png)](http://badge.fury.io/rb/strong_parameters)
+# Strong Parameters
+
+With this plugin Action Controller parameters are forbidden to be used in Active Model mass assignments until they have been whitelisted. This means you'll have to make a conscious choice about which attributes to allow for mass updating and thus prevent accidentally exposing that which shouldn't be exposed.
+
+In addition, parameters can be marked as required and flow through a predefined raise/rescue flow to end up as a 400 Bad Request with no effort.
+
+``` ruby
+class PeopleController < ActionController::Base
+  # This will raise an ActiveModel::ForbiddenAttributes exception because it's using mass assignment
+  # without an explicit permit step.
+  def create
+    Person.create(params[:person])
+  end
+
+  # This will pass with flying colors as long as there's a person key in the parameters, otherwise
+  # it'll raise a ActionController::MissingParameter exception, which will get caught by
+  # ActionController::Base and turned into that 400 Bad Request reply.
+  def update
+    person = current_account.people.find(params[:id])
+    person.update_attributes!(person_params)
+    redirect_to person
+  end
+
+  private
+    # Using a private method to encapsulate the permissible parameters is just a good pattern
+    # since you'll be able to reuse the same permit list between create and update. Also, you
+    # can specialize this method with per-user checking of permissible attributes.
+    def person_params
+      params.require(:person).permit(:name, :age)
+    end
+end
+```
+
+## Permitted Scalar Values
+
+Given
+
+``` ruby
+params.permit(:id)
+```
+
+the key `:id` will pass the whitelisting if it appears in `params` and it has a permitted scalar value associated. Otherwise the key is going to be filtered out, so arrays, hashes, or any other objects cannot be injected.
+
+The permitted scalar types are `String`, `Symbol`, `NilClass`, `Numeric`, `TrueClass`, `FalseClass`, `Date`, `Time`, `DateTime`, `StringIO`, `IO`, `ActionDispatch::Http::UploadedFile` and `Rack::Test::UploadedFile`.
+
+To declare that the value in `params` must be an array of permitted scalar values map the key to an empty array:
+
+``` ruby
+params.permit(:id => [])
+```
+
+To whitelist an entire hash of parameters, the `permit!` method can be used
+
+``` ruby
+params.require(:log_entry).permit!
+```
+
+This will mark the `:log_entry` parameters hash and any subhash of it permitted.  Extreme care should be taken when using `permit!` as it will allow all current and future model attributes to be mass-assigned.
+
+## Nested Parameters
+
+You can also use permit on nested parameters, like:
+
+``` ruby
+params.permit(:name, {:emails => []}, :friends => [ :name, { :family => [ :name ], :hobbies => [] }])
+```
+
+This declaration whitelists the `name`, `emails` and `friends` attributes. It is expected that `emails` will be an array of permitted scalar values and that `friends` will be an array of resources with specific attributes : they should have a `name` attribute (any permitted scalar values allowed), a `hobbies` attribute as an array of permitted scalar values, and a `family` attribute which is restricted to having a `name` (any permitted scalar values allowed, too).
+
+Thanks to Nick Kallen for the permit idea!
+
+## Handling of Unpermitted Keys
+
+By default parameter keys that are not explicitly permitted will be logged in the development and test environment. In other environments these parameters will simply be filtered out and ignored.
+
+Additionally, this behaviour can be changed by changing the `config.action_controller.action_on_unpermitted_parameters` property in your environment files. If set to `:log` the unpermitted attributes will be logged, if set to `:raise` an exception will be raised.
+
+## Use Outside of Controllers
+
+While Strong Parameters will enforce permitted and required values in your application controllers, keep in mind
+that you will need to sanitize untrusted data used for mass assignment when in use outside of controllers.
+
+For example, if you retrieve JSON data from a third party API call and pass the unchecked parsed result on to
+`Model.create`, undesired mass assignments could take place.  You can alleviate this risk by slicing the hash data,
+or wrapping the data in a new instance of `ActionController::Parameters` and declaring permissions the same as
+you would in a controller.  For example:
+
+``` ruby
+raw_parameters = { :email => "john@example.com", :name => "John", :admin => true }
+parameters = ActionController::Parameters.new(raw_parameters)
+user = User.create(parameters.permit(:name, :email))
+```
+
+## Installation
+
+In Gemfile:
+
+``` ruby
+gem 'strong_parameters'
+```
+
+and then run `bundle`. To activate the strong parameters, you need to include this module in
+every model you want protected.
+
+``` ruby
+class Post < ActiveRecord::Base
+  include ActiveModel::ForbiddenAttributesProtection
+end
+```
+
+Alternatively, you can protect all Active Record resources by default by creating an initializer and pasting the line:
+
+``` ruby
+ActiveRecord::Base.send(:include, ActiveModel::ForbiddenAttributesProtection)
+```
+
+If you want to now disable the default whitelisting that occurs in Rails 3.2, change the `config.active_record.whitelist_attributes` property in your `config/application.rb`:
+
+``` ruby
+config.active_record.whitelist_attributes = false
+```
+
+This will allow you to remove / not have to use `attr_accessible` and do mass assignment inside your code and tests.
+
+## Compatibility
+
+This plugin is only fully compatible with Rails versions 3.0, 3.1 and 3.2 but not 4.0+, as it is part of Rails Core in 4.0.
+An unofficial Rails 2 version is [strong_parameters_rails2](https://github.com/grosser/strong_parameters/tree/rails2).

data/Rakefile

@@ -12,7 +12,8 @@ RDoc::Task.new(:rdoc) do |rdoc|
   rdoc.rdoc_dir = 'rdoc'
   rdoc.title    = 'StrongParameters'
   rdoc.options << '--line-numbers'
-  rdoc.rdoc_files.include('README.rdoc')
+  rdoc_main = 'README.md'
+  rdoc.rdoc_files.include('README.md')
   rdoc.rdoc_files.include('lib/**/*.rb')
 end
 

data/lib/action_controller/parameters.rb

@@ -143,6 +143,7 @@ module ActionController
         StringIO,
         IO,
         ActionDispatch::Http::UploadedFile,
+        Rack::Test::UploadedFile,
       ]
 
       def permitted_scalar?(value)
@@ -167,9 +168,9 @@ module ActionController
         end
       end
 
-      def array_of_permitted_scalars_filter(params, key)
-        if has_key?(key) && array_of_permitted_scalars?(self[key])
-          params[key] = self[key]
+      def array_of_permitted_scalars_filter(params, key, hash = self)
+        if hash.has_key?(key) && array_of_permitted_scalars?(hash[key])
+          params[key] = hash[key]
         end
       end
 
@@ -185,10 +186,12 @@ module ActionController
             array_of_permitted_scalars_filter(params, key)
           else
             # Declaration {:user => :name} or {:user => [:name, :age, {:adress => ...}]}.
-            params[key] = each_element(value) do |element|
+            params[key] = each_element(value) do |element, index|
               if element.is_a?(Hash)
                 element = self.class.new(element) unless element.respond_to?(:permit)
                 element.permit(*Array.wrap(filter[key]))
+              elsif filter[key].is_a?(Hash) && filter[key][index] == []
+                array_of_permitted_scalars_filter(params, index, value)
               end
             end
           end
@@ -201,7 +204,7 @@ module ActionController
           # fields_for on an array of records uses numeric hash keys.
         elsif value.is_a?(Hash) && value.keys.all? { |k| k =~ /\A-?\d+\z/ }
           hash = value.class.new
-          value.each { |k,v| hash[k] = yield v }
+          value.each { |k,v| hash[k] = yield(v, k) }
           hash
         else
           yield value
@@ -215,8 +218,9 @@ module ActionController
 
         if unpermitted_keys.any?  
           case self.class.action_on_unpermitted_parameters  
-          when :log  
-            ActionController::Base.logger.debug "Unpermitted parameters: #{unpermitted_keys.join(", ")}"  
+          when :log
+            name = "unpermitted_parameters.action_controller"
+            ActiveSupport::Notifications.instrument(name, :keys => unpermitted_keys)
           when :raise  
             raise ActionController::UnpermittedParameters.new(unpermitted_keys)  
           end  

data/lib/strong_parameters.rb

@@ -1,3 +1,4 @@
 require 'action_controller/parameters'
 require 'active_model/forbidden_attributes_protection'
 require 'strong_parameters/railtie'
+require 'strong_parameters/log_subscriber'

data/lib/strong_parameters/log_subscriber.rb

@@ -0,0 +1,14 @@
+module StrongParameters
+  class LogSubscriber < ActiveSupport::LogSubscriber
+    def unpermitted_parameters(event)
+      unpermitted_keys = event.payload[:keys]
+      debug("Unpermitted parameters: #{unpermitted_keys.join(", ")}")
+    end
+
+    def logger
+      ActionController::Base.logger
+    end
+  end
+end
+
+StrongParameters::LogSubscriber.attach_to :action_controller

data/lib/strong_parameters/version.rb

@@ -1,3 +1,3 @@
 module StrongParameters
-  VERSION = "0.2.0"
+  VERSION = "0.2.1"
 end

data/test/controller_generator_test.rb

@@ -8,7 +8,6 @@ class StrongParametersControllerGeneratorTest < Rails::Generators::TestCase
   setup :prepare_destination
 
   def test_controller_content
-    Rails.stubs(:application).returns(nil)
     run_generator
 
     assert_file "app/controllers/users_controller.rb" do |content|

data/test/gemfiles/Gemfile.rails-3.0.x.lock

@@ -30,9 +30,6 @@ GEM
       abstract (>= 1.0.0)
     i18n (0.5.0)
     json (1.7.5)
-    metaclass (0.0.1)
-    mocha (0.12.7)
-      metaclass (~> 0.0.1)
     rack (1.2.5)
     rack-mount (0.6.14)
       rack (>= 1.0.0)
@@ -56,7 +53,6 @@ PLATFORMS
 DEPENDENCIES
   actionpack (~> 3.0.0)
   activemodel (~> 3.0.0)
-  mocha (~> 0.12.0)
   railties (~> 3.0.0)
   rake
   strong_parameters!

data/test/parameters_permit_test.rb

@@ -27,7 +27,7 @@ class NestedParametersTest < ActiveSupport::TestCase
     values += [0, 1.0, 2**128, BigDecimal.new('1')]
     values += [true, false]
     values += [Date.today, Time.now, DateTime.now]
-    values += [StringIO.new, STDOUT, ActionDispatch::Http::UploadedFile.new(:tempfile => __FILE__)]
+    values += [StringIO.new, STDOUT, ActionDispatch::Http::UploadedFile.new(:tempfile => __FILE__), Rack::Test::UploadedFile.new(__FILE__)]
 
     values.each do |value|
       params = ActionController::Parameters.new(:id => value)
@@ -291,4 +291,22 @@ class NestedParametersTest < ActiveSupport::TestCase
 
     assert_filtered_out permitted[:book][:authors_attributes]['-1'], :age_of_death
   end
+
+  test "fields_for_style_nested_params with nested arrays" do
+    params = ActionController::Parameters.new({
+      :book => {
+        :authors_attributes => {
+          :'0' => ['William Shakespeare', '52'],
+          :'1' => ['Unattributed Assistant']
+        }
+      }
+    })
+    permitted = params.permit :book => { :authors_attributes => { :'0' => [], :'1' => [] } }
+
+    assert_not_nil permitted[:book][:authors_attributes]['0']
+    assert_not_nil permitted[:book][:authors_attributes]['1']
+    assert_nil permitted[:book][:authors_attributes]['2']
+    assert_equal 'William Shakespeare', permitted[:book][:authors_attributes]['0'][0]
+    assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['1'][0]
+  end
 end

data/test/test_helper.rb

@@ -10,7 +10,6 @@ Rails.application = FakeApplication
 Rails.configuration.action_controller = ActiveSupport::OrderedOptions.new
 
 require 'strong_parameters'
-require 'mocha'
 
 module ActionController
   SharedTestRoutes = ActionDispatch::Routing::RouteSet.new

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: strong_parameters
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.2.1
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-02-18 00:00:00.000000000 Z
+date: 2013-05-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionpack
@@ -75,22 +75,6 @@ dependencies:
     - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: mocha
-  requirement: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: 0.12.0
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: 0.12.0
 description: 
 email:
 - david@heinemeierhansson.com
@@ -103,12 +87,13 @@ files:
 - lib/generators/rails/strong_parameters_controller_generator.rb
 - lib/generators/rails/templates/controller.rb
 - lib/generators/rails/USAGE
+- lib/strong_parameters/log_subscriber.rb
 - lib/strong_parameters/railtie.rb
 - lib/strong_parameters/version.rb
 - lib/strong_parameters.rb
 - MIT-LICENSE
 - Rakefile
-- README.rdoc
+- README.md
 - test/action_controller_required_params_test.rb
 - test/action_controller_tainted_params_test.rb
 - test/active_model_mass_assignment_taint_protection_test.rb

data/README.rdoc

@@ -1,102 +0,0 @@
-= Strong Parameters
-
-With this plugin Action Controller parameters are forbidden to be used in Active Model mass assignments until they have been whitelisted. This means you'll have to make a conscious choice about which attributes to allow for mass updating and thus prevent accidentally exposing that which shouldn't be exposed.
-
-In addition, parameters can be marked as required and flow through a predefined raise/rescue flow to end up as a 400 Bad Request with no effort.
-
-    class PeopleController < ActionController::Base
-      # This will raise an ActiveModel::ForbiddenAttributes exception because it's using mass assignment
-      # without an explicit permit step.
-      def create
-        Person.create(params[:person])
-      end
-
-      # This will pass with flying colors as long as there's a person key in the parameters, otherwise
-      # it'll raise a ActionController::MissingParameter exception, which will get caught by
-      # ActionController::Base and turned into that 400 Bad Request reply.
-      def update
-        person = current_account.people.find(params[:id])
-        person.update_attributes!(person_params)
-        redirect_to person
-      end
-
-      private
-        # Using a private method to encapsulate the permissible parameters is just a good pattern
-        # since you'll be able to reuse the same permit list between create and update. Also, you
-        # can specialize this method with per-user checking of permissible attributes.
-        def person_params
-          params.require(:person).permit(:name, :age)
-        end
-    end
-
-== Permitted Scalar Values
-
-Given
-
-    params.permit(:id)
-
-the key +:id+ will pass the whitelisting if it appears in +params+ and it has a permitted scalar value associated. Otherwise the key is going to be filtered out, so arrays, hashes, or any other objects cannot be injected.
-
-The permitted scalar types are +String+, +Symbol+, +NilClass+, +Numeric+, +TrueClass+, +FalseClass+, +Date+, +Time+, +DateTime+, +StringIO+, +IO+, and +ActionDispatch::Http::UploadedFile+.
-
-To declare that the value in +params+ must be an array of permitted scalar values map the key to an empty array:
-
-    params.permit(:id => [])
-
-== Nested Parameters
-
-You can also use permit on nested parameters, like:
-
-    params.permit(:name, {:emails => []}, :friends => [ :name, { :family => [ :name ], :hobbies => [] }])
-
-This declaration whitelists the +name+, +emails+ and +friends+ attributes. It is expected that +emails+ will be an array of permitted scalar values and that +friends+ will be an array of resources with specific attributes : they should have a +name+ attribute (any permitted scalar values allowed), a +hobbies+ attribute as an array of permitted scalar values, and a +family+ attribute which is restricted to having a +name+ (any permitted scalar values allowed, too).
-
-Thanks to Nick Kallen for the permit idea!
-
-== Handling of Unpermitted Keys
-
-By default parameter keys that are not explicitly permitted will be logged in the development and test environment. In other environments these parameters will simply be filtered out and ignored.
-
-Additionally, this behaviour can be changed by changing the +config.action_controller.action_on_unpermitted_parameters+ property in your environment files. If set to +:log+ the unpermitted attributes will be logged, if set to +:raise+ an exception will be raised.
-
-== Use Outside of Controllers
-
-While Strong Parameters will enforce permitted and required values in your application controllers, keep in mind
-that you will need to sanitize untrusted data used for mass assignment when in use outside of controllers.
-
-For example, if you retrieve JSON data from a third party API call and pass the unchecked parsed result on to
-+Model.create+, undesired mass assignments could take place.  You can alleviate this risk by slicing the hash data,
-or wrapping the data in a new instance of +ActionController::Parameters+ and declaring permissions the same as
-you would in a controller.  For example:
-
-    raw_parameters = { :email => "john@example.com", :name => "John", :admin => true }
-    parameters = ActionController::Parameters.new(raw_parameters)
-    user = User.create(parameters.permit(:name, :email))
-
-== Installation
-
-In Gemfile:
-
-    gem 'strong_parameters'
-
-and then run `bundle`. To activate the strong parameters, you need to include this module in
-every model you want protected.
-
-    class Post < ActiveRecord::Base
-      include ActiveModel::ForbiddenAttributesProtection
-    end
-
-Alternatively, you can protect all Active Record resources by default by creating an initializer and pasting the line:
-
-    ActiveRecord::Base.send(:include, ActiveModel::ForbiddenAttributesProtection)
-
-If you want to now disable the default whitelisting that occurs in later versions of Rails, change the +config.active_record.whitelist_attributes+ property in your +config/application.rb+:
-
-    config.active_record.whitelist_attributes = false
-
-This will allow you to remove / not have to use +attr_accessible+ and do mass assignment inside your code and tests.
-
-== Compatibility
-
-This plugin is only fully compatible with Rails versions 3.0, 3.1 and 3.2 but not 4.0+, as it is part of Rails Core in 4.0.
-An unofficial Rails 2 version is {strong_parameters_rails2}[https://github.com/grosser/strong_parameters/tree/rails2].