strongly_typed_parameters 0.0.1

data/lib/strongly_typed_parameters.rb

@@ -0,0 +1,4 @@
+require 'action_controller/parameters'
+require 'active_model/forbidden_attributes_protection'
+require 'strongly_typed_parameters/railtie'
+require 'strongly_typed_parameters/boolean'

data/lib/strongly_typed_parameters/boolean.rb

@@ -0,0 +1,12 @@
+#marker module to identify boolean objects.
+
+module Boolean
+end
+
+class TrueClass
+  include Boolean
+end
+
+class FalseClass
+  include Boolean
+end

data/lib/strongly_typed_parameters/railtie.rb

@@ -0,0 +1,17 @@
+require 'rails/railtie'
+
+module StronglyTypedParameters
+  class Railtie < ::Rails::Railtie
+    if config.respond_to?(:app_generators)
+      config.app_generators.scaffold_controller = :strongly_typed_parameters_controller
+    else
+      config.generators.scaffold_controller = :strongly_typed_parameters_controller
+    end
+
+    initializer "strong_parameters.config", :before => "action_controller.set_configs" do |app|
+      ActionController::Parameters.action_on_unpermitted_parameters = app.config.action_controller.delete(:action_on_unpermitted_parameters) do
+        (Rails.env.test? || Rails.env.development?) ? :log : false
+      end
+    end
+  end
+end

data/lib/strongly_typed_parameters/version.rb

@@ -0,0 +1,3 @@
+module StronglyTypedParameters
+  VERSION = "0.0.1"
+end

data/test/action_controller_required_params_test.rb

@@ -0,0 +1,30 @@
+require 'test_helper'
+
+class BooksController < ActionController::Base
+  def create
+    params.require(:book).require(:name)
+    head :ok
+  end
+end
+
+class ActionControllerRequiredParamsTest < ActionController::TestCase
+  tests BooksController
+
+  test "missing required parameters will raise exception" do
+    post :create, { :magazine => { :name => "Mjallo!" } }
+    assert_response :bad_request
+
+    post :create, { :book => { :title => "Mjallo!" } }
+    assert_response :bad_request
+  end
+
+  test "required parameters that are present will not raise" do
+    post :create, { :book => { :name => "Mjallo!" } }
+    assert_response :ok
+  end
+
+  test "missing parameters will be mentioned in the return" do
+    post :create, { :magazine => { :name => "Mjallo!" } }
+    assert_equal "Required parameter missing: book", response.body
+  end
+end

data/test/action_controller_tainted_params_test.rb

@@ -0,0 +1,25 @@
+require 'test_helper'
+
+class PeopleController < ActionController::Base
+  def create
+    render :text => params[:person].permitted? ? "untainted" : "tainted"
+  end
+
+  def create_with_permit
+    render :text => params[:person].permit(:name).permitted? ? "untainted" : "tainted"
+  end
+end
+
+class ActionControllerTaintedParamsTest < ActionController::TestCase
+  tests PeopleController
+
+  test "parameters are tainted" do
+    post :create, { :person => { :name => "Mjallo!" } }
+    assert_equal "tainted", response.body
+  end
+
+  test "parameters can be permitted and are then not tainted" do
+    post :create_with_permit, { :person => { :name => "Mjallo!" } }
+    assert_equal "untainted", response.body
+  end
+end

data/test/active_model_mass_assignment_taint_protection_test.rb

@@ -0,0 +1,30 @@
+require 'test_helper'
+
+class Person
+  include ActiveModel::MassAssignmentSecurity
+  include ActiveModel::ForbiddenAttributesProtection
+
+  public :sanitize_for_mass_assignment
+end
+
+class ActiveModelMassUpdateProtectionTest < ActiveSupport::TestCase
+  test "forbidden attributes cannot be used for mass updating" do
+    assert_raises(ActiveModel::ForbiddenAttributes) do
+      Person.new.sanitize_for_mass_assignment(ActionController::Parameters.new(:a => "b"))
+    end
+  end
+
+  test "permitted attributes can be used for mass updating" do
+    assert_nothing_raised do
+      assert_equal({ "a" => "b" },
+        Person.new.sanitize_for_mass_assignment(ActionController::Parameters.new(:a => "b").permit(:a)))
+    end
+  end
+
+  test "regular attributes should still be allowed" do
+    assert_nothing_raised do
+      assert_equal({ :a => "b" },
+        Person.new.sanitize_for_mass_assignment(:a => "b"))
+    end
+  end
+end

data/test/active_model_smart_type_defaulting_test.rb

@@ -0,0 +1,28 @@
+require 'test_helper'
+require 'action_controller/parameters'
+
+class Column
+  attr_accessor :name
+  attr_accessor :klass
+  def initialize(hsh)
+    hsh.each do |name, klass|
+      @name = name
+      @klass = klass
+    end
+  end
+end
+
+class User
+  def self.columns
+    [Column.new("id" => Fixnum), Column.new("name" => String)]
+  end
+end
+
+class ActiveModelSmartTypeDefaultingTest < ActiveSupport::TestCase
+    test "if no types are given but the parent object shares a name with a model, attribute types are used" do
+      params = ActionController::Parameters.new(:user => [:id => 1234])
+      permitted = params.permit(:user => [:id, :name])
+      assert_equal permitted[:user][0][:id], 1234
+      assert_nil permitted[:user][0][:name]
+    end
+end

data/test/controller_generator_test.rb

@@ -0,0 +1,38 @@
+#FIXME: This errors due to Mocha.
+
+=begin
+
+require 'rails/generators/test_case'
+require 'generators/rails/strong_parameters_controller_generator'
+
+class StrongParametersControllerGeneratorTest < Rails::Generators::TestCase
+  tests Rails::Generators::StrongParametersControllerGenerator
+  arguments %w(User name:string age:integer --orm=none)
+  destination File.expand_path("../tmp", File.dirname(__FILE__))
+  setup :prepare_destination
+
+  def test_controller_content
+    Rails.stubs(:application).returns(nil)
+    run_generator
+
+    assert_file "app/controllers/users_controller.rb" do |content|
+
+      assert_instance_method :create, content do |m|
+        assert_match '@user = User.new(user_params)', m
+        assert_match '@user.save', m
+        assert_match '@user.errors', m
+      end
+
+      assert_instance_method :update, content do |m|
+        assert_match '@user = User.find(params[:id])', m
+        assert_match '@user.update_attributes(user_params)', m
+        assert_match '@user.errors', m
+      end
+
+      assert_match 'def user_params', content
+      assert_match 'params.require(:user).permit(:age, :name)', content
+    end
+  end
+end
+
+=end

data/test/gemfiles/Gemfile.rails-3.0.x

@@ -0,0 +1,6 @@
+source :rubygems
+gemspec :path => "./../.."
+
+gem "actionpack", "~> 3.0.0"
+gem "railties", "~> 3.0.0"
+gem "activemodel", "~> 3.0.0"

data/test/gemfiles/Gemfile.rails-3.0.x.lock

@@ -0,0 +1,62 @@
+PATH
+  remote: /Users/mgrosser/code/tools/strong_parameters
+  specs:
+    strong_parameters (0.1.6.dev)
+      actionpack (~> 3.0)
+      activemodel (~> 3.0)
+      railties (~> 3.0)
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    abstract (1.0.0)
+    actionpack (3.0.17)
+      activemodel (= 3.0.17)
+      activesupport (= 3.0.17)
+      builder (~> 2.1.2)
+      erubis (~> 2.6.6)
+      i18n (~> 0.5.0)
+      rack (~> 1.2.5)
+      rack-mount (~> 0.6.14)
+      rack-test (~> 0.5.7)
+      tzinfo (~> 0.3.23)
+    activemodel (3.0.17)
+      activesupport (= 3.0.17)
+      builder (~> 2.1.2)
+      i18n (~> 0.5.0)
+    activesupport (3.0.17)
+    builder (2.1.2)
+    erubis (2.6.6)
+      abstract (>= 1.0.0)
+    i18n (0.5.0)
+    json (1.7.5)
+    metaclass (0.0.1)
+    mocha (0.12.7)
+      metaclass (~> 0.0.1)
+    rack (1.2.5)
+    rack-mount (0.6.14)
+      rack (>= 1.0.0)
+    rack-test (0.5.7)
+      rack (>= 1.0)
+    railties (3.0.17)
+      actionpack (= 3.0.17)
+      activesupport (= 3.0.17)
+      rake (>= 0.8.7)
+      rdoc (~> 3.4)
+      thor (~> 0.14.4)
+    rake (10.0.1)
+    rdoc (3.12)
+      json (~> 1.4)
+    thor (0.14.6)
+    tzinfo (0.3.35)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  actionpack (~> 3.0.0)
+  activemodel (~> 3.0.0)
+  mocha (~> 0.12.0)
+  railties (~> 3.0.0)
+  rake
+  strong_parameters!

data/test/gemfiles/Gemfile.rails-3.1.x

@@ -0,0 +1,6 @@
+source :rubygems
+gemspec :path => "./../.."
+
+gem "actionpack", "~> 3.1.0"
+gem "railties", "~> 3.1.0"
+gem "activemodel", "~> 3.1.0"

data/test/gemfiles/Gemfile.rails-3.2.x

@@ -0,0 +1,6 @@
+source :rubygems
+gemspec :path => "./../.."
+
+gem "actionpack", "~> 3.2.0"
+gem "railties", "~> 3.2.0"
+gem "activemodel", "~> 3.2.0"

data/test/log_on_unpermitted_params_test.rb

@@ -0,0 +1,50 @@
+require 'test_helper'
+require 'action_controller/parameters'
+
+class LogOnUnpermittedParamsTest < ActiveSupport::TestCase
+  def setup
+    ActionController::Parameters.action_on_unpermitted_parameters = :log
+  end
+
+  def teardown
+    ActionController::Parameters.action_on_unpermitted_parameters = false
+  end
+
+  test "logs on unexpected params" do
+    params = ActionController::Parameters.new({
+      :book => { :pages => 65 },
+      :fishing => "Turnips"
+    })
+
+    assert_logged("Unpermitted parameters: fishing") do
+      params.permit(:book => [:pages])
+    end
+  end
+
+  test "logs on unexpected nested params" do
+    params = ActionController::Parameters.new({
+      :book => { :pages => 65, :title => "Green Cats and where to find then." }
+    })
+
+    assert_logged("Unpermitted parameters: title") do
+      params.permit(:book => [:pages => Numeric])
+    end
+  end
+
+  private
+
+  def assert_logged(message)
+    old_logger = ActionController::Base.logger
+    log = StringIO.new
+    ActionController::Base.logger = Logger.new(log)
+
+    begin
+      yield
+
+      log.rewind
+      assert_match message, log.read
+    ensure
+      ActionController::Base.logger = old_logger
+    end
+  end
+end

data/test/multi_parameter_attributes_test.rb

@@ -0,0 +1,38 @@
+require 'test_helper'
+require 'action_controller/parameters'
+
+class MultiParameterAttributesTest < ActiveSupport::TestCase
+  test "permitted multi-parameter attribute keys" do
+    params = ActionController::Parameters.new({
+      :book => {
+        "shipped_at(1i)"   => "2012",
+        "shipped_at(2i)"   => "3",
+        "shipped_at(3i)"   => "25",
+        "shipped_at(4i)"   => "10",
+        "shipped_at(5i)"   => "15",
+        "published_at(1i)" => "1999",
+        "published_at(2i)" => "2",
+        "published_at(3i)" => "5",
+        "price(1)"         => "R$",
+        "price(2f)"        => "2.02"
+      }
+    })
+    permitted = params.permit :book => [ :shipped_at, :price ]
+
+    assert permitted.permitted?
+
+    assert_equal "2012", permitted[:book]["shipped_at(1i)"]
+    assert_equal "3", permitted[:book]["shipped_at(2i)"]
+    assert_equal "25", permitted[:book]["shipped_at(3i)"]
+    assert_equal "10", permitted[:book]["shipped_at(4i)"]
+    assert_equal "15", permitted[:book]["shipped_at(5i)"]
+
+    assert_equal "R$", permitted[:book]["price(1)"]
+    assert_equal "2.02", permitted[:book]["price(2f)"]
+
+    assert_nil permitted[:book]["published_at(1i)"]
+    assert_nil permitted[:book]["published_at(2i)"]
+    assert_nil permitted[:book]["published_at(3i)"]
+  end
+end
+

data/test/parameters_permit_test.rb

@@ -0,0 +1,264 @@
+require 'test_helper'
+require 'action_controller/parameters'
+require 'action_dispatch/http/upload'
+
+class NestedParametersTest < ActiveSupport::TestCase
+  def assert_filtered_out(params, key)
+    assert !params.has_key?(key), "key #{key.inspect} has not been filtered out"
+  end
+
+  #
+  # --- Basic interface --------------------------------------------------------
+  #
+
+  # --- nothing ----------------------------------------------------------------
+
+  test 'if nothing is permitted, the hash becomes empty' do
+    params = ActionController::Parameters.new(:id => '1234')
+    permitted = params.permit
+    permitted.permitted?
+    permitted.empty?
+  end
+
+  # --- key --------------------------------------------------------------------
+
+  test 'key: unexpected types are filtered out' do
+    params = ActionController::Parameters.new(:id => 1234, :token => 0)
+    permitted = params.permit(:id => Numeric, :token => String)
+    assert_equal 1234, permitted[:id]
+    assert_filtered_out permitted, :token
+  end
+
+  test 'key: unknown keys are filtered out' do
+    params = ActionController::Parameters.new(:id => '1234', :injected => 'injected')
+    permitted = params.permit(:id)
+    assert_equal '1234', permitted[:id]
+    assert_filtered_out permitted, :injected
+  end
+
+  test 'key: arrays are filtered out' do
+    [[], [1], ['1']].each do |array|
+      params = ActionController::Parameters.new(:id => array)
+      permitted = params.permit(:id)
+      assert_filtered_out permitted, :id
+
+      %w(i f).each do |suffix|
+        params = ActionController::Parameters.new("foo(000#{suffix})" => array)
+        permitted = params.permit(:foo)
+        assert_filtered_out permitted, "foo(000#{suffix})"
+      end
+    end
+  end
+
+  test 'key: hashes are filtered out' do
+    [{}, {:foo => 1}, {:foo => 'bar'}].each do |hash|
+      params = ActionController::Parameters.new(:id => hash)
+      permitted = params.permit(:id)
+      assert_filtered_out permitted, :id
+
+      %w(i f).each do |suffix|
+        params = ActionController::Parameters.new("foo(000#{suffix})" => hash)
+        permitted = params.permit(:foo)
+        assert_filtered_out permitted, "foo(000#{suffix})"
+      end
+    end
+  end
+
+  test 'key: non-permitted scalar values are filtered out' do
+    params = ActionController::Parameters.new(:id => Object.new)
+    permitted = params.permit(:id)
+    assert_filtered_out permitted, :id
+
+    %w(i f).each do |suffix|
+      params = ActionController::Parameters.new("foo(000#{suffix})" => Object.new)
+      permitted = params.permit(:foo)
+      assert_filtered_out permitted, "foo(000#{suffix})"
+    end
+  end
+
+  test 'key: Boolean matches only true and false' do
+    params = ActionController::Parameters.new(:happy => true)
+    permitted = params.permit(:happy => Boolean)
+    assert_equal true, permitted[:happy]
+
+    params = ActionController::Parameters.new(:happy => false)
+    permitted = params.permit(:happy => Boolean)
+    assert_equal false, permitted[:happy]
+
+    params = ActionController::Parameters.new(:happy => Object.new)
+    permitted = params.permit(:happy => Boolean)
+    assert_filtered_out permitted, :happy
+
+  end
+
+  test 'key: it is not assigned if not present in params' do
+    params = ActionController::Parameters.new(:name => 'Joe')
+    permitted = params.permit(:id)
+    assert !permitted.has_key?(:id)
+  end
+
+  #
+  # --- Nesting ----------------------------------------------------------------
+  #
+
+  test "permitted nested parameters" do
+    params = ActionController::Parameters.new({
+      :book => {
+        :title => "Romeo and Juliet",
+        :authors => [{
+          :name => "William Shakespeare",
+          :born => "1564-04-26"
+        }, {
+          :name => "Christopher Marlowe"
+        }, {
+          :name => %w(malicious injected names)
+        }],
+        :details => {
+          :pages => 200,
+          :genre => "Tragedy"
+        }
+      },
+      :magazine => "Mjallo!"
+    })
+
+    permitted = params.permit :book => [ :title, { :authors => [ :name ] }, { :details => {:pages => Numeric} } ]
+
+    assert permitted.permitted?
+    assert_equal "Romeo and Juliet", permitted[:book][:title]
+    assert_equal "William Shakespeare", permitted[:book][:authors][0][:name]
+    assert_equal "Christopher Marlowe", permitted[:book][:authors][1][:name]
+    assert_equal 200, permitted[:book][:details][:pages]
+
+    assert_filtered_out permitted[:book][:authors][2], :name
+
+    assert_filtered_out permitted, :magazine
+    assert_filtered_out permitted[:book][:details], :genre
+    assert_filtered_out permitted[:book][:authors][0], :born
+  end
+
+  test "permitted nested parameters with a string or a symbol as a key" do
+    params = ActionController::Parameters.new({
+      :book => {
+        'authors' => [
+          { :name => "William Shakespeare", :born => "1564-04-26" },
+          { :name => "Christopher Marlowe" }
+        ]
+      }
+    })
+
+    permitted = params.permit :book => [ { 'authors' => [ :name ] } ]
+
+    assert_equal "William Shakespeare", permitted[:book]['authors'][0][:name]
+    assert_equal "William Shakespeare", permitted[:book][:authors][0][:name]
+    assert_equal "Christopher Marlowe", permitted[:book]['authors'][1][:name]
+    assert_equal "Christopher Marlowe", permitted[:book][:authors][1][:name]
+
+    permitted = params.permit :book => [ { :authors => [ :name ] } ]
+
+    assert_equal "William Shakespeare", permitted[:book]['authors'][0][:name]
+    assert_equal "William Shakespeare", permitted[:book][:authors][0][:name]
+    assert_equal "Christopher Marlowe", permitted[:book]['authors'][1][:name]
+    assert_equal "Christopher Marlowe", permitted[:book][:authors][1][:name]
+  end
+
+  test "nested arrays with strings" do
+    params = ActionController::Parameters.new({
+      :book => {
+        :genres => ["Tragedy"]
+      }
+    })
+
+    permitted = params.permit :book => {:genres => [String]}
+    assert_equal ["Tragedy"], permitted[:book][:genres]
+  end
+
+  test "permit may specify symbols or strings" do
+    params = ActionController::Parameters.new({
+      :book => {
+        :title => "Romeo and Juliet",
+        :author => "William Shakespeare"
+      },
+      :magazine => "Shakespeare Today"
+    })
+
+    permitted = params.permit({ :book => ["title", :author] }, "magazine")
+    assert_equal "Romeo and Juliet", permitted[:book][:title]
+    assert_equal "William Shakespeare", permitted[:book][:author]
+    assert_equal "Shakespeare Today", permitted[:magazine]
+  end
+
+  test "nested array with strings that should be hashes" do
+    params = ActionController::Parameters.new({
+      :book => {
+        :genres => ["Tragedy"]
+      }
+    })
+
+    permitted = params.permit :book => { :genres => :type }
+    assert permitted[:book][:genres].empty?
+  end
+
+  test "nested array with strings that should be hashes and additional values" do
+    params = ActionController::Parameters.new({
+      :book => {
+        :title => "Romeo and Juliet",
+        :genres => ["Tragedy"]
+      }
+    })
+
+    permitted = params.permit :book => [ :title, { :genres => :type } ]
+    assert_equal "Romeo and Juliet", permitted[:book][:title]
+    assert permitted[:book][:genres].empty?
+  end
+
+  test "nested string that should be a hash" do
+    params = ActionController::Parameters.new({
+      :book => {
+        :genre => "Tragedy"
+      }
+    })
+
+    permitted = params.permit :book => { :genre => :type }
+    assert_nil permitted[:book][:genre]
+  end
+
+  test "fields_for_style_nested_params" do
+    params = ActionController::Parameters.new({
+      :book => {
+        :authors_attributes => {
+          :'0' => { :name => 'William Shakespeare', :age_of_death => '52' },
+          :'1' => { :name => 'Unattributed Assistant' },
+          :'2' => { :name => %w(injected names)}
+        }
+      }
+    })
+    permitted = params.permit :book => { :authors_attributes => [ :name ] }
+
+    assert_not_nil permitted[:book][:authors_attributes]['0']
+    assert_not_nil permitted[:book][:authors_attributes]['1']
+    assert permitted[:book][:authors_attributes]['2'].empty?
+    assert_equal 'William Shakespeare', permitted[:book][:authors_attributes]['0'][:name]
+    assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['1'][:name]
+
+    assert_filtered_out permitted[:book][:authors_attributes]['0'], :age_of_death
+  end
+
+  test "fields_for_style_nested_params with negative numbers" do
+    params = ActionController::Parameters.new({
+      :book => {
+        :authors_attributes => {
+          :'-1' => { :name => 'William Shakespeare', :age_of_death => '52' },
+          :'-2' => { :name => 'Unattributed Assistant' }
+        }
+      }
+    })
+    permitted = params.permit :book => { :authors_attributes => [:name] }
+
+    assert_not_nil permitted[:book][:authors_attributes]['-1']
+    assert_not_nil permitted[:book][:authors_attributes]['-2']
+    assert_equal 'William Shakespeare', permitted[:book][:authors_attributes]['-1'][:name]
+    assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['-2'][:name]
+
+    assert_filtered_out permitted[:book][:authors_attributes]['-1'], :age_of_death
+  end
+end