trusted_attributes 0.1.0

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/Gemfile

@@ -0,0 +1,4 @@
+source 'http://rubygems.org'
+
+# Specify your gem's dependencies in trusted_attributes.gemspec
+gemspec

data/README.md

@@ -0,0 +1,91 @@
+# Trusted Attributes
+
+This module adds the `attributes` method to controllers which makes it possible
+to do mass assignment, while making sure that only trusted attributes are
+updated. In effect it moves mass assignment protection to the controller.
+
+Add the gem to your Gemfile:
+
+```
+gem "trusted_attributes"
+```
+
+Include it in your application controller:
+
+```
+class ApplicationController < ActionController::Base
+  include TrustedAttributes
+end
+```
+
+Whenever you would normally assign a hash from params, use `attributes`
+instead.  For example:
+
+``` ruby
+def create
+  @realm = Realm.new(attributes)
+  if @realm.save
+    redirect_to @realm
+  else
+    render :new
+  end
+end
+```
+
+To mark attributes as trusted, you can use the `trust` class method:
+
+``` ruby
+class RealmsController < ApplicationController
+  trust :name, :max_data, :max_time
+
+  def create
+    @realm = Realm.new(attributes)
+    ...
+  end
+end
+```
+
+You can also use the instance method `trust`, for example if different users
+have access to different attributes:
+
+``` ruby
+class RealmsController < ApplicationController
+  trust :name, :max_data, :max_time
+
+  def create
+    trust :global if current_user.admin?
+    @realm = Realm.new(attributes)
+    ...
+  end
+end
+```
+
+When not running in production mode, an error will be raised when non trusted
+attributes are sent, in production mode, the non trusted attributes are
+silently ignored.
+
+## License
+
+(The MIT License)
+
+Copyright (c) 2012 Ivan Navarrete and Jonas Nicklas
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+'Software'), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+Vimium has been updated to 1.32.x

data/Rakefile

@@ -0,0 +1,2 @@
+#!/usr/bin/env rake
+require "bundler/gem_tasks"

data/lib/trusted_attributes.rb

@@ -0,0 +1,52 @@
+require "trusted_attributes/version"
+
+module TrustedAttributes
+  class UntrustedAttributesError < StandardError
+    def initialize(diff)
+      @diff = diff
+    end
+
+    def message
+      list = @diff.map { |attr| ":#{attr}" }.join(', ')
+      "Some attributes that were sent are not trusted. Mark them as trusted by setting `trust #{list}`"
+    end
+  end
+
+  def self.included(base)
+    base.hide_action :accessible_attributes
+    base.extend ClassMethods
+    super
+  end
+
+  module ClassMethods
+    def trust(*attributes)
+      before_filter do |controller|
+        controller.accessible_attributes.concat(attributes)
+      end
+    end
+  end
+
+  def accessible_attributes
+    @_accessible_attributes ||= []
+  end
+
+private
+
+  def trust(*attributes)
+    accessible_attributes.concat(attributes)
+  end
+
+  def attributes
+    # Be helpful and raise an exception when non trusted attributes are sent
+    unless Rails.env.production?
+      diff = params[attributes_key].keys.map(&:to_sym) - accessible_attributes
+      raise UntrustedAttributesError.new(diff) unless diff.empty?
+    end
+
+    params[attributes_key].slice(*accessible_attributes)
+  end
+
+  def attributes_key
+    params["controller"].split('/').last.singularize
+  end
+end

data/lib/trusted_attributes/version.rb

@@ -0,0 +1,3 @@
+module TrustedAttributes
+  VERSION = "0.1.0"
+end

data/trusted_attributes.gemspec

@@ -0,0 +1,19 @@
+# -*- encoding: utf-8 -*-
+require File.expand_path('../lib/trusted_attributes/version', __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.authors       = ["Ivan Navarrete and Jonas Nicklas"]
+  gem.email         = ["dev@elabs.se"]
+  gem.description   = %q{Mass assignment security in your controller, yo}
+  gem.summary       = %q{Mass assignment security in your controller}
+  gem.homepage      = ""
+
+  gem.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  gem.files         = `git ls-files`.split("\n")
+  gem.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  gem.name          = "trusted_attributes"
+  gem.require_paths = ["lib"]
+  gem.version       = TrustedAttributes::VERSION
+
+  gem.add_runtime_dependency "rails", ["~> 3.0"]
+end

metadata

@@ -0,0 +1,64 @@
+--- !ruby/object:Gem::Specification
+name: trusted_attributes
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+  prerelease: 
+platform: ruby
+authors:
+- Ivan Navarrete and Jonas Nicklas
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-03-06 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: &2169305900 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *2169305900
+description: Mass assignment security in your controller, yo
+email:
+- dev@elabs.se
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- README.md
+- Rakefile
+- lib/trusted_attributes.rb
+- lib/trusted_attributes/version.rb
+- trusted_attributes.gemspec
+homepage: ''
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.10
+signing_key: 
+specification_version: 3
+summary: Mass assignment security in your controller
+test_files: []
+has_rdoc: