trusted_attributes 0.1.0

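--- a/data/.gitignore
+++ b/data/.gitignore
@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp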
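--- a/data/Gemfile
+++ b/data/Gemfile
@@ -0,0 +1,4 @@
+source 'http://rubygems.org'
+
+# Specify your gem's dependencies in trusted_attributes.gemspec
+gemspec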
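Review bot: The `source` line resolves and fetches gems over plain `http://rubygems.org`, so the dependency set this gem builds against can be altered in transit; it should be `source 'https://rubygems.org'`. The `gemspec` directive below it is unaffected by the change, since only the index and download transport differ.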
data/README.md ADDED
@@ -0,0 +1,91 @@
1
+ # Trusted Attributes
2
+
3
+ This module adds the `attributes` method to controllers which makes it possible
4
+ to do mass assignment, while making sure that only trusted attributes are
5
+ updated. In effect it moves mass assignment protection to the controller.
6
+
7
+ Add the gem to your Gemfile:
8
+
9
+ ```
10
+ gem "trusted_attributes"
11
+ ```
12
+
13
+ Include it in your application controller:
14
+
15
+ ```
16
+ class ApplicationController < ActionController::Base
17
+ include TrustedAttributes
18
+ end
19
+ ```
20
+
21
+ Whenever you would normally assign a hash from params, use `attributes`
22
+ instead. For example:
23
+
24
+ ``` ruby
25
+ def create
26
+ @realm = Realm.new(attributes)
27
+ if @realm.save
28
+ redirect_to @realm
29
+ else
30
+ render :new
31
+ end
32
+ end
33
+ ```
34
+
35
+ To mark attributes as trusted, you can use the `trust` class method:
36
+
37
+ ``` ruby
38
+ class RealmsController < ApplicationController
39
+ trust :name, :max_data, :max_time
40
+
41
+ def create
42
+ @realm = Realm.new(attributes)
43
+ ...
44
+ end
45
+ end
46
+ ```
47
+
48
+ You can also use the instance method `trust`, for example if different users
49
+ have access to different attributes:
50
+
51
+ ``` ruby
52
+ class RealmsController < ApplicationController
53
+ trust :name, :max_data, :max_time
54
+
55
+ def create
56
+ trust :global if current_user.admin?
57
+ @realm = Realm.new(attributes)
58
+ ...
59
+ end
60
+ end
61
+ ```
62
+
63
+ When not running in production mode, an error will be raised when non trusted
64
+ attributes are sent, in production mode, the non trusted attributes are
65
+ silently ignored.
66
+
67
+ ## License
68
+
69
+ (The MIT License)
70
+
71
+ Copyright (c) 2012 Ivan Navarrete and Jonas Nicklas
72
+
73
+ Permission is hereby granted, free of charge, to any person obtaining
74
+ a copy of this software and associated documentation files (the
75
+ 'Software'), to deal in the Software without restriction, including
76
+ without limitation the rights to use, copy, modify, merge, publish,
77
+ distribute, sublicense, and/or sell copies of the Software, and to
78
+ permit persons to whom the Software is furnished to do so, subject to
79
+ the following conditions:
80
+
81
+ The above copyright notice and this permission notice shall be
82
+ included in all copies or substantial portions of the Software.
83
+
84
+ THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
85
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
86
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
87
+ IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
88
+ CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
89
+ TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
90
+ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
91
+ Vimium has been updated to 1.32.x
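--- a/data/Rakefile
+++ b/data/Rakefile
@@ -0,0 +1,2 @@
+#!/usr/bin/env rake
+require "bundler/gem_tasks"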
@@ -0,0 +1,52 @@
1
+ require "trusted_attributes/version"
2
+
3
+ module TrustedAttributes
4
+ class UntrustedAttributesError < StandardError
5
+ def initialize(diff)
6
+ @diff = diff
7
+ end
8
+
9
+ def message
10
+ list = @diff.map { |attr| ":#{attr}" }.join(', ')
11
+ "Some attributes that were sent are not trusted. Mark them as trusted by setting `trust #{list}`"
12
+ end
13
+ end
14
+
15
+ def self.included(base)
16
+ base.hide_action :accessible_attributes
17
+ base.extend ClassMethods
18
+ super
19
+ end
20
+
21
+ module ClassMethods
22
+ def trust(*attributes)
23
+ before_filter do |controller|
24
+ controller.accessible_attributes.concat(attributes)
25
+ end
26
+ end
27
+ end
28
+
29
+ def accessible_attributes
30
+ @_accessible_attributes ||= []
31
+ end
32
+
33
+ private
34
+
35
+ def trust(*attributes)
36
+ accessible_attributes.concat(attributes)
37
+ end
38
+
39
+ def attributes
40
+ # Be helpful and raise an exception when non trusted attributes are sent
41
+ unless Rails.env.production?
42
+ diff = params[attributes_key].keys.map(&:to_sym) - accessible_attributes
43
+ raise UntrustedAttributesError.new(diff) unless diff.empty?
44
+ end
45
+
46
+ params[attributes_key].slice(*accessible_attributes)
47
+ end
48
+
49
+ def attributes_key
50
+ params["controller"].split('/').last.singularize
51
+ end
52
+ end
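Review bot: `attributes` reads `params[attributes_key]` twice without guarding against a request that carries nothing under that key, so a missing value raises NoMethodError on `.keys` (non-production) or `.slice` (production) instead of yielding an empty attribute hash. Bind it once with a default, `source = params[attributes_key] || {}`, then `diff = source.keys.map(&:to_sym) - accessible_attributes` and `source.slice(*accessible_attributes)`; a non-hash value (a client sending a bare string under that key) would presumably still need a separate check. Note also that `slice` filters only the top level: a trusted attribute whose value is itself a hash is passed through with every nested key intact, which is worth stating in the comment above `attributes` so callers do not assume nested params are whitelisted as well. The `unless Rails.env.production?` branch means every non-production environment raises on untrusted keys while production silently drops them; a one-line comment naming that asymmetry next to the check would help the next reader.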
@@ -0,0 +1,3 @@
1
+ module TrustedAttributes
2
+ VERSION = "0.1.0"
3
+ end
@@ -0,0 +1,19 @@
1
+ # -*- encoding: utf-8 -*-
2
+ require File.expand_path('../lib/trusted_attributes/version', __FILE__)
3
+
4
+ Gem::Specification.new do |gem|
5
+ gem.authors = ["Ivan Navarrete and Jonas Nicklas"]
6
+ gem.email = ["dev@elabs.se"]
7
+ gem.description = %q{Mass assignment security in your controller, yo}
8
+ gem.summary = %q{Mass assignment security in your controller}
9
+ gem.homepage = ""
10
+
11
+ gem.executables = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
12
+ gem.files = `git ls-files`.split("\n")
13
+ gem.test_files = `git ls-files -- {test,spec,features}/*`.split("\n")
14
+ gem.name = "trusted_attributes"
15
+ gem.require_paths = ["lib"]
16
+ gem.version = TrustedAttributes::VERSION
17
+
18
+ gem.add_runtime_dependency "rails", ["~> 3.0"]
19
+ end
metadata ADDED
@@ -0,0 +1,64 @@
1
+ --- !ruby/object:Gem::Specification
2
+ name: trusted_attributes
3
+ version: !ruby/object:Gem::Version
4
+ version: 0.1.0
5
+ prerelease:
6
+ platform: ruby
7
+ authors:
8
+ - Ivan Navarrete and Jonas Nicklas
9
+ autorequire:
10
+ bindir: bin
11
+ cert_chain: []
12
+ date: 2012-03-06 00:00:00.000000000 Z
13
+ dependencies:
14
+ - !ruby/object:Gem::Dependency
15
+ name: rails
16
+ requirement: &2169305900 !ruby/object:Gem::Requirement
17
+ none: false
18
+ requirements:
19
+ - - ~>
20
+ - !ruby/object:Gem::Version
21
+ version: '3.0'
22
+ type: :runtime
23
+ prerelease: false
24
+ version_requirements: *2169305900
25
+ description: Mass assignment security in your controller, yo
26
+ email:
27
+ - dev@elabs.se
28
+ executables: []
29
+ extensions: []
30
+ extra_rdoc_files: []
31
+ files:
32
+ - .gitignore
33
+ - Gemfile
34
+ - README.md
35
+ - Rakefile
36
+ - lib/trusted_attributes.rb
37
+ - lib/trusted_attributes/version.rb
38
+ - trusted_attributes.gemspec
39
+ homepage: ''
40
+ licenses: []
41
+ post_install_message:
42
+ rdoc_options: []
43
+ require_paths:
44
+ - lib
45
+ required_ruby_version: !ruby/object:Gem::Requirement
46
+ none: false
47
+ requirements:
48
+ - - ! '>='
49
+ - !ruby/object:Gem::Version
50
+ version: '0'
51
+ required_rubygems_version: !ruby/object:Gem::Requirement
52
+ none: false
53
+ requirements:
54
+ - - ! '>='
55
+ - !ruby/object:Gem::Version
56
+ version: '0'
57
+ requirements: []
58
+ rubyforge_project:
59
+ rubygems_version: 1.8.10
60
+ signing_key:
61
+ specification_version: 3
62
+ summary: Mass assignment security in your controller
63
+ test_files: []
64
+ has_rdoc: