lib/param_protected/constants.rb lib/param_protected/controller_modifications.rb lib/param_protected/meta_class.rb lib/param_protected/protector.rb test/protector_test.rb @@ -1,3 +1,8 @@ +09/12/2009 +---------- +* Restructured and reorganized. Now the majority of the work is done in the Protector class. This minimizes the amount of methods / instance variables that clutter the controllers. +* The filtering is done in ActionController::Base#params now, instead of as a before filter. This eliminates the caveat of before filters declared after param_protected/param_accessible calls having access to the unprotected params. + 09/11/2009 ---------- * Refactored tests to use plugin_test_helper. CHANGELOG @@ -1,6 +1,14 @@ = Summary This plugin provides two class methods on <tt>ActiveController::Base</tt> that filter the <tt>params</tt> hash for that controller's actions. You can think of them as the controller analog of <tt>attr_protected</tt> and <tt>attr_accessible</tt>. += Installation + +Put in your <tt>environment.rb</tt> file... + + config.gem "cjbottaro-param_protected", :lib => "param_protected", :source => "http://gems.github.com" + +Alternatively, just install the gem from the command line and <tt>require "param_protected"</tt> somewhere in your project. + = Usage class YourController < ActiveController::Base param_protected <param_name> <options> @@ -29,13 +37,13 @@ Any of these combinations should work. param_accessible :client_id, :except => [:your_action, :my_action] == Nested Params -You can use combinations of arrays and hashes to specify nested params, much the same way ActiveRecord::Base#find's -:include argument works. +You can use combinations of arrays and hashes to specify nested params, much the same way <tt>ActiveRecord::Base#find</tt>'s +<tt>:include</tt> argument works. param_accessible [:account_name, { :user => [:first_name, :last_name, :address => [:street, :city, :state]] }] param_protected [:id, :password, { :user => [:id, :password] }] -== Caveats -Both <tt>param_protected</tt> and <tt>param_accessible</tt> are really just calls to <tt>prepend_before_filter</tt>. Thus any methods in your filter chain that run before either of these methods will have full access to the <em>unprotected</em> <tt>params</tt> Hash. += How does it work? +It does an <tt>alias_method_chain</tt> on <tt>ActionController::Base#params</tt> that filters (and caches) the params. You can get the unfiltered, pristine params by calling <tt>ActionController::Base#params_without_protection</tt>. = Author Christopher J. Bottaro \ No newline at end of file README.rdoc @@ -31,6 +31,6 @@ Rake::RDocTask.new(:rdoc) do |rdoc| rdoc.rdoc_dir = 'rdoc' rdoc.title = 'ParamProtected' rdoc.options << '--line-numbers' << '--inline-source' - rdoc.rdoc_files.include('README') + rdoc.rdoc_files.include('README.rdoc') rdoc.rdoc_files.include('lib/**/*.rb') end Rakefile @@ -1,121 +1,6 @@ -# paramProtected +require "param_protected/meta_class" +require "param_protected/constants" +require "param_protected/protector" +require "param_protected/controller_modifications" -module Cjbottaro - - module ParamProtected - - def self.extended(klass) - klass.class_eval do - include InstanceMethods - end - end - - def param_protected(params, actions = nil) - Helpers.init_storage(self) - params = Helpers.normalize_params(params) - actions = Helpers.normalize_actions(actions) - self.pp_protected << [params, actions] - skip_before_filter :do_param_protected - prepend_before_filter :do_param_protected - end - - def param_accessible(params, actions = nil) - Helpers.init_storage(self) - params = Helpers.normalize_params(params) - actions = Helpers.normalize_actions(actions) - self.pp_accessible << [params, actions] - skip_before_filter :do_param_accessible - prepend_before_filter :do_param_accessible - end - - module InstanceMethods - - def do_param_protected - self.class.pp_protected.each do |protected_params, actions| - scope, actions = actions.first, actions[1..-1] - Helpers.do_param_protected(protected_params, self.params) \ - if Helpers.action_matches?(scope, actions, self.action_name) - end - end - - def do_param_accessible - self.class.pp_accessible.each do |accessible_params, actions| - scope, actions = actions.first, actions[1..-1] - Helpers.do_param_accessible(accessible_params, self.params) \ - if Helpers.action_matches?(scope, actions, self.action_name) - end - end - - end - - module Helpers - - def self.init_storage(klass) - class << klass - attr_accessor :pp_protected, :pp_accessible - end - klass.pp_protected = [] if klass.pp_protected.nil? - klass.pp_accessible = [] if klass.pp_accessible.nil? - end - - def self.normalize_params(params, params_out = {}) - if params.instance_of?(Array) - params.each{ |param| normalize_params(param, params_out) } - elsif params.instance_of?(Hash) - params.each do |k, v| - k = k.to_s - params_out[k] = {} - normalize_params(v, params_out[k]) - end - else - params_out[params.to_s] = nil - end - params_out - end - - def self.normalize_actions(actions) - error_message = "invalid actions, use :only => ..., :except => ..., or nil" - return [:except, nil] if actions.blank? - raise ArgumentError, error_message unless actions.instance_of?(Hash) - raise ArgumentError, error_message unless actions.length == 1 - raise ArgumentError, error_message unless [:only, :except].include?(actions.keys.first) - - scope, actions = actions.keys.first, actions.values.first - actions = [actions] unless actions.instance_of?(Array) - actions = actions.collect{ |action| action.to_s } - [scope, *actions] - end - - def self.action_matches?(scope, valid_actions, action_name) - if scope == :only - valid_actions.include?(action_name) - elsif scope == :except - !valid_actions.include?(action_name) - else - raise ArgumentError, "unexpected scope (#{scope}), expected :only or :except" - end - end - - def self.do_param_protected(protected_params, params) - return unless params.kind_of?(Hash) - return if protected_params.nil? - params.delete_if{ |k, v| protected_params.has_key?(k) and protected_params[k].nil? } - params.each{ |k, v| do_param_protected(protected_params[k], v) } - params - end - - def self.do_param_accessible(accessible_params, params) - return unless params.kind_of?(Hash) - return if accessible_params.nil? - params.delete_if{ |k, v| !accessible_params.has_key?(k) } - params.each{ |k, v| do_param_accessible(accessible_params[k], v) } - params - end - - end - - end - -end - -ActionController::Base.extend Cjbottaro::ParamProtected \ No newline at end of file +ActionController::Base.extend(ParamProtected::ControllerModifications) \ No newline at end of file lib/param_protected.rb test/app_root/log/in_memory.log test/helpers_test.rb 4cab0dc5e68e8c6d20d24a3fc8f258bfd860b80a cjbottaro cjbottaro@alumni.cs.utexas.edu http://github.com/cjbottaro/param_protected/commit/1f4327a1cfda116d47db96406d83a0fba870f459 1f4327a1cfda116d47db96406d83a0fba870f459 2009-09-12T12:43:51-07:00 2009-09-12T12:43:51-07:00 Refactored bulk of the implementation into the Protector class. Moved filtering of params from a before_filter implementation to alias method chaining ActionController::Base#params. 83e2d3ae06a2e5e17f06cc5b7407d45be15370e6 cjbottaro cjbottaro@alumni.cs.utexas.edu