Fork of wycats/merb-plugins
Description: Merb Plugins: Even more modules to hook up your Merb installation
Homepage: http://www.merbivore.com
Clone URL: git://github.com/joe/merb-plugins.git
merb-plugins / merb_param_protection
README
merb_param_protection
=================

This plugin exposes three new controller methods which allow us to simply and flexibly filter the parameters available 
within the controller.

Setup:
The request sets: 

  params => { :post => { :title => "ello", :body => "Want it", :status => "green", :author_id => 3, :rank => 4 } }

  Example 1: params_accessible
  class MyController < Application
    params_accessible :post => [:title, :body]
  end

  params.inspect # => { :post => { :title => "ello", :body => "Want it" } }

So we see that params_accessible removes everything except what is explicitly specified (an allowlist).

  Example 2: params_protected
  class MyOtherController < Application
    params_protected :post => [:status, :author_id]
  end

  params.inspect # => { :post => { :title => "ello", :body => "Want it", :rank => 4 } }

We also see that params_protected removes ONLY those parameters explicitly specified (a denylist); anything not listed, such as :rank here, passes through.

Sometimes you have certain post parameters, such as passwords, that are best left unlogged; we support that too.  Your
actions continue to receive the variable correctly, but the requested parameters are scrubbed
at log time.

  class MySuperDuperController < Application
    log_params_filtered :password
  end
  
  params.inspect # => { :username => 'atmos', :password => '[FILTERED]' }
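The three behaviours above, re-implemented as a stand-alone Ruby script so the allowlist, denylist and log-scrubbing semantics can be compared on the README's sample request. This is an added example, not the plugin's own code; the helper names and the :username/:password keys added to the request are constructed for illustration.

```ruby
# Constructed request: the README's :post hash plus login fields.
REQUEST_PARAMS = {
  :post => { :title => "ello", :body => "Want it", :status => "green",
             :author_id => 3, :rank => 4 },
  :username => "atmos", :password => "secret"
}

# params_accessible semantics (allowlist): for each listed key, keep ONLY
# the named sub-keys. Unlisted top-level keys are passed through untouched.
def params_accessible(params, rules)
  params.each_with_object({}) do |(key, value), out|
    if rules.key?(key) && value.is_a?(Hash)
      out[key] = value.select { |k, _| rules[key].include?(k) }
    else
      out[key] = value
    end
  end
end

# params_protected semantics (denylist): drop ONLY the named sub-keys.
# Anything not listed (e.g. :rank) survives, which is why the allowlist
# form is the safer default when new attributes get added later.
def params_protected(params, rules)
  params.each_with_object({}) do |(key, value), out|
    if rules.key?(key) && value.is_a?(Hash)
      out[key] = value.reject { |k, _| rules[key].include?(k) }
    else
      out[key] = value
    end
  end
end

# log_params_filtered semantics: the action still sees the real value;
# only the copy handed to the logger has it replaced by '[FILTERED]'.
# Recurses so nested hashes are scrubbed as well.
def params_for_log(params, filtered)
  params.each_with_object({}) do |(key, value), out|
    out[key] = if filtered.include?(key) then "[FILTERED]"
               elsif value.is_a?(Hash) then params_for_log(value, filtered)
               else value
               end
  end
end

if __FILE__ == $0
  p params_accessible(REQUEST_PARAMS, :post => [:title, :body])[:post]
  p params_protected(REQUEST_PARAMS, :post => [:status, :author_id])[:post]
  p params_for_log(REQUEST_PARAMS, [:password])
end
```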