@@ -1,3 +1,9 @@ +03/17/2009 +---------- +* more sane way to specify nested parameters (honestly, I don't know what I was thinking before) +* the old method of specifying nested parameters ("user/first_name", "user/last_name") DOES NOT WORK ANYMORE. +* changed param_protected/param_accessible's :exclude argument to :except to better fit in with Rails + 07/16/2008 ---------- * rewrote the entire plugin (it should actually work now) \ No newline at end of file CHANGELOG @@ -25,44 +25,20 @@ Any of these combinations should work. param_protected :client_id param_protected [:client_id, :user_id] param_protected :client_id, :only => 'my_action' - param_protected :client_id, :exclude => [:your_action, :my_action] + param_protected :client_id, :except => [:your_action, :my_action] == Whitelisting Any of these combinations should work. param_accessible :client_id param_accessible :[:client_id, :user_id] param_accessible :client_id, :only => 'my_action' - param_accessible :client_id, :exclude => [:your_action, :my_action] + param_accessible :client_id, :except => [:your_action, :my_action] == Nested Params -There is a language to protect nested params, but it has some caveats. - - param_protected 'user/fname' -<tt>params[:user][:fname]</tt> will be removed, but <tt>params[:user][:client_id]</tt> won't (or anything else for that matter.) - - param_protected 'user' -This works as expected... it removes <tt>params[:user]</tt>, even if it is a Hash. - - param_accessible 'user/fname' -This will filter <tt>params[:user][:lname]</tt> and anything that is not <tt>params[:user][:fname]</tt>. - - param_accessible 'user' -This has no effect if <tt>params[:user]</tt> is a Hash. - -== Array Params -If you have an array of params like - params[:person][:nicknames][0] - params[:person][:nicknames][1] - ... - params[:person][:nicknames][n] - -You can remove all of them by saying - param_protected 'person/nicknames' - -<tt>param_accessible</tt> also works with array params. +You can use combinations of arrays and hashes to specify nested params, much the same way ActiveRecord::Base#find's +:include argument works. + param_accessible [:account_name, :user => [:first_name, :last_name, :address => [:street, :city, :state]]] + param_protected [:id, :password, :user => [:id, :password]] == Caveats Both <tt>param_protected</tt> and <tt>param_accessible</tt> are really just calls to <tt>prepend_before_filter</tt>. Thus any methods in your filter chain that run before either of these methods will have full access to the <em>unprotected</em> <tt>params</tt> Hash. - -== Notes -You should be able to see all the parameters that have been filtered out in your log (log level info). They get printed out directly after the 'Parameters:' line. \ No newline at end of file README.rdoc @@ -31,24 +31,21 @@ module Cjbottaro module InstanceMethods def do_param_protected - params_to_kill = Helpers.params_to_live_or_kill(self.class.pp_protected, action_name.to_s,self) - params_by_path = Helpers.params_by_path(params) - params_to_kill.each do |param| - next unless params_by_path.has_key?(param) - params_by_path[param].each { |h, v| h.delete(v) } + self.class.pp_protected.each do |protected_params, actions| + scope, actions = actions.first, actions[1..-1] + Helpers.do_param_protected(protected_params, self.params) \ + if Helpers.action_matches?(scope, actions, self.action_name) end end def do_param_accessible - params_to_live = Helpers.params_to_live_or_kill(self.class.pp_accessible, action_name.to_s,self) - return if params_to_live.blank? - params_by_path = Helpers.params_by_path(params) - params_by_path.each do |path, hash| - next if params_to_live.include?(path) - hash.each { |h, v| h.delete(v) } + self.class.pp_accessible.each do |accessible_params, actions| + scope, actions = actions.first, actions[1..-1] + Helpers.do_param_accessible(accessible_params, self.params) \ + if Helpers.action_matches?(scope, actions, self.action_name) end end - + end module Helpers @@ -61,71 +58,62 @@ module Cjbottaro klass.pp_accessible = [] if klass.pp_accessible.nil? end - def self.normalize_params(params) - params = [params] unless params.instance_of?(Array) - params.collect{ |param| param.to_s } + def self.normalize_params(params, params_out = {}) + if params.instance_of?(Array) + params.each{ |param| normalize_params(param, params_out) } + elsif params.instance_of?(Hash) + params.each do |k, v| + k = k.to_s + params_out[k] = {} + normalize_params(v, params_out[k]) + end + else + params_out[params.to_s] = nil + end + params_out end def self.normalize_actions(actions) - return [:except] if actions.blank? + error_message = "invalid actions, use :only => ..., :except => ..., or nil" + return [:except, nil] if actions.blank? + raise ArgumentError, error_message unless actions.instance_of?(Hash) + raise ArgumentError, error_message unless actions.length == 1 + raise ArgumentError, error_message unless [:only, :except].include?(actions.keys.first) + scope, actions = actions.keys.first, actions.values.first actions = [actions] unless actions.instance_of?(Array) - actions = actions.collect{ |action| action.to_s } unless actions.first.instance_of?(Proc) + actions = actions.collect{ |action| action.to_s } [scope, *actions] end - # specs will something like... - # [[param1, param2], [:only, action1, action2] - # [param2, param3], [:except, action3, action4]] - def self.params_to_live_or_kill(specs, action, controller) - specs.inject([]) do |memo, params_actions| - params, actions = params_actions - scope = actions.first # actions is a reference to a part of pp_protected or pp_accessible, so we don't want to alter it - actions = case actions[1] - when Array - actions[1..-1] - when Proc - actions[1].bind(controller).call() - else - [] - end - memo += params if scope == :only and actions.include?(action) - memo += params if scope == :except and !actions.include?(action) - memo + def self.action_matches?(scope, valid_actions, action_name) + if scope == :only + valid_actions.include?(action_name) + elsif scope == :except + !valid_actions.include?(action_name) + else + raise ArgumentError, "unexpected scope (#{scope}), expected :only or :except" end end - - # Takes a params hash and returns a hash where the keys are an xpath like string and the values are the - # information needed to remove the entry from the inputted params hash. - # Examples: - # params = { :user => {:first => 'calia', :last => 'rose' } } - # params_by_xpathy(params) => { 'user' => [[params, :user]], - # 'user/first' => [[params[:user], :first]], - # 'user/last' => [[params[:user], :last]] } - # Notice the values are arrays of doubles. That's so we can properly filter on params that are arrays, like so: - # params = { :users => [ {:first => 'calia', :last => 'rose'}, - # {:first => 'coco', :last => 'rae' } ] } - # params_by_xpathy(params) => { 'users' => [[params, :user]], - # 'users/first' => [[params[:user][0], :first], [params[:user][1], :first]], - # 'users/last' => [[params[:user][0], :last ], [params[:user][0], :last ]] } - # Now if we want to protect parameter 'users/first', we can simply do... - # params_by_xpathy(params)['users/first'].each { |h, v| h.delete(v) } - def self.params_by_path(node, path_so_far = '', result = {}) - node.each do |k, v| - path = path_so_far.blank? ? k.to_s : path_so_far + "/#{k}" - result[path] ||= [] - result[path] << [node, k] - if v.is_a?(Hash) - params_by_path(v, path, result) - elsif v.is_a?(Array) - v.each{ |e| params_by_path(e, path, result) } - end - end - return result + + def self.do_param_protected(protected_params, params) + return unless params.kind_of?(Hash) + return if protected_params.nil? + params.delete_if{ |k, v| protected_params.has_key?(k) and protected_params[k].nil? } + params.each{ |k, v| do_param_protected(protected_params[k], v) } + params + end + + def self.do_param_accessible(accessible_params, params) + return unless params.kind_of?(Hash) + return if accessible_params.nil? + params.delete_if{ |k, v| !accessible_params.has_key?(k) } + params.each{ |k, v| do_param_accessible(accessible_params[k], v) } + params end end - + end - + end \ No newline at end of file lib/param_protected.rb @@ -1,94 +1,126 @@ require File.dirname(__FILE__) + '/../../../../test/test_helper' -require File.dirname(__FILE__) + '/../init.rb' -class FakeController < ActionController::Base - - def fake_action1 - render :text => '' - end - - def fake_action2 - render :text => '' - end - - def fake_action3 - render :text => '' - end +class HelpersTest < Test::Unit::TestCase - protected - - def rescue_action(e) - raise e + # a little aliasing so I don't have to type so much. + Helpers = Cjbottaro::ParamProtected::Helpers + + def test_normalize_params + params = Helpers.normalize_params(:something) + assert_equal({"something" => nil}, params) + + params = Helpers.normalize_params([:something, :else]) + assert_equal({"something" => nil, "else" => nil}, params) + + params = Helpers.normalize_params(:something => [:stuff, :blah]) + assert_equal({"something" => {"stuff" => nil, "blah" => nil}}, params) + + params = Helpers.normalize_params(:something => [:stuff, {:blah => :bleck}]) + assert_equal({"something" => {"stuff" => nil, "blah" => {"bleck" => nil}}}, params) end - -end - -class HelpersTest < Test::Unit::TestCase - - def setup - class << FakeController - attr_accessor :pp_protected, :pp_accessible - end - FakeController.pp_protected = [] - FakeController.pp_accessible = [] - @controller = FakeController.new - @request = ActionController::TestRequest.new - @response = ActionController::TestResponse.new + + def test_normalize_actions + actions = Helpers.normalize_actions(nil) + assert_equal [:except, nil], actions + + actions = Helpers.normalize_actions(:only => :blah) + assert_equal [:only, "blah"], actions + + actions = Helpers.normalize_actions(:only => [:blah, :bleck]) + assert_equal [:only, "blah", "bleck"], actions + + actions = Helpers.normalize_actions(:except => :blah) + assert_equal [:except, "blah"], actions + + actions = Helpers.normalize_actions(:except => [:blah, :bleck]) + assert_equal [:except, "blah", "bleck"], actions + + assert_raises(ArgumentError){ Helpers.normalize_actions(:onlyy => :blah) } + assert_raises(ArgumentError){ Helpers.normalize_actions(:blah) } + assert_raises(ArgumentError){ Helpers.normalize_actions(:only => :something, :except => :something) } end - def test_the_xpathy_thing - params = { - :scalar => 'test', - :user => { :name => { :fname => 'chris', :lname => 'bottaro'}, - :id => 1 }, - :pets => [ {:fname => 'calia', :mname => 'rose'}, - {:fname => 'coco', :mname => 'rae' } ] - } - expected_xpathy_thing = { - 'scalar' => [[params, :scalar]], - 'user' => [[params, :user]], - 'user/name' => [[params[:user], :name]], - 'user/name/fname' => [[params[:user][:name], :fname]], - 'user/name/lname' => [[params[:user][:name], :lname]], - 'user/id' => [[params[:user], :id]], - 'pets' => [[params, :pets]], - 'pets/fname' => [[params[:pets][0], :fname], [params[:pets][1], :fname]], - 'pets/mname' => [[params[:pets][0], :mname], [params[:pets][1], :mname]] - } - xpathy_thing = Cjbottaro::ParamProtected::Helpers.params_by_path(params) - assert_equal expected_xpathy_thing, xpathy_thing + def test_action_matches + assert Helpers.action_matches?(:only, ["blah", "bleck"], "blah") + assert Helpers.action_matches?(:only, ["blah", "bleck"], "bleck") + assert !Helpers.action_matches?(:only, ["blah", "bleck"], "not") + + assert !Helpers.action_matches?(:except, ["blah", "bleck"], "blah") + assert !Helpers.action_matches?(:except, ["blah", "bleck"], "bleck") + assert Helpers.action_matches?(:except, ["blah", "bleck"], "not") + + assert_raises(ArgumentError){ Helpers.action_matches?(:bad_scope, ["blah", "bleck"], "not") } end - - def test_accessible_map - expected_map = [] + + def test_do_param_accessible - FakeController.param_accessible :user_id - expected_map << [['user_id'], [:except]] - assert_equal expected_map, FakeController.pp_accessible + accessible_params = { :account_id => nil, + :user_id => nil } + params = { :account_id => 123, + :user_id => 456, + :profile_id => 789 } + expected_results = { :account_id => 123, + :user_id => 456 } + assert_equal expected_results, Helpers.do_param_accessible(accessible_params, params) - FakeController.param_accessible :client_id - expected_map << [['client_id'], [:except]] - assert_equal expected_map, FakeController.pp_accessible + accessible_params = { :account_id => nil, + :user => nil } + params = { :account_id => 123, + :user => { :first_name => "christopher", :last_name => "bottaro" }, + :profile_ids => [789, 987] } + expected_results = { :account_id => 123, + :user => { :first_name => "christopher", :last_name => "bottaro"} } + assert_equal expected_results, Helpers.do_param_accessible(accessible_params, params) - FakeController.param_accessible :account_id, :only => :fake_action1 - expected_map << [['account_id'], [:only, 'fake_action1']] - assert_equal expected_map, FakeController.pp_accessible + accessible_params = { :account_id => nil, + :user => {:first_name => nil, :last_name => nil} } + params = { :account_id => 123, + :user => { :first_name => "christopher", :last_name => "bottaro", :middle_name => "james" }, + :profile_ids => [789, 987] } + expected_results = { :account_id => 123, + :user => { :first_name => "christopher", :last_name => "bottaro"} } + assert_equal expected_results, Helpers.do_param_accessible(accessible_params, params) - FakeController.param_accessible :account_id, :except => :fake_action1 - expected_map << [['account_id'], [:except, 'fake_action1']] - assert_equal expected_map, FakeController.pp_accessible + accessible_params = { :account_id => nil, + :user => {:name => {:first => nil, :last => nil}} } + params = { :account_id => 123, + :user => { :city => "Austin", + :name => {:first => "christopher", :last => "bottaro", :middle => "james"} }, + :profile_ids => [789, 987] } + expected_results = { :account_id => 123, + :user => { :name => {:first => "christopher", :last => "bottaro"} } } + assert_equal expected_results, Helpers.do_param_accessible(accessible_params, params) end - def test_accessible_map_with_arrays - expected_map = [] + def test_do_param_protected - FakeController.param_accessible [:user_id, :client_id], :only => [:fake_action1, :fake_action2] - expected_map << [['user_id', 'client_id'], [:only, 'fake_action1', 'fake_action2']] - assert_equal expected_map, FakeController.pp_accessible + protected_params = { :account_id => nil, + :user => nil } + params = { :account_id => 123, + :user => { :first_name => "christopher", :last_name => "bottaro" }, + :profile_ids => [789, 987] } + expected_results = { :profile_ids => [789, 987] } + assert_equal expected_results, Helpers.do_param_protected(protected_params, params) - FakeController.param_accessible [:user_id, :client_id], :except => [:fake_action1, :fake_action2] - expected_map << [['user_id', 'client_id'], [:except, 'fake_action1', 'fake_action2']] - assert_equal expected_map, FakeController.pp_accessible + protected_params = { :account_id => nil, + :user => {:middle_name => nil} } + params = { :account_id => 123, + :user => { :first_name => "christopher", :last_name => "bottaro", :middle_name => "james" }, + :profile_ids => [789, 987] } + expected_results = { :user => {:first_name => "christopher", :last_name => "bottaro"}, + :profile_ids => [789, 987] } + assert_equal expected_results, Helpers.do_param_protected(protected_params, params) + + protected_params = { :account_id => nil, + :user => {:name => {:middle => nil}} } + params = { :account_id => 123, + :user => { :city => "Austin", + :name => {:first => "christopher", :last => "bottaro", :middle => "james"} }, + :profile_ids => [789, 987] } + expected_results = { :profile_ids => [789, 987], + :user => { :city => "Austin", + :name => {:first => "christopher", :last => "bottaro"} } } + assert_equal expected_results, Helpers.do_param_protected(protected_params, params) end - + end test/helpers_test.rb @@ -184,7 +184,7 @@ class ParamAccessibleTest < Test::Unit::TestCase end def test_nested - @controller.class.param_accessible ['user', 'user/user_id'], :only => :fake_action1 + @controller.class.param_accessible({:user => :user_id}, :only => :fake_action1) get :fake_action1, :user => { :user_id => 123, :good_id => 321 }, :user_id => 456, :good_id => 789 assert @controller.params[:user].has_key?(:user_id) == true @@ -211,8 +211,8 @@ class ParamAccessibleTest < Test::Unit::TestCase get :fake_action1, :user => { :user_id => 123, :good_id => 321 }, :user_id => 456, :good_id => 789 assert @controller.params.has_key?(:user) == true - assert @controller.params[:user].has_key?(:user_id) == false - assert @controller.params[:user].has_key?(:good_id) == false + assert @controller.params[:user].has_key?(:user_id) == true + assert @controller.params[:user].has_key?(:good_id) == true assert @controller.params.has_key?(:user_id) == false assert @controller.params.has_key?(:good_id) == false @@ -228,5 +228,5 @@ class ParamAccessibleTest < Test::Unit::TestCase assert @controller.params.has_key?(:user_id) == true assert @controller.params.has_key?(:good_id) == true end - + end test/param_accessible_test.rb @@ -158,7 +158,7 @@ class ParamProtectedTest < Test::Unit::TestCase end def test_nested - @controller.class.param_protected 'user/user_id', :only => :fake_action1 + @controller.class.param_protected({:user => :user_id}, :only => :fake_action1) get :fake_action1, :user => { :user_id => 123, :good_id => 321 }, :user_id => 456, :good_id => 789 assert @controller.params[:user].has_key?(:user_id) == false test/param_protected_test.rb 317ee309a7a1c4a542fb207f479403a6f9d39def Scott Diedrick swalterd@gmail.com http://github.com/mumboe/param_protected/commit/32d6260d9439069e1e434428051560561373bf72 32d6260d9439069e1e434428051560561373bf72 2009-03-28T16:47:25-07:00 2009-03-28T16:47:25-07:00 Porting over changes made by cjbottaro. I will add back Proc support in the next commit. 47f3f64ac453034a6a953aed5eed51ae3d5a61b6 Scott Diedrick swalterd@gmail.com