Simple dynamic configuration of mass-assignment security (attr_protected/attr_accessible)
Ruby
Latest commit 6027e16 Jan 5, 2014 @attack Info: no longer maintained
lib check for _exposures Jul 13, 2011
spec add directory for test db Jun 20, 2011
.gitignore add directory for test db Jun 20, 2011
Gemfile Initial commit, bundler generated files Jun 18, 2011
README.rdoc
Rakefile get initial version working, prep for 0.1 release, tested with rspec Jun 20, 2011
expose.gemspec update description Jun 20, 2011

README.rdoc

This gem is no longer maintained.

Expose

Expose lets you adjust a model's 'attr_accessible' or 'attr_protected' list dynamically, per record, based on that record's state. It only governs mass-assignment security (which attributes a params hash is allowed to set); it is not an authorization layer and does not replace one.

Model

The following lets :sometimes_important be mass-assigned when the record's :state
is 'new' or 'pending'. Each of the four 'expose' calls below expresses that same
rule; only one is needed.

class Account < ActiveRecord::Base
  include Expose::Model

  # name:string
  # sometimes_important:string
  # state:string ... example values 'new', 'pending', 'closed'

  # The state column is a string, so compare against strings: a Proc that
  # tests [:new, :pending].include?(account.state) would never match.
  expose :sometimes_important,
    :if => Proc.new { |account| %w(new pending).include?(account.state.to_s) }

  # same result as the line above, using the :state shortcut
  expose :sometimes_important, :state => [:new, :pending]

  # similar to the line above, expressed as the complement
  expose :sometimes_important,
    :unless => Proc.new { |account| account.state.to_s == 'closed' }

  # same result as the line above, using the :not_state shortcut
  expose :sometimes_important, :not_state => :closed

  # whitelist strategy: only :name is always mass-assignable. Keep :state out
  # of the whitelist, otherwise the condition above becomes user-controlled.
  attr_accessible :name

  # OR, blacklist strategy: everything except :sometimes_important is
  # mass-assignable (not recommended, see Todo)
  # attr_protected :sometimes_important

end

Notes

This gem has only been tested with Rails 3.1.rc3 but should work with any Rails 3.x: the only Rails internal it relies on is the mass_assignment_authorizer hook of ActiveModel::MassAssignmentSecurity, which it overrides so that the attributes currently exposed for a record are added to that record's whitelist. Rails 4 removed attr_accessible/attr_protected from the framework (they survive only in the separate protected_attributes gem) in favour of strong parameters, so this gem does not apply there.

Todo

This gem is in the early stages of development, so use it at your own risk.

Plans/Ideas:

- add a 'protect' version, which does the opposite of 'expose'
- maybe disable attr_protected. Using this gem shows an interest in
  mass-assignment security, so why not enforce a whitelist-only strategy?
- add a controller version, so that session data (e.g. the role of the
  logged-in user) can be used in conditions
- add better error handling and option checking, maybe add some logging
- depend on ActiveModel rather than ActiveRecord
- stop requiring 'include Expose::Model'. When I tried, the class variable
  '_exposures' was shared by all subclasses of ActiveRecord::Base, so every
  declared model saw the same '_exposures'.

Installation

Install the gem:

gem install expose

Or add Expose to your Gemfile and bundle it up:

gem 'expose'

Options

'expose' takes the attribute name plus exactly one of the following options:

  • :if - a Proc that receives the record; when it returns true, the attribute is added to the whitelist.

  • :unless - a Proc that receives the record; when it returns false, the attribute is added to the whitelist.

  • :state - a state symbol, or an array of them; when the record is in one of these states, the attribute is added to the whitelist.

  • :not_state - a state symbol; when the record is not in this state, the attribute is added to the whitelist.
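A runnable illustration of the rules described in the Model section and in the Options list above, added for this page and not taken from the gem. It reimplements, in plain Ruby, just enough of Rails 3's mass-assignment whitelist (the mass_assignment_authorizer hook the gem overrides) to show each 'expose' option filtering a params hash, the string-versus-symbol comparison of the state column, and per-class storage of exposures so that a subclass's 'expose' does not leak into other models (the '_exposures' problem noted under Todo). Expose::Model, the option names and mass_assignment_authorizer follow the README; Expose::Model::ClassMethods, assign_attributes, the Account and PremiumAccount models, the assign helper and the request params are assumptions made for this example.

```ruby
# Added example, not the expose gem's code: a minimal stand-in for Rails 3's
# mass-assignment whitelist so the README's expose rules can run without
# ActiveRecord. Expose::Model, the option names and mass_assignment_authorizer
# follow the README; everything else here is assumed for this illustration.
require 'set'

module Expose
  module Model
    def self.included(base)
      base.extend(ClassMethods)
      # Per-class storage. A @@class_variable here would be shared by every
      # subclass (the '_exposures' pitfall in the Todo list); an instance
      # variable on the class object belongs to that class alone.
      base.instance_variable_set(:@exposures, [])
      base.instance_variable_set(:@accessible, Set.new)
    end

    module ClassMethods
      attr_reader :exposures, :accessible

      # A subclass starts from a copy, so its own expose calls never leak
      # back into the parent or into sibling models.
      def inherited(sub)
        super
        sub.instance_variable_set(:@exposures, exposures.dup)
        sub.instance_variable_set(:@accessible, accessible.dup)
      end

      # Static whitelist, as attr_accessible.
      def attr_accessible(*names)
        @accessible.merge(names.map(&:to_s))
      end

      # Conditional whitelist entry. States are compared as strings because
      # the column is a string; [:new].include?("new") is always false.
      def expose(attr, opts = {})
        states = Array(opts[:state] || opts[:not_state]).map(&:to_s)
        cond =
          if    opts[:if]        then opts[:if]
          elsif opts[:unless]    then ->(r) { !opts[:unless].call(r) }
          elsif opts[:state]     then ->(r) { states.include?(r.state.to_s) }
          elsif opts[:not_state] then ->(r) { !states.include?(r.state.to_s) }
          else raise ArgumentError, "expose #{attr.inspect}: needs :if, :unless, :state or :not_state"
          end
        @exposures << [attr.to_s, cond]
      end
    end

    # The hook the gem overrides: the whitelist for this record, right now.
    def mass_assignment_authorizer
      dynamic = self.class.exposures.select { |_, cond| cond.call(self) }.map(&:first)
      self.class.accessible | dynamic
    end

    # Mass-assign a params hash, dropping unauthorized keys. Returns the dropped
    # keys so the caller can log them (Rails 3 logged a "Can't mass-assign
    # protected attributes" warning at this point).
    def assign_attributes(params)
      allowed  = mass_assignment_authorizer
      rejected = []
      params.each do |key, value|
        allowed.include?(key.to_s) ? public_send("#{key}=", value) : rejected << key.to_s
      end
      rejected
    end
  end
end

# Constructed models standing in for ActiveRecord classes.
class Account
  include Expose::Model
  attr_accessor :name, :sometimes_important, :state, :admin

  attr_accessible :name   # :state stays protected, so the rule is not user-controlled
  expose :sometimes_important, :state => [:new, :pending]

  def initialize(state)
    @state = state
  end
end

class PremiumAccount < Account
  expose :admin, :unless => Proc.new { |a| a.state.to_s == 'closed' }
end

# Constructed request params in which the user has appended "admin".
PARAMS = { 'name' => 'alice', 'sometimes_important' => 'x', 'admin' => true }.freeze

# Returns [name, sometimes_important, admin, rejected keys] after assignment.
def assign(model, state)
  record   = model.new(state)
  rejected = record.assign_attributes(PARAMS)
  [record.name, record.sometimes_important, record.admin, rejected]
end
```

With these constructed params, assign(Account, 'new') sets name and sometimes_important and rejects admin; assign(Account, 'closed') also rejects sometimes_important; assign(PremiumAccount, 'pending') accepts all three, because the subclass exposes admin, while Account.exposures still holds a single entry. Two design points carry over to the real gem: normalise the state to a string before comparing it, and keep the attribute the condition depends on out of the whitelist, or a user can first move the record into a permissive state and then supply the exposed attribute.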

Maintainers

Contributors

  • you

Influence

Bugs and Feedback

If you discover any bugs or want to drop a line, feel free to create an issue on GitHub.

github.com/attack/expose/issues

MIT License. Copyright 2011 Mark G. github.com/attack