Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Simple dynamic configuration of mass-assignment security (attr_protected/attr_accessible)
Ruby
branch: master

Fetching latest commit…

Cannot retrieve the latest commit at this time

Failed to load latest commit information.
lib
spec
.gitignore
Gemfile
README.rdoc
Rakefile
expose.gemspec

README.rdoc

This gem is no longer maintained.

Expose

Expose allows you to dynamically adjust the 'attr_accessible' or 'attr_protected' of a model. This is only for managing mass-assignment security, and not overall security.

Model

The following would let you mass_assign :sometimes_important when the :state
is 'new' or 'pending'.

class Account < ActiveRecord::Base
  include Expose::Model

  # name:string
  # sometimes_important:string
  # state:string ... example [:new, :pending, :closed]

  expose :sometimes_important,
    :if => Proc.new { |account| [:new,:pending].include?(account.state) }

  # same result as line above (just using)
  expose :sometimes_important, :state => [:new, :pending]

  # similar to line above
  expose :sometimes_important,
    :unless => Proc.new { |account| [:closed].include?(account.state) }

  # same as line above
  expose :sometimes_important, :not_state => :closed

  # using whitelist strategy
  attr_accessible :name

  # OR, using blacklist strategy
  # attr_protected :sometimes_important 

end

Notes

This gem has only been tested with Rails 3.1.rc3, but should work with Rails 3.X. It only uses the hook :mass_assignment_authorizer.

Todo

This gem is in the early stages of development, so use at your own risk.

Plans/Ideas:

- add 'protect' version, which does the opposite of 'expose'
- maybe disable attr_protected.  Using this gem shows an interest in
  mass-assignment security.  Why not ensure use of a whitelist only
  strategy.
- add controller version (so that session data can be used, ie: role of
  logged in user)
- add better error handling and option checking, maybe add some logging
- do not require ActiveRecord, but rather ActiveModel
- not require adding 'include Expose::Model'.  When I do, the class variable
  '_exposures' is shared by all subclasses of ActiveRecord::Base, and each
  declared model then sees the same '_exposures'.

Installation

Install the gem:

gem install expose

Or add Expose to your Gemfile and bundle it up:

gem 'expose'

Options

'expose' handles a series of options. Those are:

  • :if * - When true, the attribute will be added to whitelist.

  • :unless * - When false, the attribute will be added to whitelist.

  • :state * - When in this state, the attribute will be added to whitelist.

  • :not_state * - When not in this state, the attribute will be added to whitelist.

Maintainers

Contributors

  • you

Influence

Bugs and Feedback

If you discover any bugs or want to drop a line, feel free to create an issue on GitHub.

github.com/attack/expose/issues

MIT License. Copyright 2011 Mark G. github.com/attack

Something went wrong with that request. Please try again.