initial import

0 parents commit c0938b8afad316a88c3f9e5690411761a87d6363 @ryanb committed Jun 1, 2009
Showing with 109 additions and 0 deletions.
  1. +20 −0 LICENSE
  2. +52 −0 README
  3. +4 −0 Rakefile
  4. +2 −0 lib/trusted_params.rb
  5. +9 −0 lib/trusted_params/hash_additions.rb
  6. +9 −0 spec/spec_helper.rb
  7. +4 −0 spec/trusted_params/hash_additions_spec.rb
  8. +9 −0 tasks/spec.rake
20 LICENSE
@@ -0,0 +1,20 @@
+Copyright (c) 2009 Ryan Bates
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
52 README
@@ -0,0 +1,52 @@
+= Trusted Params
+
+Rails plugin which assumes the params hash is dangerous unless otherwise specified.
+
+IMPORTANT: not all of the functionality in this readme has been implemented yet.
+
+
+== Install
+
+You can install this as a plugin into your Rails app.
+
+ script/plugin install git://github.com/ryanb/trusted-params.git
+
+
+== Features
+
+This plugin does several things.
+
+* Disables attr_protected because you should use attr_accessible.
+* Enables attr_accessible by default (this does not allow normal mass assignment)
+* Raise an exception when assign a protected attribute
+* Adds :all as a possible option to attr_accessible to allow all attributes to be mass-assignable
+* Adds "trust" method to the params hash to bypass certain attributes
+
+
+== Usage
+
+When using this plugin, you must define attr_accessible in every model to allow mass assignment. You can use :all to mark all attributes as accessible.
+
+ class Comment < ActiveRecord::Base
+ attr_accessible :all
+ end
+
+However, only do this if you want all attributes accessible to the public. Many times you will want to limit what the general public can set.
+
+ class Comment < ActiveRecord::Base
+ attr_accessible :author_name, :email, :content
+ end
+
+Now what if we have administrators who can also manage the model? They should be able to bypass the protected attributes and set anything. This can be done with the "trust" method.
+
+ def create
+ params[:comment].trust if admin?
+ @comment = Comment.new(params[:comment])
+ # ...
+ end
+
+You can mark certain attributes as trusted for different roles
+
+ params[:comment].trust(:spam, :important) if moderator?
+
+Then only those attributes will be allowed to bypass mass assignment.
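Review bot: the Features and Usage sections present `trust`, `attr_accessible :all` and the exception on assigning a protected attribute as existing behaviour, but the only library code in this commit is an empty `TrustedParams::HashAdditions` module, so the single "IMPORTANT: not all of the functionality in this readme has been implemented yet" line is too weak; mark each Features bullet as implemented or planned so nobody deploys this expecting mass-assignment protection that is not there yet. Two smaller points in the same hunk: "Raise an exception when assign a protected attribute" should read "Raises an exception when assigning a protected attribute", and since `params[:comment].trust if admin?` is immediately followed by `Comment.new(params[:comment])`, `trust` must flag the hash object itself, so the Usage section should say that the no-argument form trusts every attribute and that the flag lives on that hash (the dangerous direction of this API), rather than leaving it to the reader to infer from the example. Finally, the Install line fetches over `git://`, which carries no transport authentication; an https URL is preferable for anything that ends up on the load path of a Rails app.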
4 Rakefile
@@ -0,0 +1,4 @@
+require 'rubygems'
+require 'rake'
+
+Dir["#{File.dirname(__FILE__)}/tasks/*.rake"].sort.each { |ext| load ext }
2 lib/trusted_params.rb
@@ -0,0 +1,2 @@
+$:.unshift(File.dirname(__FILE__))
+require 'trusted_params/hash_additions'
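Review bot: `$:.unshift(File.dirname(__FILE__))` puts this plugin's lib directory ahead of every other entry on the process-wide load path, so any same-named file under `trusted_params/` elsewhere is silently shadowed; a path-relative require in the style spec_helper already uses for this file (`require File.dirname(__FILE__) + '/trusted_params/hash_additions'`) avoids touching `$:` at all, and the Rails plugin loader adds `lib` to the load path anyway.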
9 lib/trusted_params/hash_additions.rb
@@ -0,0 +1,9 @@
+module TrustedParams
+ module HashAdditions
+
+ end
+end
+
+class Hash
+ include TrustedParams::HashAdditions
+end
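Review bot: `HashAdditions` is empty, yet it is already mixed into core `Hash`, so every Hash in the process (not just `params`) will gain whatever `trust` ends up doing; if the intent is only to annotate request parameters, consider applying the include from the controller side or to the params object rather than globally, and until the method exists define a `trust` that raises `NotImplementedError` so a caller following the README gets a clear failure instead of `NoMethodError` on a hash that was meant to bypass protection.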
9 spec/spec_helper.rb
@@ -0,0 +1,9 @@
+require 'rubygems'
+require 'spec'
+require 'active_support'
+require 'active_record'
+require File.dirname(__FILE__) + '/../lib/trusted_params.rb'
+
+Spec::Runner.configure do |config|
+ config.mock_with :rr
+end
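Review bot: `config.mock_with :rr` pulls in the rr gem and `require 'spec'` needs RSpec 1.x, but neither dependency is recorded anywhere in this commit (no gemspec, and the README's Install section mentions no development dependencies), so `rake spec` on a fresh checkout will fail with a LoadError; list them. Also `require 'active_record'` is loaded without establishing a connection, which is harmless for the empty spec here but will need an in-memory SQLite setup before any of the `attr_accessible` behaviour described in the README can be exercised.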
4 spec/trusted_params/hash_additions_spec.rb
@@ -0,0 +1,4 @@
+require File.dirname(__FILE__) + '/spec_helper'
+
+describe Hash do
+end
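Review bot: `describe Hash do end` contains no examples, so `rake spec` passes trivially and says nothing about the protection the README promises; at minimum add a pending example per README feature (`trust` with no arguments, `trust(:attr, ...)`, `attr_accessible :all`, exception on protected attribute assignment) so the unimplemented-feature list is tracked by the suite rather than only by a prose warning.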
9 tasks/spec.rake
@@ -0,0 +1,9 @@
+require 'spec/rake/spectask'
+
+spec_files = Rake::FileList["spec/**/*_spec.rb"]
+
+desc "Run specs"
+Spec::Rake::SpecTask.new do |t|
+ t.spec_files = spec_files
+ t.spec_opts = ["-c"]
+end
