Changeset 1251

Timestamp:
01/09/08 20:07:10 (9 months ago)
Author:
lancecarls..@gmail.com
Message:

Added docs and a not-finished disclaimer

Files:

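--- a/plugins/merb_param_protection/README
+++ b/plugins/merb_param_protection/README
@@ -2,3 +2,28 @@
 =================
 
-A plugin for the Merb framework that provides ....
+** Not fully functional **
+
+This plugin exposes two new controller methods which allow us to simply and flexibly filter the parameters available within the controller.
+
+Setup:
+The request sets:
+
+        params => { :post => { :title => "ello", :body => "Want it", :status => "green", :author_id => 3, :rank => 4 } }
+
+  Example 1: params_accessable
+  MyController < Application
+    params_accessible :post => [:title, :body]
+  end
+
+        params.inspect # => { :post => { :title => "ello", :body => "Want it" } }
+
+So we see that params_accessible removes everything except what is explictly specified.
+
+        Example 2: params_protected
+        MyOtherController < Application
+        params_protected :post => [:status, :author_id]
+        end
+
+        params.inspect # => { :post => { :title => "ello", :body => "Want it", :rank => 4 } }
+
+We also see that params_protected removes ONLY those parameters explicitly specified.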
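--- a/plugins/merb_param_protection/lib/merb_param_protection.rb
+++ b/plugins/merb_param_protection/lib/merb_param_protection.rb
@@ -1,3 +1,26 @@
-# make sure we're running inside Merb
+# This plugin exposes two new controller methods which allow us to simply and flexibly filter the parameters available within the controller.
+
+# Setup:
+# The request sets:
+# params => { :post => { :title => "ello", :body => "Want it", :status => "green", :author_id => 3, :rank => 4 } }
+
+# Example 1: params_accessable
+# MyController < Application
+#   params_accessible :post => [:title, :body]
+# end
+
+# params.inspect # => { :post => { :title => "ello", :body => "Want it" } }
+
+# So we see that params_accessible removes everything except what is explictly specified.
+
+# Example 2: params_protected
+# MyOtherController < Application
+#   params_protected :post => [:status, :author_id]
+# end
+
+# params.inspect # => { :post => { :title => "ello", :body => "Want it", :rank => 4 } }
+
+# We also see that params_protected removes ONLY those parameters explicitly specified.
+
 if defined?(Merb::Plugins)
 
@@ -73,7 +96,15 @@
           end
         end
+
         module InstanceMethods
           def initialize_params_filter
-            puts accessible_params_args.inspect
+            if accessible_params_args.is_a?(Hash)
+              puts accessible_params_args.inspect
+              accessible_params_args.keys.each do |obj|
+                puts obj.inspect
+                puts accessible_params_args[obj].inspect
+                self.request.restrict_params(obj, accessible_params_args[obj])
+              end
+            end
           end
         end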
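Review bot: The `puts` calls on new lines 102, 104 and 105 of initialize_params_filter write the whole accessible-parameter configuration and each key's allowlist to stdout on every request; they read as leftover debugging output and should be removed, or routed through Merb's logger at debug level, before this is merged. With them gone the body reduces to `accessible_params_args.each { |obj, fields| request.restrict_params(obj, fields) }`. The `is_a?(Hash)` guard on line 101 means a misconfigured accessible_params_args silently skips restriction entirely, which for an allowlist filter is fail-open; if that value is ever defined as something other than a Hash (its definition is outside this hunk), raising an ArgumentError would be safer than continuing unfiltered. The header comment on new line 7 spells the method `params_accessable` while the code and README example use `params_accessible`. The module enclosing InstanceMethods begins outside the hunk.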
  • plugins/merb_param_protection/spec/merb_param_protection_spec.rb

    r1227 r1251  
    22 
    33describe "merb_param_protection" do 
    4   describe "Controller", "parameter filtering" do 
    5     before(:each) do 
    6       @request = fake_request 
    7     end 
    8      
     4  describe "Controller", "parameter filtering" do     
    95    describe "accessible parameters" do 
    106      class ParamsAccessibleController < Merb::Controller 
     
    1814        def index; end 
    1915      end 
    20        
    21       before(:each) do 
    22         @params_accessible_controller = ParamsAccessibleController.build(@request) 
    23         @params_accessible_controller.dispatch('index') 
    24       end 
     16 
    2517 
    2618      it "should store the accessible parameters for that controller" do 
     19        @params_accessible_controller = ParamsAccessibleController.build(fake_request) 
     20        @params_accessible_controller.stub!(:initialize_params_filter) 
     21        @params_accessible_controller.dispatch('index') 
    2722        @params_accessible_controller.accessible_params_args.should == { 
    2823          :address=> [:street, :zip], :post=> [:title, :body], :customer=> [:name, :phone, :email] 
    2924        } 
     25      end 
     26       
     27      it "should remove the parameters from the request that are not accessible" do 
     28        @request.post_body = "post[title]=hello&post[body]=something&post[status]=published" 
     29        @params_accessible_controller = ParamsAccessibleController.build(fake_request) 
     30        @params_accessible_controller.dispatch('index') 
    3031      end 
    3132    end 
     
    3334    describe "protected parameters" do 
    3435      before(:each) do 
    35         @params_protected_controller = ParamsProtectedController.build(@request) 
     36        @params_protected_controller = ParamsProtectedController.build(fake_request) 
    3637        @params_protected_controller.dispatch('index') 
    3738      end