
su_attr_accessibility

public
4 stars
0 forks
0 issues

Commits

List of commits on branch master.
Unverified
9ed9bf32e7b51169212e3c9c8137e67417c015b7

Update README.md

eeval committed 13 years ago
Unverified
53a6cfa09b56e542c36faeebf1635c2a4c45f23b

module is default included into ActiveRecord

eeval committed 13 years ago
Unverified
3e68ab38d6c6a88328da61632d2845f9699afa7b

useful spec

eeval committed 13 years ago
Unverified
db2ebe3af2833714cbc5ba8ab9e044fd6971e8ea

Update README.md

eeval committed 13 years ago
Unverified
171b75c17654a15215291fe9c3cd550e2ebf0b7b

v0.5.0

eeval committed 13 years ago
Unverified
135367da136863af135bcd4d09ccee38d023138a

rename sudo_attr_accessibility => su_attr_accessibility

eeval committed 13 years ago

README

The README file for this repository.

SuAttrAccessibility

Usage

Using attr_accessible you can explicitly define what attributes of a model can be mass assigned. As of Rails 3.1 you can even specify these attributes per role.

So given the following model:

# app/models/user.rb

# Table name: users
#
#  id                     :integer(4)      not null, primary key
#  name                   :string(255)
#  is_admin               :boolean(1)
class User < ActiveRecord::Base
  attr_accessible :name, :as => :user_input
end

...we stay safe when POSTed (possibly malicious) data is involved in mass assignment:

> params = {:name => 'Gert', :is_admin => true}
> user = User.new(params, :as => :user_input)
WARNING: Can't mass-assign protected attributes: is_admin
=> #<User id: nil, name: "Gert", is_admin: nil>

While this is all good and fine for handling params in controllers, a whole lot of other parts of your application (e.g. tests, the console, any non-controller code) probably don't want to deal with these restrictions.

Though you could use :without_protection => true to bypass these restrictions, this gem lets you define a role that essentially does the same:

class User < ActiveRecord::Base
  attr_accessible :name, :as => :user_input
  su_attr_accessible_as :admin
end

> params = {:name => 'Gert', :is_admin => true}
> user = User.new(params, :without_protection => true)
=> #<User id: nil, name: "Gert", is_admin: true>
> user = User.new(params, :as => :admin)
=> #<User id: nil, name: "Gert", is_admin: true>

But wait, there's more!

Do we really care about any role when we're not dealing with submitted data? Probably not. This is when this gem is even better: we can pass the default-role to su_attr_accessible_as and forget about any role except for the parts where we really care:

class User < ActiveRecord::Base
  attr_accessible :name, :as => :user_input
  su_attr_accessible_as :default
end

# on the console and in our tests:
> params = {:name => 'Gert', :is_admin => true}
> user = User.new(params)
=> #<User id: nil, name: "Gert", is_admin: true>

# in our controllers we keep using the user_input-role:
> user = User.new(params, :as => :user_input)
WARNING: Can't mass-assign protected attributes: is_admin
=> #<User id: nil, name: "Gert", is_admin: nil>
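With :default as the superuser role, protection holds only where a call passes :as => :user_input; a controller call that omits the option is assigned without restriction. The following check is an added example, not code from this gem or from Rails: it scans controller source for mass-assignment calls on params that would run unrestricted. The function name, the regexes and the sample controller are assumptions made for illustration.

```ruby
# Added example; not part of su_attr_accessibility or Rails.
# Heuristic and line-based: assumes one call per line, treats '#' as a comment start.

MASS_ASSIGN = /\.(?:new|create|update_attributes|assign_attributes)!?\s*[( ]\s*.*\bparams\b/
ROLE_OPTION = /(?::as\s*=>|\bas:)\s*:(\w+)/
BYPASS      = /(?::without_protection\s*=>|\bwithout_protection:)\s*true\b/

# Constructed sample input (hypothetical controller, not from the repository).
SAMPLE_CONTROLLER = <<-'RUBY'
class UsersController < ApplicationController
  def create
    @user = User.new(params[:user], :as => :user_input)
    @user.save
  end

  def update
    @user = User.find(params[:id])
    @user.update_attributes(params[:user])
  end

  def import
    User.create!(params[:user], :without_protection => true)
  end
end
RUBY

# Returns one finding per call that mass-assigns params without restriction,
# given su_role as the role passed to su_attr_accessible_as in the model.
def unrestricted_mass_assignments(source, su_role = :default)
  findings = []
  source.each_line.with_index(1) do |line, number|
    code = line.sub(/#.*/, '')
    next unless code =~ MASS_ASSIGN

    # A call without :as is evaluated under the :default role.
    effective = (code[ROLE_OPTION, 1] || 'default').to_sym
    reason =
      if code =~ BYPASS then :without_protection
      elsif effective == su_role
        code =~ ROLE_OPTION ? :superuser_role : :no_role
      end
    findings << { :line => number, :reason => reason, :code => code.strip } if reason
  end
  findings
end

if __FILE__ == $0
  unrestricted_mass_assignments(SAMPLE_CONTROLLER).each do |f|
    puts "line #{f[:line]}: #{f[:reason]}: #{f[:code]}"
  end
end
```

Pass the model's superuser role as the second argument when it is not :default; calls without :as are then no longer reported, because they fall under the :default role rather than the superuser role.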

Installation

Add this line to your application's Gemfile:

gem 'su_attr_accessibility'

And then execute:

$ bundle

Or install it yourself as:

$ gem install su_attr_accessibility

Contributing

  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Added some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create new Pull Request

Author

Gert Goet (eval) :: gert@thinkcreate.nl :: @gertgoet