GitXplorerGitXplorer
e

su_attr_accessibility

public
4 stars
0 forks
0 issues

Commits

List of commits on branch master.
Unverified
1f81f36414f219d72580ed6eb78a46cf58e1440b

added author

eeval committed 13 years ago
Unverified
2ad76c98033f4b7a3a34062dbeaa938c94437808

readme added

eeval committed 13 years ago
Unverified
d72e5b8bef6ae97d6287ebf21a3b4025d7d64d1c

first spec passes

eeval committed 13 years ago
Unverified
f20891b67e1fa4f7e944f665c6d77d155dbfaa52

specs working

eeval committed 13 years ago
Unverified
6cc3953764fd20f6a0f2264659e82757a5708167

require activesupport, dont assume AR

eeval committed 13 years ago
Unverified
8c58b9470f60579baf69f44ba83389d14a6bb482

copy gist

eeval committed 13 years ago

README

The README file for this repository.

SuAttrAccessibility

Usage

Using attr_accessible you can explicitly define what attributes of a model can be mass assigned. As of Rails 3.1 you can even specify these attributes per role.

So given the following model:

# app/models/user.rb

# Table name: users
#
#  id                     :integer(4)      not null, primary key
#  name                   :string(255)
#  is_admin               :boolean(1)
class User < ActiveRecord::Base
  attr_accessible :name, :as => :user_input
end

...we stay safe when POSTed (possibly malicious) data is involved in mass assignment:

> params = {:name => 'Gert', :is_admin => true}
> user = User.new(params, :as => :user_input)
WARNING: Can't mass-assign protected attributes: is_admin
=> #<User id: nil, name: "Gert", is_admin: nil>

While this is all good and fine for handling params in controllers, a whole lot of other parts of your application (e.g. tests, the console, any non-controller code) probably don't want to deal with these restrictions.

Though you could use :without_protection => true to bypass these restrictions, this gem let's you define a role that essentialy does the same:

class User < ActiveRecord::Base
  attr_accessible :name, :as => :user_input
  su_attr_accessible_as :admin
end

> params = {:name => 'Gert', :is_admin => true}
> user = User.new(params, :without_protection => true)
=> #<User id: nil, name: "Gert", is_admin: true>
> user = User.new(params, :as => :admin)
=> #<User id: nil, name: "Gert", is_admin: true>

But wait, there's more!

Do we really care about any role when we're not dealing with submitted data? Probably not. This is when this gem is even better: we can pass the default-role to su_attr_accessible_as and forget about any role except for the parts where we really care:

class User < ActiveRecord::Base
  attr_accessible :name, :as => :user_input
  su_attr_accessible_as :default
end

# on the console and in our tests:
> params = {:name => 'Gert', :is_admin => true}
> user = User.new(params)
=> #<User id: nil, name: "Gert", is_admin: true>

# in our controllers we keep using the user_input-role:
> user = User.new(params, :as => :user_input)
WARNING: Can't mass-assign protected attributes: is_admin
=> #<User id: nil, name: "Gert", is_admin: nil>

Installation

Add this line to your application's Gemfile:

gem 'su_attr_accessibility'

And then execute:

$ bundle

Or install it yourself as:

$ gem install su_attr_accessibility

Contributing

  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Added some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create new Pull Request

Author

Gert Goet (eval) :: gert@thinkcreate.nl :: @gertgoet