AttributeExt
AttributeExt provides additional access control for rails model attributes. It contains two modules one to protect attributes from mass assignment and one to hide attributes when serializing models.
Install
Just add the following to your Gemfile
gem 'attribute_ext'
and run bundle
command.
You can also install AttributeExt as a rails plugin by cloning the repository to
vendor/plugins
.
AttributeExt::SafeAttributes
Protects attributes from mass assignment using rails mass assignment authorizer. Also support Proc blocks.
Examples:
Always allow mass assignment for attribute.
class User < ActiveRecord::Base
safe_attributes :attribute
end
Attributes 'login', 'admin' and 'status' can only be mass assigned if current user is an admin.
class User < ActiveRecord::Base
safe_attributes :login, :admin, :status, :if => Proc.new { User.current.admin? }
end
Message text can not be mass assigned when post is locked.
class Message < ActiveRecord::Base
safe_attributes :text, :unless => Proc.new { |msg| msg.locked? }
end
With Rails 3 a role can be given when creating or updating an model. This role will also be available in SafeAttributes.
class User < ActiveRecord::Base
safe_attributes :login, :as => :admin
end
or
class User < ActiveRecord::Base
safe_attributes :login, :if => Proc.new { |user,role| role == :admin }
end
Default role and role mapper:
SafeAttributes provides helper for handling roles including a method to set a new default role as well as a method to map roles to other values. Changes to role will only affect SafeAttributes and will not be given to Rails 3.1 mass assignment authorizer.
Set default role that will be used if given role is nil or :default.
AttributeExt::SafeAttributes.default_role = :new_default
Role values can be restricted to specific values using the role mapper.
AttributeExt::SafeAttributes.role_mapper = Proc.new do |role|
[:guest, :user, :admin].include?(role) ? role : :guest
end
or
AttributeExt::SafeAttributes.role_mapper do |role|
[:guest, :user, :admin].include?(role) ? role : :guest
end
The role mapper is especially usefull if you want the current user model be the default role.
AttributeExt::SafeAttributes.role_mapper do |role|
role.is_a?(User) ? role : User.current
end
You can perform checks like this now:
class User < ActiveRecord::Base
safe_attribute :email, :if => Proc.new { |user,role| user == role or role.admin? }
end
Now the user can edit there own emails or everyons email if it is an admin.
AttributeExt::HiddenAttributes
Hides attributes when converting model to XML or JSON. Attributes can be dynamically hidden using if or unless Procs.
Examples:
Only shows API access key when user has API access.
class User < ActiveRecord::Base
hide_attributes :api_access_key, :unless => Proc.new { |user| user.api_access? }
end
Always hide password hash and password salt. Hide email if user do not want to show his email.
class User < ActiveRecord::Base
hide_attributes :password_hash, :password_salt
hide_attributes :email, :if => Proc.new { |user| user.hide_email? }
end
Additional options are available in if and unless blocks:
Only hide email when serialzing to json.
class User < ActiveRecord::Base
hide_attributes :email, :if => Proc.new { |user, format| format == :json }
end
Simpler format conditions can be defined using :only and :except parameters:
class User < ActiveRecord::Base
hide_attributes :email, :only => :json
hide_attributes :special_attr, :except => [:xml, :json]
end
Both parameters accept single attributes and arrays. When :only or :except is given the :on_hash option will be ignored.
Hide user_id if associated user model will be included. This rule will also apply when calling serializable_hash.
class Event < ActiveRecord::Base
belongs_to :user
hide_attributes :user_id, :on_hash => true, :if => Proc.new { |event, format, opts| opts[:include].include?(:user) }
end
By default rules do not apply when serializing to hash.
Changelog
Sep 24, 2011
SafeAttributes provides methods to change default role and to map roles to specific values before processing rules. Also added full documentation to all public methods and methods that are usefull for testing own rules.
Sep 22, 2011
Nearly all features are successfully tested using a fake environment now. SafeAttributes provides a new quick role validation using the :as parameters and HiddenAttributes can apply rules only to specific formats via :only and :except parameters.
Sep 1, 2011
HiddenAttributes works on included model when serializing to json by hooking
into serializable_hash now. Therefore it is possible to hide attributes when
serializing to hash via serializable_hash method too.
But by default rules will not be checked on serializable_hash, you have to
add :on_hash => true
to hide_attributes to enabled it for this rule.
Update: SafeAttributes works now with Rails 3.1 mass_assignment_authorizer that provides a role and pass this role to if and unless blocks as second parameter. Not tested but should also work with old mass_assignment_authorizer.
License
Copyright (C) 2011 Jan Graichen
AttributeExt is licensed under the Apache License, Version 2.0. See LICENSE for more information.