Expose
Expose allows you to dynamically adjust the ‘attr_accessible’ or ‘attr_protected’ of a model. This is only for managing mass-assignment security, and not overall security.
Model
The following would let you mass_assign :sometimes_important when the :state
is 'new' or 'pending'.
class Account < ActiveRecord::Base
include Expose::Model
# name:string
# sometimes_important:string
# state:string ... example [:new, :pending, :closed]
expose :sometimes_important,
:if => Proc.new { |account| [:new,:pending].include?(account.state) }
# same result as line above (just using)
expose :sometimes_important, :state => [:new, :pending]
# similar to line above
expose :sometimes_important,
:unless => Proc.new { |account| [:closed].include?(account.state) }
# same as line above
expose :sometimes_important, :not_state => :closed
# using whitelist strategy
attr_accessible :name
# OR, using blacklist strategy
# attr_protected :sometimes_important
end
Notes
This gem has only been tested with Rails 3.1.rc3, but should work with Rails 3.X. It only uses the hook :mass_assignment_authorizer.
Todo
This gem is in the early stages of development, so use at your own risk.
Plans/Ideas:
- add 'protect' version, which does the opposite of 'expose'
- maybe disable attr_protected. Using this gem shows an interest in
mass-assignment security. Why not ensure use of a whitelist only
strategy.
- add controller version (so that session data can be used, ie: role of
logged in user)
- add better error handling and option checking, maybe add some logging
- do not require ActiveRecord, but rather ActiveModel
- not require adding 'include Expose::Model'. When I do, the class variable
'_exposures' is shared by all subclasses of ActiveRecord::Base, and each
declared model then sees the same '_exposures'.
Installation
Install the gem:
gem install expose
Or add Expose to your Gemfile and bundle it up:
gem 'expose'
Options
‘expose’ handles a series of options. Those are:
-
:if * - When true, the attribute will be added to whitelist.
-
:unless * - When false, the attribute will be added to whitelist.
-
:state * - When in this state, the attribute will be added to whitelist.
-
:not_state * - When not in this state, the attribute will be added to whitelist.
Maintainers
-
Mark G (github.com/attack)
Contributors
-
you
Influence
-
trusted-params (github.com/ryanb/trusted-params) - An ActiveController only version, not compatible with Rails 3.X.
Bugs and Feedback
If you discover any bugs or want to drop a line, feel free to create an issue on GitHub.
github.com/attack/expose/issues
MIT License. Copyright 2011 Mark G. github.com/attack