Module: Searchgasm::Search::Protection

Included in:
Base
Defined in:
lib/searchgasm/search/protection.rb

Overview

Searchgasm Protection

This adds protection during mass assignments only. This allows you to pass a params object when doing mass assignments and not have to worry about some 13-year-old Billy adding SQL injections. There is a section in the readme that covers protection, but to reiterate:

Protected

User.new_search(params[:search])
User.new_conditions(params[:search])

search.options = params[:search]
conditions.conditions = params[:conditions]

NOT Protected

User.new_search!(params[:search])
User.new_conditions!(params[:search])
User.find(:all, params[:search])
User.first(params[:search])
User.all(params[:search])

Constant Summary

SAFE_OPTIONS =

Options that are allowed when protecting against SQL injections (still checked though)

Base::SPECIAL_FIND_OPTIONS + [:conditions, :limit, :offset] - [:priority_order]
VULNERABLE_FIND_OPTIONS =
Base::AR_FIND_OPTIONS - SAFE_OPTIONS + [:priority_order]
VULNERABLE_CALCULATIONS_OPTIONS =
Base::AR_CALCULATIONS_OPTIONS - SAFE_OPTIONS + [:priority_order]
VULNERABLE_OPTIONS =

Options that are not allowed, at all, when protecting against SQL injections

Base::OPTIONS - SAFE_OPTIONS

Class Method Summary

Instance Method Summary

Class Method Details

.included(klass) ⇒ Object

# File 'lib/searchgasm/search/protection.rb', line 34

def self.included(klass)
  klass.class_eval do
    attr_reader :protect
    alias_method_chain :options=, :protection
  end
end

Instance Method Details

#options_with_protection=(values) ⇒ Object

:nodoc:

# File 'lib/searchgasm/search/protection.rb', line 41

def options_with_protection=(values) # :nodoc:
  return unless values.is_a?(Hash)
  self.protect = values.delete(:protect) if values.has_key?(:protect) # make sure we do this first
  frisk!(values) if protect?
  self.options_without_protection = values
end

#protect=(value) ⇒ Object

Accepts a boolean. Will protect mass assignments if set to true, and unprotect mass assignments if set to false.

# File 'lib/searchgasm/search/protection.rb', line 49

def protect=(value)
  conditions.protect = value
  @protect = value
end

#protect? ⇒ Boolean Also known as: protected?

Convenience method for determining if the search is protected or not.

Returns:

  • (Boolean)

# File 'lib/searchgasm/search/protection.rb', line 55

def protect?
  protect == true
end
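The following is an added, stand-alone model of what the overview and options_with_protection= describe: the :protect key is consumed first, and when protection is on every remaining key is checked against SAFE_OPTIONS before assignment. It is example code, not Searchgasm's own; the option lists are constructed stand-ins because Base::AR_FIND_OPTIONS and Base::SPECIAL_FIND_OPTIONS are not reproduced on this page, and frisk! is a hypothetical reimplementation.

```ruby
# Added example (not Searchgasm's own code): models how Protection#options=
# frisks a params hash before mass assignment. Option lists are assumed.
module ProtectedSearchDemo
  AR_FIND_OPTIONS      = [:conditions, :include, :joins, :limit, :offset,
                          :order, :select, :group, :from]               # assumed
  SPECIAL_FIND_OPTIONS = [:page, :per_page, :order_by, :order_as]       # assumed
  SAFE_OPTIONS         = SPECIAL_FIND_OPTIONS + [:conditions, :limit, :offset]
  VULNERABLE_OPTIONS   = AR_FIND_OPTIONS - SAFE_OPTIONS

  class ProtectedOptionsError < StandardError; end

  class Search
    attr_reader :options
    attr_accessor :protect

    def protect?
      protect == true
    end

    # Same order as options_with_protection=: consume :protect first,
    # frisk the rest only when protection is on, then assign.
    def options=(values)
      return unless values.is_a?(Hash)
      self.protect = values.delete(:protect) if values.key?(:protect)
      frisk!(values) if protect?
      @options = values
    end

    # Allowlist check (hypothetical frisk!): every key must be in SAFE_OPTIONS.
    # Keys that reach raw SQL (:select, :joins, :order, ...) and unknown keys
    # are rejected outright rather than sanitised.
    def frisk!(values)
      rejected = values.keys - SAFE_OPTIONS
      return if rejected.empty?
      raise ProtectedOptionsError, "rejected options: #{rejected.inspect}"
    end
  end

  # Feed a string-keyed hash (as Rails params arrive) to a search.
  # Returns the accepted options, or nil when frisking rejected the hash.
  def self.try_assign(params, protect: true)
    search = Search.new
    search.protect = protect
    search.options = params.each_with_object({}) { |(k, v), h| h[k.to_sym] = v }
    search.options
  rescue ProtectedOptionsError
    nil
  end
end
```

With protection on, a hash carrying only :conditions, :limit and :page is accepted, while one carrying :select or :order is refused; with protect: false the same hash passes straight through, which is the unprotected path the overview warns about.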