By popular (cue laughter) demand, I have added whitelisting to the popular (cue hysterical laughter) param_protected plugin. It is done via the param_accessible method.
I have also added support to properly handle array params.
For more details (i.e. documentation), please see the README file.
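As an added illustration (not the plugin's own code), the following Ruby shows the two filtering modes this post describes side by side: blacklisting in the spirit of param_protected and whitelisting in the spirit of param_accessible, applied recursively so that nested hashes and arrays of hashes are covered as well. The ParamRules module, its rule syntax and the PARAMS hash are constructed for this example and are not the plugin's API.

```ruby
# Added illustration of blacklist vs. whitelist filtering of a Rails-style
# params hash. NOT the param_protected plugin's code; the rule syntax,
# module name and sample params below are assumptions for this example.
module ParamRules
  # A rule list is an Array whose entries are either a key name ("admin")
  # or a one-entry Hash nesting further rules under a key ({"user" => ["admin"]}).
  def self.normalize(rules)
    rules.flat_map do |r|
      if r.is_a?(Hash)
        r.map { |k, v| { k.to_s => normalize(Array(v)) } }
      else
        [r.to_s]
      end
    end
  end

  # Sub-rules declared under +key+, or nil when +key+ has no nested rule.
  def self.nested(rules, key)
    rules.each { |r| return r[key] if r.is_a?(Hash) && r.key?(key) }
    nil
  end

  # Blacklist: drop every key named by a leaf rule, descend into nested rules,
  # and leave everything not mentioned untouched.
  def self.protect(value, rules)
    case value
    when Hash
      value.each_with_object({}) do |(k, v), out|
        k = k.to_s
        next if rules.include?(k)                # leaf rule: strip the key entirely
        sub = nested(rules, k)
        out[k] = sub ? protect(v, sub) : v
      end
    when Array
      value.map { |v| protect(v, rules) }        # arrays of hashes get the same rules
    else
      value
    end
  end

  # Whitelist: keep only keys named by a rule; anything not mentioned is dropped.
  def self.permit(value, rules)
    case value
    when Hash
      value.each_with_object({}) do |(k, v), out|
        k = k.to_s
        if rules.include?(k)
          out[k] = v                              # leaf rule: keep the whole value
        elsif (sub = nested(rules, k))
          out[k] = permit(v, sub)
        end
      end
    when Array
      value.map { |v| permit(v, rules) }
    else
      value
    end
  end
end

# Constructed request parameters, shaped as Rails would parse
# ?user[name]=mina&user[admin]=1&users[][name]=a&users[][admin]=1&tags[]=x&tags[]=y
PARAMS = {
  "controller" => "home", "action" => "index",
  "user"  => { "name" => "mina", "admin" => "1" },
  "users" => [{ "name" => "a", "admin" => "1" }, { "name" => "b", "admin" => "0" }],
  "tags"  => ["x", "y"],
}

# Blacklist: strip the "admin" flag from the user hash and from each element
# of the users array; everything else passes through.
def blacklisted
  ParamRules.protect(PARAMS, ParamRules.normalize([{ :user => :admin }, { :users => :admin }]))
end

# Whitelist: only the routing keys, user[name] and tags survive.
def whitelisted
  ParamRules.permit(PARAMS, ParamRules.normalize([:controller, :action, { :user => :name }, :tags]))
end
```

The two results differ on the "users" array: the blacklist keeps it (minus the admin flags) because nothing said otherwise, while the whitelist drops it because nothing said to keep it. That asymmetry is why a whitelist is the safer default for mass assignment: a new attribute is denied until someone lists it, whereas a blacklist silently admits anything you forgot to name.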
3 comments:
Just in time for my current rails project. Thank you :)
Hi Christopher
I'm having a time getting this to work, even on a new test app:
rails test_app; cd test_app; ./script/generate controller home; ./script/plugin install git://github.com/cjbottaro/param_protected.git
then in app/controllers/home.rb
    class HomeController < ApplicationController
      param_protected :name
      def index
        render :text => "Hello %s" % params[:name]
      end
    end
Hitting http://localhost:3000/home?name=mina shows this in the browser:
Hello mina
Logging indicates that "name" was not protected:
Processing HomeController#index (for 127.0.0.1 at 2008-07-16 13:27:04) [GET]
Session ID: BAh7BiIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo
SGFzaHsABjoKQHVzZWR7AA==--2b265f2ec8b10c2c878a44bd512a2012e8148e7e
Parameters: {"name"=>"mina", "action"=>"index", "controller"=>"home"}
Parameters protected: {}
Digging through the plugin source, I think the problem is in _pp_get_actions, specifically, calling public_instance_methods
At the time the method in my controller gets called, the "index" method has not yet been defined, so the above code doesn't assign anything to _pp_protected_map
I've tried this with older versions of rails instead of 2.1 and it's the same behavior.
Any ideas?
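The failure described in this comment is easy to reproduce outside Rails. As an added example (not the plugin's code; the EagerController, LazyController and filtered_params names are assumptions), the class macro below snapshots public_instance_methods at the moment it runs, which is while the class body is still being evaluated and before index exists, so the protection map ends up empty and the request goes through unfiltered. The second variant records the rule and resolves it against the action list at request time, when every action method is defined.

```ruby
# Added illustration of the ordering bug: a class macro that inspects
# public_instance_methods while the class body is still being evaluated only
# sees actions defined ABOVE the macro. Not the plugin's code; names assumed.
class EagerController
  def self.param_protected(*keys)
    @map = {}
    # Snapshot taken now: any action defined further down the class body is missed.
    public_instance_methods(false).each { |m| @map[m.to_s] = keys.map(&:to_s) }
  end

  def self.protected_for(action)
    (@map || {})[action.to_s] || []
  end
end

class LazyController
  def self.param_protected(*keys)
    (@rules ||= []).concat(keys.map(&:to_s))   # just record the rule for now
  end

  # Resolve at request time: by then every action method exists.
  def self.protected_for(action)
    actions = public_instance_methods(false).map(&:to_s)
    actions.include?(action.to_s) ? (@rules || []) : []
  end
end

# Strip the keys the controller class declares protected for this action.
def filtered_params(controller_class, action, params)
  drop = controller_class.protected_for(action)
  params.reject { |k, _| drop.include?(k.to_s) }
end

class EagerHome < EagerController
  param_protected :name   # runs before index is defined, so it covers nothing
  def index; end
end

class LazyHome < LazyController
  param_protected :name   # same declaration, resolved later
  def index; end
end

# Constructed request, matching the parameters shown in the comment's log.
REQUEST = { "name" => "mina", "action" => "index", "controller" => "home" }

def eager_result
  filtered_params(EagerHome, :index, REQUEST)   # "name" leaks through
end

def lazy_result
  filtered_params(LazyHome, :index, REQUEST)    # "name" is removed
end
```

The "Parameters protected: {}" line in the log above is the symptom of the eager variant: the declaration ran, raised no error, and protected nothing. A cheap guard against this class of bug is a test that asserts the protection map is non-empty for each action after the class has finished loading, rather than only testing the filter in isolation.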
Heh, yeah... the plugin just plain wasn't working in a real app, even though all the tests were passing.
I rewrote the entire plugin and tests, as well as tested in a real app. Should be good to go now.