This gem is no longer maintained.
Expose
Expose allows you to dynamically adjust the ‘attr_accessible’ or ‘attr_protected’ of a model. This is only for managing mass-assignment security, and not overall security.
Model
The following would let you mass-assign :sometimes_important when the :state is 'new' or 'pending'.
  class Account < ActiveRecord::Base
    include Expose::Model

    # name:string
    # sometimes_important:string
    # state:string ... example [:new, :pending, :closed]

    expose :sometimes_important,
           :if => Proc.new { |account| [:new, :pending].include?(account.state) }

    # same result as line above (just using)
    expose :sometimes_important, :state => [:new, :pending]

    # similar to line above
    expose :sometimes_important,
           :unless => Proc.new { |account| [:closed].include?(account.state) }

    # same as line above
    expose :sometimes_important, :not_state => :closed

    # using whitelist strategy
    attr_accessible :name

    # OR, using blacklist strategy
    # attr_protected :sometimes_important
  end
Notes
This gem has only been tested with Rails 3.1.rc3, but should work with Rails 3.X. It only uses the hook :mass_assignment_authorizer.
Todo
This gem is in the early stages of development, so use at your own risk.
Plans/Ideas:
- add a 'protect' version, which does the opposite of 'expose'; maybe disable attr_protected. Using this gem shows an interest in mass-assignment security, so why not ensure use of a whitelist-only strategy?
- add a controller version (so that session data can be used, i.e. the role of the logged-in user)
- add better error handling and option checking; maybe add some logging
- do not require ActiveRecord, but rather ActiveModel
- not require adding 'include Expose::Model'. When I do, the class variable '_exposures' is shared by all subclasses of ActiveRecord::Base, and each declared model then sees the same '_exposures'.
Installation
Install the gem:
gem install expose
Or add Expose to your Gemfile and bundle it up:
gem 'expose'
Options
'expose' handles a series of options. Those are:
- :if - When true, the attribute will be added to the whitelist.
- :unless - When false, the attribute will be added to the whitelist.
- :state - When in this state, the attribute will be added to the whitelist.
- :not_state - When not in this state, the attribute will be added to the whitelist.
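To show how the Model section's conditional exposures and the four options above combine into a per-record whitelist, here is an added, dependency-free Ruby sketch. It is not the gem's code and does not touch Rails: ConditionalWhitelist, the Account struct, #allowed_for, #sanitize and assign_params are all hypothetical names, and the state comparison normalises both sides to symbols, which the gem may or may not do.

```ruby
# Added example (not the gem's code): a minimal model of how Expose-style
# conditional whitelisting filters a mass-assignment hash per record.
class ConditionalWhitelist
  def initialize(always_allowed)
    @always = always_allowed.map(&:to_sym)   # plain attr_accessible list
    @exposures = []                          # [attribute, predicate] pairs
  end

  # expose attr, :if => proc | :unless => proc | :state => sym(s) | :not_state => sym(s)
  def expose(attr, opts)
    to_syms = ->(v) { Array(v).map(&:to_sym) }
    pred =
      if opts[:if]           then opts[:if]
      elsif opts[:unless]    then ->(r) { !opts[:unless].call(r) }
      elsif opts[:state]     then ->(r) { to_syms.call(opts[:state]).include?(r.state.to_sym) }
      elsif opts[:not_state] then ->(r) { !to_syms.call(opts[:not_state]).include?(r.state.to_sym) }
      else raise ArgumentError, "expose needs :if, :unless, :state or :not_state"
      end
    @exposures << [attr.to_sym, pred]
  end

  # Whitelist in effect for this record; this is the role the gem's
  # mass_assignment_authorizer hook plays in Rails 3.
  def allowed_for(record)
    @always + @exposures.select { |_, p| p.call(record) }.map(&:first)
  end

  # Drop every key that is not whitelisted for this record (constructed input)
  def sanitize(record, attrs)
    allowed = allowed_for(record)
    attrs.reject { |k, _| !allowed.include?(k.to_sym) }
  end
end

# Hypothetical stand-in for the ActiveRecord model: only :state matters here
Account = Struct.new(:state)

ACCOUNT_WHITELIST = ConditionalWhitelist.new([:name]).tap do |w|
  w.expose :sometimes_important, :state => [:new, :pending]
end

# Filters a params hash the way attr_accessible would for the given account
def assign_params(account, params)
  ACCOUNT_WHITELIST.sanitize(account, params)
end
```

For a closed account, assign_params strips "sometimes_important" and keeps only "name"; for a pending account both keys survive.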
Maintainers
- Mark G (github.com/attack)
Contributors
- you
Influence
- trusted-params (github.com/ryanb/trusted-params) - An ActionController-only version, not compatible with Rails 3.X.
Bugs and Feedback
If you discover any bugs or want to drop a line, feel free to create an issue on GitHub: github.com/attack/expose/issues
MIT License. Copyright 2011 Mark G. github.com/attack