module Tennpipes::ParamsProtection::ClassMethods

Public Instance Methods

params(*allowed_params)

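Implements allow-list filtering of URL query params, which can prevent mass-assignment. An unfiltered deep copy of the params is kept in `@original_params`, so code that reads that copy is not covered by the filter.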

@example

post :update, :params => [:name, :email]
post :update, :params => [:name, :id => Integer]
post :update, :params => [:name => proc{ |v| v.reverse }]
post :update, :params => [:name, :parent => [:name, :position]]
post :update, :params => false
post :update, :params => true

@example

params :name, :email, :password => proc{ |v| v.reverse }
post :update

@example

App.controller :accounts, :params => [:name, :position] do
  post :create
  post :update, :with => [ :id ], :params => [:name, :position, :addition]
  get :show, :with => :id, :params => false
  get :search, :params => true
end
# File lib/tennpipes-base/application/params_protection.rb, line 45
# Normalizes the given allow-list once, when the declaration is evaluated, and
# registers a +condition+ block that applies it.
#
# Inside the block, +params+ is looked up when the block runs, not here.
# NOTE(review): presumably that is the request's params in the route context;
# +condition+ and +filter_params!+ are defined outside this listing, confirm.
#
# Security note: @original_params keeps every submitted key, so any code that
# reads it instead of +params+ is not protected by the allow-list.
#
# @param allowed_params [Array] names and nested rules, as in the examples above
def params(*allowed_params)
  param_filter = prepare_allowed_params(allowed_params)
  condition do
    # Snapshot first: the call below receives the live params object.
    @original_params = params.deep_dup
    filter_params!(params, param_filter)
  end
end

Private Instance Methods

prepare_allowed_params(allowed_params)
# File lib/tennpipes-base/application/params_protection.rb, line 55
# Turns a declared allow-list into a frozen Hash keyed by parameter name.
#
# Each entry of +allowed_params+ is read as a (name, rule) pair:
# * a Hash entry with no rule of its own is normalized recursively and merged
#   into the result;
# * a Hash or Array rule becomes a nested, frozen filter under the name;
# * an explicit +false+ rule is stored as +false+;
# * a missing (nil) rule is stored as +true+;
# * any other rule (a class or a proc in the examples) is stored unchanged.
#
# Names are stringified with +to_s+. How each stored rule is enforced is up to
# the filtering code, which is not part of this method.
#
# @param allowed_params [Array, Hash] declared names and rules
# @return [Hash] frozen filter with String keys
def prepare_allowed_params(allowed_params)
  normalized = allowed_params.each_with_object({}) do |(name, rule), filter|
    if name.is_a?(Hash) && !rule
      # Bare hash entry such as { :id => Integer }: flatten it into this level.
      filter.update(prepare_allowed_params(name))
    elsif rule.is_a?(Hash) || rule.is_a?(Array)
      filter[name.to_s] = prepare_allowed_params(rule)
    elsif rule == false
      # Keep an explicit false distinct from "no rule given".
      filter[name.to_s] = false
    else
      filter[name.to_s] = rule || true
    end
  end
  normalized.freeze
end