Module: Searchgasm::Search::Protection

Included in: Base
Defined in: lib/searchgasm/search/protection.rb

Overview

Searchgasm Protection

This adds protection during mass assignments only. It allows you to pass a params object when doing mass assignments without having to worry about some 13-year-old Billy adding SQL injections. There is a section in the readme that covers protection, but to reiterate:

Protected

User.new_search(params[:search])
User.new_conditions(params[:search])

search.options = params[:search]
conditions.conditions = params[:conditions]

NOT Protected

User.new_search!(params[:search])
User.new_conditions!(params[:search])
User.find(:all, params[:search])
User.first(params[:search])
User.all(params[:search])

Constant Summary

SAFE_OPTIONS = Base::SPECIAL_FIND_OPTIONS + [:conditions, :limit, :offset]

Options that are allowed when protecting against SQL injections (still checked though).

VULNERABLE_OPTIONS = Base::VALID_FIND_OPTIONS - SAFE_OPTIONS

Options that are not allowed, at all, when protecting against SQL injections.

Class Method Details

.included(klass) ⇒ Object

# File 'lib/searchgasm/search/protection.rb', line 30

def self.included(klass)
  klass.class_eval do
    attr_reader :protect
    alias_method_chain :limit, :protection
    alias_method_chain :limit=, :protection
    alias_method_chain :options=, :protection
  end
end

Instance Method Details

#limit_with_protection ⇒ Object

# File 'lib/searchgasm/search/protection.rb', line 39

def limit_with_protection # :nodoc:
  return Config.per_page if protected? && !@set_limit
  limit_without_protection
end

#limit_with_protection=(value) ⇒ Object

# File 'lib/searchgasm/search/protection.rb', line 44

def limit_with_protection=(value) # :nodoc:
  @set_limit = true
  self.limit_without_protection = value
end

#options_with_protection=(values) ⇒ Object

# File 'lib/searchgasm/search/protection.rb', line 49

def options_with_protection=(values) # :nodoc:
  return unless values.is_a?(Hash)
  self.protect = values.delete(:protect) if values.has_key?(:protect) # make sure we do this first
  frisk!(values) if protect?
  self.options_without_protection = values
end
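
The three hooks above work together: :protect is consumed before anything else, a protected search has its option hash frisked, and a protected search that never set a limit falls back to a per-page default. The following is an added illustration of those rules, not Searchgasm's own code; the contents of VALID_FIND_OPTIONS, SPECIAL_FIND_OPTIONS and the PER_PAGE value are assumed stand-ins for Base's constants and Config.per_page, and frisk! here is a simplified stand-in that only rejects vulnerable keys.

```ruby
# Added illustration, not Searchgasm's own code. The option lists and PER_PAGE
# are ASSUMED stand-ins for Base's constants and Config.per_page.
module ProtectionDemo
  PER_PAGE = 25
  VALID_FIND_OPTIONS   = [:conditions, :include, :joins, :limit, :offset, :order,
                          :select, :readonly, :group, :from, :lock]
  SPECIAL_FIND_OPTIONS = [:order_by, :order_as, :page, :per_page]
  SAFE_OPTIONS         = SPECIAL_FIND_OPTIONS + [:conditions, :limit, :offset]
  VULNERABLE_OPTIONS   = VALID_FIND_OPTIONS - SAFE_OPTIONS
  class VulnerableOptionError < ArgumentError; end

  class Search
    attr_reader :options

    def initialize(protect = true)
      @protect, @options, @set_limit = protect, {}, false
    end

    def protect?
      @protect == true
    end

    # Like limit_with_protection: a protected search is never unbounded.
    def limit
      return PER_PAGE if protect? && !@set_limit
      @options[:limit]
    end

    def limit=(value)
      @set_limit = true
      @options[:limit] = value
    end

    # Like options_with_protection=: honour :protect first, frisk, then assign.
    def options=(values)
      return unless values.is_a?(Hash)
      values = values.dup
      @protect = values.delete(:protect) if values.key?(:protect)
      frisk!(values) if protect?
      self.limit = values.delete(:limit) if values.key?(:limit)
      @options.merge!(values)
    end

    # Stand-in for frisk!: refuse any option a request must not control.
    def frisk!(values)
      bad = values.keys.map(&:to_sym) & VULNERABLE_OPTIONS
      raise VulnerableOptionError, "refusing #{bad.inspect}" unless bad.empty?
    end
  end
end
```

Note that passing :protect => false in the same hash switches frisking off, which is exactly why the readme lists the bang methods and plain find calls as NOT protected.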

#protect=(value) ⇒ Object

Accepts a boolean. Will protect mass assignments if set to true, and unprotect mass assignments if set to false.

# File 'lib/searchgasm/search/protection.rb', line 57

def protect=(value)
  conditions.protect = value
  @protect = value
end

#protect? ⇒ Boolean (also known as: protected?)

Convenience method for determining whether the search is protected or not.

Returns:

  • (Boolean)

# File 'lib/searchgasm/search/protection.rb', line 63

def protect?
  protect == true
end