heartcombo--devise/lib/devise/parameter_sanitizer.rb

module Devise
  class BaseSanitizer
    attr_reader :params, :resource_name, :resource_class

    def initialize(resource_class, resource_name, params)
      @resource_class = resource_class
      @resource_name  = resource_name
      @params         = params
      @blocks         = Hash.new
    end

    def for(kind, &block)
      if block_given?
        @blocks[kind] = block
      else
        block = @blocks[kind]
        block ? block.call(default_params) : fallback_for(kind)
      end
    end

    private

    def fallback_for(kind)
      default_params
    end

    def default_params
      params.fetch(resource_name, {})
    end
  end

  class ParameterSanitizer < BaseSanitizer

    class PermittedParameters

      def initialize(resource_class)
        @resource_class = resource_class
        @for = { :sign_in => sign_in, :sign_up => sign_up, :account_update => account_update }
      end

      def sign_in
        auth_keys + [:password, :remember_me]
      end

      def sign_up
        auth_keys + [:password, :password_confirmation]
      end

      def account_update
        auth_keys + [:password, :password_confirmation, :current_password]
      end

      def auth_keys
        @resource_class.authentication_keys.respond_to?(:keys) ? @resource_class.authentication_keys.keys : @resource_class.authentication_keys
      end

      def for(kind)
        @for[kind]
      end

      def add(*params)
        @for.each { |action, permitted| permitted.push *params }
      end

      def remove(*params)
        @for.each do |action, permitted| 
          permitted.delete_if { |param| params.include? param }
        end
      end

    end

    def permitted_parameters
      @permitted_parameters ||= PermittedParameters.new(@resource_class)
    end

    private

    def fallback_for(kind)
      if respond_to?(kind, true)
        send(kind)
      elsif (permitted = permitted_parameters.for(kind))
        default_params.permit permitted
      else
        raise NotImplementedError, "Devise Parameter Sanitizer doesn't know how to sanitize parameters for #{kind}"
      end
    end

  end
end
Add support for Rails 4 strong_parameters This brings support for Rails 4 StrongParameters changes. - Parameter sanitizing is setup for Devise controllers via resource_params except Omniauth Callbacks which doesn't use resource_params. - Change #build_resource to not call resource_params for get requests. Parameter sanitizing is only needed when params are posted to the server so there's no need to try to construct resource params on get requests (new, edit). 2013-03-13 12:37:54 -04:00			`module Devise`
Introduce BaseSanitizer null sanitizer and controller-specific callbacks This updates Devise's StrongParameter support to feature: - A Null base sanitizer to support existing Rails 3.x installations that don't want to use StrongParameters yet - A new, simpler API for ParameterSanitizer: #permit, #permit!, and #forbid - Overrideable callbacks on a controller-basis, e.g. #create_sessions_params for passing the current scope's parameters through StrongParameters and a helper method, whitelisted_params, for rolling your own implementations of #create_x_params in your own controllers. - Lots of tests! 2013-04-10 11:33:50 -04:00			`class BaseSanitizer`
Clean up Devise parameter sanitizer 2013-04-14 02:21:46 -04:00			`attr_reader :params, :resource_name, :resource_class`
Add support for Rails 4 strong_parameters This brings support for Rails 4 StrongParameters changes. - Parameter sanitizing is setup for Devise controllers via resource_params except Omniauth Callbacks which doesn't use resource_params. - Change #build_resource to not call resource_params for get requests. Parameter sanitizing is only needed when params are posted to the server so there's no need to try to construct resource params on get requests (new, edit). 2013-03-13 12:37:54 -04:00
Clean up Devise parameter sanitizer 2013-04-14 02:21:46 -04:00			`def initialize(resource_class, resource_name, params)`
			`@resource_class = resource_class`
			`@resource_name = resource_name`
			`@params = params`
			`@blocks = Hash.new`
Introduce BaseSanitizer null sanitizer and controller-specific callbacks This updates Devise's StrongParameter support to feature: - A Null base sanitizer to support existing Rails 3.x installations that don't want to use StrongParameters yet - A new, simpler API for ParameterSanitizer: #permit, #permit!, and #forbid - Overrideable callbacks on a controller-basis, e.g. #create_sessions_params for passing the current scope's parameters through StrongParameters and a helper method, whitelisted_params, for rolling your own implementations of #create_x_params in your own controllers. - Lots of tests! 2013-04-10 11:33:50 -04:00			`end`

Clean up Devise parameter sanitizer 2013-04-14 02:21:46 -04:00			`def for(kind, &block)`
			`if block_given?`
			`@blocks[kind] = block`
			`else`
			`block = @blocks[kind]`
			`block ? block.call(default_params) : fallback_for(kind)`
			`end`
Introduce BaseSanitizer null sanitizer and controller-specific callbacks This updates Devise's StrongParameter support to feature: - A Null base sanitizer to support existing Rails 3.x installations that don't want to use StrongParameters yet - A new, simpler API for ParameterSanitizer: #permit, #permit!, and #forbid - Overrideable callbacks on a controller-basis, e.g. #create_sessions_params for passing the current scope's parameters through StrongParameters and a helper method, whitelisted_params, for rolling your own implementations of #create_x_params in your own controllers. - Lots of tests! 2013-04-10 11:33:50 -04:00			`end`

Clean up Devise parameter sanitizer 2013-04-14 02:21:46 -04:00			`private`

			`def fallback_for(kind)`
Introduce BaseSanitizer null sanitizer and controller-specific callbacks This updates Devise's StrongParameter support to feature: - A Null base sanitizer to support existing Rails 3.x installations that don't want to use StrongParameters yet - A new, simpler API for ParameterSanitizer: #permit, #permit!, and #forbid - Overrideable callbacks on a controller-basis, e.g. #create_sessions_params for passing the current scope's parameters through StrongParameters and a helper method, whitelisted_params, for rolling your own implementations of #create_x_params in your own controllers. - Lots of tests! 2013-04-10 11:33:50 -04:00			`default_params`
			`end`
Clean up Devise parameter sanitizer 2013-04-14 02:21:46 -04:00
			`def default_params`
			`params.fetch(resource_name, {})`
			`end`
Introduce BaseSanitizer null sanitizer and controller-specific callbacks This updates Devise's StrongParameter support to feature: - A Null base sanitizer to support existing Rails 3.x installations that don't want to use StrongParameters yet - A new, simpler API for ParameterSanitizer: #permit, #permit!, and #forbid - Overrideable callbacks on a controller-basis, e.g. #create_sessions_params for passing the current scope's parameters through StrongParameters and a helper method, whitelisted_params, for rolling your own implementations of #create_x_params in your own controllers. - Lots of tests! 2013-04-10 11:33:50 -04:00			`end`

			`class ParameterSanitizer < BaseSanitizer`
Extend params sanitizer, to make it easier to add/remove permitted params - Move the default permitted parameters into ParameterSanitizer::PermittedParameters - Add devise_permitted_parameters helper - devise_permitted_parameters.add to add permitted parameters - devise_permitted_parameters.remove to remove Devise's defaults - devise_permitted_parameters.for to access the parameters for a given action - Update 'Strong Parameters' section of README Signed-off-by: José Valim <jose.valim@plataformatec.com.br> 2013-08-11 14:47:18 -04:00
			`class PermittedParameters`

			`def initialize(resource_class)`
			`@resource_class = resource_class`
			`@for = { :sign_in => sign_in, :sign_up => sign_up, :account_update => account_update }`
			`end`

			`def sign_in`
			`auth_keys + [:password, :remember_me]`
			`end`

			`def sign_up`
			`auth_keys + [:password, :password_confirmation]`
			`end`

			`def account_update`
			`auth_keys + [:password, :password_confirmation, :current_password]`
			`end`

			`def auth_keys`
			`@resource_class.authentication_keys.respond_to?(:keys) ? @resource_class.authentication_keys.keys : @resource_class.authentication_keys`
			`end`

			`def for(kind)`
			`@for[kind]`
			`end`

			`def add(*params)`
			`@for.each { \|action, permitted\| permitted.push *params }`
			`end`

			`def remove(*params)`
			`@for.each do \|action, permitted\|`
			`permitted.delete_if { \|param\| params.include? param }`
			`end`
			`end`

			`end`

			`def permitted_parameters`
			`@permitted_parameters \|\|= PermittedParameters.new(@resource_class)`
			`end`

Clean up Devise parameter sanitizer 2013-04-14 02:21:46 -04:00			`private`
Introduce BaseSanitizer null sanitizer and controller-specific callbacks This updates Devise's StrongParameter support to feature: - A Null base sanitizer to support existing Rails 3.x installations that don't want to use StrongParameters yet - A new, simpler API for ParameterSanitizer: #permit, #permit!, and #forbid - Overrideable callbacks on a controller-basis, e.g. #create_sessions_params for passing the current scope's parameters through StrongParameters and a helper method, whitelisted_params, for rolling your own implementations of #create_x_params in your own controllers. - Lots of tests! 2013-04-10 11:33:50 -04:00
Clean up Devise parameter sanitizer 2013-04-14 02:21:46 -04:00			`def fallback_for(kind)`
			`if respond_to?(kind, true)`
			`send(kind)`
Extend params sanitizer, to make it easier to add/remove permitted params - Move the default permitted parameters into ParameterSanitizer::PermittedParameters - Add devise_permitted_parameters helper - devise_permitted_parameters.add to add permitted parameters - devise_permitted_parameters.remove to remove Devise's defaults - devise_permitted_parameters.for to access the parameters for a given action - Update 'Strong Parameters' section of README Signed-off-by: José Valim <jose.valim@plataformatec.com.br> 2013-08-11 14:47:18 -04:00			`elsif (permitted = permitted_parameters.for(kind))`
			`default_params.permit permitted`
Clean up Devise parameter sanitizer 2013-04-14 02:21:46 -04:00			`else`
			`raise NotImplementedError, "Devise Parameter Sanitizer doesn't know how to sanitize parameters for #{kind}"`
			`end`
Add support for Rails 4 strong_parameters This brings support for Rails 4 StrongParameters changes. - Parameter sanitizing is setup for Devise controllers via resource_params except Omniauth Callbacks which doesn't use resource_params. - Change #build_resource to not call resource_params for get requests. Parameter sanitizing is only needed when params are posted to the server so there's no need to try to construct resource params on get requests (new, edit). 2013-03-13 12:37:54 -04:00			`end`

			`end`
			`end`