On Tue, Dec 2, 2008 at 3:12 AM, Alex Neth <[EMAIL PROTECTED]> wrote:
>
> Is there anything built in to the framework to validate action input,
> and perhaps even output?
>
> That is, before I start executing my actions, to make sure certain
> parameters are passed, others aren't, and that some are in a certain
> format. I don't always want that pushed down to the model (and there
> isn't always a model.)
>
> For instance:
>
> validates_param_present :say_hi, :name
> validates_param_format :say_hi, :name, :with => /[A-Za-z]+/
>
> def say_hi(name)
> "hi #{name}"
> end
>
> Perhaps it's better to j
>
> This could easily be implemented with before filters, etc. Or could
> be done within the action:
>
> def say_hi(name)
> validate_param_present :name
> validate_param_format :name, :with => /[A-Za-z]+/
> end
>
> Just wondering if it is already in the framework or there are plans
> for it.
>
> My particular need right now is to protect against spoofing in a
> reliable way. I am actually working with a model in this case, so it
> would need to be something more like:
>
> validates_param_not_present :register, [:user, :admin]
> (which would make sure {:user => { :admin => 1 }} wasn't passed)
>
merb-param-protection
=====================

This plugin exposes three new controller methods which allow us to
simply and flexibly filter the parameters available within the
controller.

Setup:

The request sets:

    params => { :post => { :title => "ello", :body => "Want it",
                           :status => "green", :author_id => 3, :rank => 4 } }

Example 1: params_accessible

    class MyController < Application
      params_accessible :post => [:title, :body]
    end

    params.inspect # => { :post => { :title => "ello", :body => "Want it" } }

So we see that params_accessible removes everything except what is
explicitly specified.

Example 2: params_protected

    class MyOtherController < Application
      params_protected :post => [:status, :author_id]
    end

    params.inspect # => { :post => { :title => "ello", :body => "Want it", :rank => 4 } }

We also see that params_protected removes ONLY those parameters
explicitly specified.

Sometimes you have certain post parameters that are best left
unlogged; we support that too. Your actions continue to receive the
variable correctly, but the requested parameters are scrubbed at log
time.

    class MySuperDuperController < Application
      log_params_filtered :password
    end

    params.inspect # => { :username => 'atmos', :password => '[FILTERED]' }
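Added example (not from the thread or the plugin): a stand-alone Ruby re-implementation of the three filtering rules described above, run over the README's request and over the spoofing case from the question ({:user => {:admin => 1}}). The rule that unnamed top-level keys pass through untouched is an assumption made here.

```ruby
# Whitelist: inside each named top-level key, keep only the listed sub-keys.
# Top-level keys not named in the rules pass through unchanged (assumption).
def params_accessible(params, rules)
  params.each_with_object({}) do |(key, value), kept|
    if rules.key?(key) && value.is_a?(Hash)
      kept[key] = value.select { |k, _| rules[key].include?(k) }
    else
      kept[key] = value
    end
  end
end

# Blacklist: inside each named top-level key, drop exactly the listed sub-keys.
def params_protected(params, rules)
  params.each_with_object({}) do |(key, value), kept|
    if rules.key?(key) && value.is_a?(Hash)
      kept[key] = value.reject { |k, _| rules[key].include?(k) }
    else
      kept[key] = value
    end
  end
end

# Log-time scrub: return a copy in which the named keys (at any depth) are
# replaced by '[FILTERED]'. The original hash is untouched for the action.
def log_params_filtered(params, secret_keys)
  params.each_with_object({}) do |(key, value), scrubbed|
    scrubbed[key] =
      if secret_keys.include?(key)
        '[FILTERED]'
      elsif value.is_a?(Hash)
        log_params_filtered(value, secret_keys)
      else
        value
      end
  end
end

# Constructed inputs: the README's request, and a request that tries to
# slip an :admin flag into a nested :user hash (the question's spoofing case).
REQUEST = { :post => { :title => "ello", :body => "Want it", :status => "green",
                       :author_id => 3, :rank => 4 } }
SPOOFED = { :user => { :name => "alex", :admin => 1 }, :password => "s3cret" }

if __FILE__ == $0
  p params_accessible(REQUEST, :post => [:title, :body])
  p params_protected(REQUEST, :post => [:status, :author_id])
  p params_accessible(SPOOFED, :user => [:name])      # :admin is dropped
  p log_params_filtered(SPOOFED, [:password])
end
```

Note that the whitelist form is the one that stops the spoofing case: a blacklist only removes keys you already thought to name.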
You received this message because you are subscribed to the Google Groups
"merb" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/merb?hl=en