Allows explicit exposing of Rails controller methods to specific set of HTTP verbs
codesprinters/expose
A simple plugin to change ActionController default open policy to a more secure "closed-by-default" policy. With this plugin, public methods on controllers are not available to requests by default; instead, they need to be exposed explicitly, stating the allowed HTTP methods. This prevents accidentally allowing access to helper methods or filters, and it solves the problem of forgetting to add verify invocations to prevent GET from being used to access actions that manipulate data.

The name "expose" (and parts of the concept) is taken from CherryPy (www.cherrypy.org).

Usage:

    class MyController < ApplicationController
      expose :get, :index
      def index
        # ...
      end

      expose :get, :show
      def show
        # ...
      end

      expose :post, :create
      def create
        # ...
      end

      expose [:get, :post], :action_for_both_post_and_get
      def action_for_both_post_and_get
      end

      # you can also expose many methods at once:
      expose [:put, :post], :update, :change_owner
      def update
      end

      def change_owner
      end
    end

Methods exposed in base controller are also exposed in derived controllers.

Author: Paweł Stradomski <[email protected]>

(C) 2008 Code Sprinters <http://www.codesprinters.com>. Released under MIT licence.
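A framework-free Ruby sketch of the closed-by-default dispatch described above, added here as an illustration and not the plugin's own code. `MiniController`, `allowed_verbs`, `dispatch`, the sample controllers and the 404/405 responses are assumptions; only the `expose verbs, *actions` call shape comes from the README.

```ruby
# Added sketch in plain Ruby (no Rails). Every name except `expose` is hypothetical.
class MiniController
  def self.own_exposed
    @own_exposed ||= {} # action name => verbs exposed on this class
  end

  # Same call shape as the README: expose verb_or_verbs, *action_names
  def self.expose(verbs, *actions)
    actions.each do |a|
      own_exposed[a.to_s] = own_exposed.fetch(a.to_s, []) | Array(verbs)
    end
  end

  # Verbs allowed for an action, including those exposed in base classes.
  def self.allowed_verbs(action)
    inherited = superclass.respond_to?(:allowed_verbs) ? superclass.allowed_verbs(action) : []
    inherited | own_exposed.fetch(action.to_s, [])
  end

  # Closed by default: a name absent from the table is refused before any call,
  # so public helpers and inherited Object methods are never reachable.
  def dispatch(verb, action)
    allowed = self.class.allowed_verbs(action)
    return [404, "no such action"] if allowed.empty?
    return [405, "allowed: #{allowed.join(', ')}"] unless allowed.include?(verb.to_s.downcase.to_sym)
    [200, public_send(action)]
  end
end

# Constructed sample controllers.
class AccountsController < MiniController
  expose :get, :show
  expose [:post, :put], :update

  def show; "account"; end
  def update; "updated"; end
  def audit_log; "internal helper"; end # public, but never exposed
end

class AdminAccountsController < AccountsController
  expose :delete, :destroy
  def destroy; "deleted"; end
end
```
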