README
A simple plugin to change ActionController's default open policy to a more secure "closed-by-default" policy.
With this plugin, public methods on controllers are not available to requests by default; instead, they must be exposed explicitly, stating which HTTP methods are allowed. This prevents accidentally allowing access to helper methods or filters, and it also solves the problem of forgetting to add verify invocations to prevent GET from reaching actions that manipulate data.
The name "expose" (and parts of the concept) is taken from CherryPy (www.cherrypy.org).
Usage:

  class MyController < ApplicationController
    expose :get, :index
    def index
      ...
    end

    expose :get, :show
    def show
      ...
    end

    expose :post, :create
    def create
      ...
    end

    # expose one action for several HTTP methods:
    expose [:get, :post], :action_for_both_post_and_get
    def action_for_both_post_and_get
    end

    # you can also expose many methods at once:
    expose [:put, :post], :update, :change_owner
    def update
    end

    def change_owner
    end
  end
Methods exposed in base controller are also exposed in derived controllers.
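The following is an added, self-contained Ruby model of the closed-by-default policy described above; it is not the plugin's code and does not depend on Rails. The module name Exposable, the controller classes, the dispatch helper and its status strings are all assumptions made for the illustration. It shows the three behaviours the README promises: an unexposed public method (a helper) is unreachable, an action exposed for POST cannot be reached with GET, and exposures declared on a base controller are inherited by derived controllers.

```ruby
require 'set'

# Added illustration (not the expose plugin itself) of a closed-by-default
# action policy: an action is routable only if it was listed with `expose`
# for the requested HTTP verb. Exposures declared on a base class are
# visible in subclasses, but not the other way round.
module Exposable
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Exposures declared directly on this class: {action => Set of verbs}.
    def own_exposures
      @own_exposures ||= {}
    end

    # Effective table, merging the superclass's exposures (if any) with
    # this class's own, so base-controller exposures are inherited and
    # additions to the base are seen even after the subclass is defined.
    def exposed_actions
      parent = superclass.respond_to?(:exposed_actions) ? superclass.exposed_actions : {}
      parent.merge(own_exposures) { |_action, inherited, own| inherited | own }
    end

    # expose :get, :index          -> index reachable via GET only
    # expose [:get, :post], :foo   -> foo reachable via GET or POST
    # expose :post, :a, :b         -> several actions at once
    def expose(verbs, *actions)
      verbs = Array(verbs).map { |v| v.to_s.downcase.to_sym }
      actions.each do |action|
        (own_exposures[action.to_sym] ||= Set.new).merge(verbs)
      end
    end

    # True only when the action was exposed for exactly this verb.
    def exposed?(verb, action)
      verbs = exposed_actions[action.to_sym]
      !verbs.nil? && verbs.include?(verb.to_s.downcase.to_sym)
    end
  end
end

# Simulated dispatcher (assumed helper): refuses unexposed actions before
# ever looking at the controller's methods, so public helpers stay hidden.
def dispatch(controller_class, verb, action)
  table = controller_class.exposed_actions
  return "404 #{action}: not exposed" unless table.key?(action.to_sym)
  return "405 #{action}: #{verb.to_s.upcase} not allowed" unless controller_class.exposed?(verb, action)
  "200 #{controller_class.new.public_send(action)}"
end

# Constructed sample controllers mirroring the README's usage block.
class BaseController
  include Exposable
  expose :get, :index
  def index; 'index listing'; end

  # Public helper that is deliberately NOT exposed: unreachable by request.
  def current_user; 'alice'; end
end

class PostsController < BaseController
  expose :get, :show
  expose [:put, :post], :update, :change_owner
  def show; 'showing post'; end
  def update; 'updated'; end
  def change_owner; 'owner changed'; end
  def destroy; 'destroyed'; end # never exposed, so never routable
end

if __FILE__ == $PROGRAM_NAME
  [[:get, :index], [:get, :current_user], [:get, :update],
   [:post, :update], [:post, :destroy]].each do |verb, action|
    puts "#{verb.to_s.upcase} #{action} -> #{dispatch(PostsController, verb, action)}"
  end
end
```

Running the file prints one line per constructed request; the inherited index action succeeds with GET, update succeeds only with POST or PUT, and current_user and destroy are refused as not exposed even though they are public methods.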
Author: Paweł Stradomski <pstradomski@codesprinters.com>
(C) 2008 Code Sprinters <http://www.codesprinters.com>. Released under MIT licence.