Remove the dependency for protected_attributes

Appraisals

@@ -26,12 +26,10 @@ if RUBY_VERSION >= '1.9'
   appraise 'activerecord_4_0' do
     gem 'activerecord', '~> 4.0.0'
     gem 'mysql', '~> 2.9.0' if ENV['DB'] == 'mysql'
-    gem 'protected_attributes', '~> 1.0.0'
   end
 
   appraise 'activerecord_4_1' do
     gem 'activerecord', '~> 4.1.0'
     gem 'mysql', '~> 2.9.0' if ENV['DB'] == 'mysql'
-    gem 'protected_attributes', '~> 1.0.0'
   end
 end

README.rdoc

@@ -172,6 +172,13 @@ you should show its details to the user registering the client: its
 <tt>client_secret</tt> is not stored in plain text so you can only read it when
 you initially create the client object.
 
+==== Note on protecting Client attributes
+
+It is important to make sure to protect the <tt>Client</tt> model attributes from mass-assigning. Either using
+<tt>protected attributes</tt> (Rails < 4) or <tt>strong parameters</tt> (Rails >= 4).
+
+Do not allow the attributes <tt>client_id</tt> and <tt>client_secret</tt> to be mass-assigned. Usually, you'll only allow
+the attributes <tt>name</tt> and <tt>redirect_uri</tt> to be mass-assigned.
 
 === OAuth request endpoint
 
@@ -401,4 +408,3 @@ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
-

gemfiles/activerecord_4_0.gemfile

@@ -4,6 +4,5 @@ source "https://rubygems.org"
 
 gem "activerecord", "~> 4.0.0"
 gem "mysql", "~> 2.9.0"
-gem "protected_attributes", "~> 1.0.0"
 
-gemspec :path=>"../"
+gemspec :path=>"../"

gemfiles/activerecord_4_1.gemfile

@@ -4,6 +4,5 @@ source "https://rubygems.org"
 
 gem "activerecord", "~> 4.1.0"
 gem "mysql", "~> 2.9.0"
-gem "protected_attributes", "~> 1.0.0"
 
-gemspec :path=>"../"
+gemspec :path=>"../"

lib/songkick/oauth2/model/authorization.rb

@@ -17,8 +17,6 @@ class Authorization < ActiveRecord::Base
         validates_uniqueness_of :refresh_token_hash, :scope => :client_id, :allow_nil => true
         validates_uniqueness_of :access_token_hash,                        :allow_nil => true
 
-        attr_accessible nil
-
         class << self
           private :create, :new
         end
@@ -134,4 +132,3 @@ def scopes
     end
   end
 end
-

lib/songkick/oauth2/model/client.rb

@@ -15,8 +15,6 @@ class Client < ActiveRecord::Base
         validates_presence_of   :name, :redirect_uri
         validate :check_format_of_redirect_uri
 
-        attr_accessible :name, :redirect_uri
-
         before_create :generate_credentials
 
         def self.create_client_id
@@ -56,4 +54,3 @@ def generate_credentials
     end
   end
 end
-

spec/songkick/oauth2/model/client_spec.rb

@@ -32,16 +32,6 @@
     @client.should_not be_valid
   end
 
-  it "cannot mass-assign client_id" do
-    @client.update_attributes(:client_id => 'foo')
-    @client.client_id.should_not == 'foo'
-  end
-
-  it "cannot mass-assign client_secret" do
-    @client.update_attributes(:client_secret => 'foo')
-    @client.client_secret.should_not == 'foo'
-  end
-
   it "has client_id and client_secret filled in" do
     @client.client_id.should_not be_nil
     @client.client_secret.should_not be_nil
@@ -52,4 +42,3 @@
     Songkick::OAuth2::Model::Authorization.count.should be_zero
   end
 end
-

spec/spec_helper.rb

@@ -2,7 +2,6 @@
 require 'bundler/setup'
 
 require 'active_record'
-require 'protected_attributes' if defined?(ActiveRecord::VERSION) && ActiveRecord::VERSION::MAJOR > 3
 
 require 'songkick/oauth2/provider'
 
@@ -79,4 +78,3 @@ def create_authorization(params)
     end
   end
 end
-