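module Haml
  module Safemode
    # Evaluation scope handed to a Haml template that runs in safemode.
    #
    # The object is a Blankslate: template code can reach only the instance
    # variables copied in by #bind, the locals given to #bind, and the view
    # methods listed in @pass_to_view (+render+ plus the instance methods of
    # the allow-listed ActionView helper modules). Every other call lands in
    # #method_missing and raises Haml::Safemode::SecurityError.
    class ScopeObject < Blankslate
      # ActionView helper modules whose instance methods a template may call.
      # Module names are compared with the "ActionView::Helpers::" prefix
      # stripped.
      ALLOWED_HELPERS = %w(
        UrlHelper TextHelper TagHelper ScriptaculousHelper SanitizeHelper
        RecordTagHelper RecordIdentificationHelper NumberHelper
        JavaScriptHelper PrototypeHelper FormTagHelper FormOptionsHelper
        FormHelper DateHelper AtomFeedHelper AssetTagHelper ActiveRecordHelper
      ).freeze

      # Shape an assigns key must have to be turned into an instance variable
      # name. Anchored with \A/\z so a key cannot smuggle anything but a plain
      # identifier into the eval in #bind.
      IVAR_KEY = /\A[A-Za-z_]\w*\z/.freeze

      # @param view [Object] the ActionView instance that helper calls and
      #   +render+ are forwarded to
      def initialize(view)
        @view = view
        # Empty until #bind runs, so #method_missing never dereferences nil.
        @locals = {}
        # NOTE(review): +render+ is forwarded wholesale, so a template may pass
        # it any option the view's render accepts — confirm that matches the
        # trust placed in template authors.
        @pass_to_view = [:render] + helper_methods
      end

      # Instance methods of every allow-listed helper module mixed into the view.
      #
      # Anonymous modules (nil name) are skipped rather than raising.
      #
      # @return [Array<Symbol>] method names a template may call on the view
      def helper_methods
        allowed = @view.class.included_modules.select do |mod|
          ALLOWED_HELPERS.include?(mod.name.to_s.gsub('ActionView::Helpers::', ''))
        end
        # to_sym keeps the result uniform on Rubies where instance_methods
        # returns strings.
        allowed.map { |mod| mod.instance_methods(false) }.flatten.map(&:to_sym)
      end

      # Copies +assigns+ into instance variables, stores +locals+, and returns
      # the binding the template is evaluated in.
      #
      # @param assigns [Hash, nil] values exposed to the template as @name
      #   instance variables; keys must match IVAR_KEY
      # @param locals [Hash, nil] values exposed by bare name via
      #   #method_missing
      # @return [Binding]
      # @raise [ArgumentError] if an assigns key is not a plain identifier
      def bind(assigns, locals, &block)
        assigns ||= {}
        assigns.each do |key, value|
          name = key.to_s
          raise ArgumentError, "invalid assigns key: #{name.inspect}" unless name =~ IVAR_KEY
          # eval is kept rather than instance_variable_set because Blankslate
          # may hide public Object methods; with the key restricted to an
          # identifier it contributes only the ivar name, never code. The value
          # comes from the pair itself, so symbol keys work as well as strings.
          eval "@#{name} = value"
        end
        @locals = locals || {}
        # Calls to +locals+ from the template are jailed (Blankslate), so they
        # are served through #method_missing rather than the local variable.
        # NOTE(review): the returned binding also exposes this method's locals
        # (assigns, locals, block) to the template — confirm that is intended.
        binding
      end

      # Presumably called by the safemode jailing layer; this object is its own
      # jail, so it is returned unchanged.
      #
      # @return [ScopeObject] self
      def to_jail
        self
      end

      # Resolves a bare name from the template: a local from #bind first, then a
      # view method on the allow-list; anything else is a security error.
      #
      # @param method [Symbol] the name the template called
      # @raise [Haml::Safemode::SecurityError] when the name is neither a local
      #   nor an allow-listed view method
      def method_missing(method, *args, &block)
        if @locals.key?(method)
          @locals[method]
        elsif @pass_to_view.include?(method)
          @view.send(method, *args, &block)
        else
          raise Haml::Safemode::SecurityError.new(method, "#")
        end
      end
    end
  end
end

# Reference list (presumably the helper_methods result for a Rails view of the
# era); it is not consulted by the code above.
# apply_form_for_options!, array_or_string_for_javascript, atom_feed,
# auto_discovery_link_tag, auto_link, build_callbacks, build_observer,
# button_to, button_to_function, cdata_section, check_box, check_box_tag,
# collection_select, concat, concat_with_haml, concat_without_haml, content_tag,
# content_tag_for, country_options_for_select, country_select, current_page?,
# cycle, date_select, datetime_select, define_javascript_functions,
# distance_of_time_in_words, distance_of_time_in_words_to_now, div_for,
# dom_class, dom_id, draggable_element, draggable_element_js,
# drop_receiving_element, drop_receiving_element_js, error_message_on,
# error_messages_for, escape_javascript, escape_once, evaluate_remote_response,
# excerpt, field_set_tag, fields_for, file_field, file_field_tag, form,
# form_for, form_for_with_haml, form_for_without_haml, form_remote_for,
# form_remote_tag, form_tag, form_tag_with_haml, form_tag_without_haml,
# hidden_field, hidden_field_tag, highlight, image_path, image_submit_tag,
# image_tag, input, javascript_cdata_section, javascript_include_tag,
# javascript_path, javascript_tag, label, link_to, link_to_function, link_to_if,
# link_to_remote, link_to_unless, link_to_unless_current, mail_to,
# method_option_to_s, number_to_currency, number_to_human_size,
# number_to_percentage, number_to_phone, number_with_delimiter,
# number_with_precision, observe_field, observe_form,
# option_groups_from_collection_for_select, options_for_ajax,
# options_for_javascript, options_for_select,
# options_from_collection_for_select, partial_path, password_field,
# password_field_tag, path_to_image, path_to_javascript, path_to_stylesheet,
# periodically_call_remote, pluralize, radio_button, radio_button_tag,
# remote_form_for, remote_function, reset_cycle, sanitize, sanitize_css, select,
# select_date, select_datetime, select_day, select_hour, select_minute,
# select_month, select_second, select_tag, select_time, select_year,
# simple_format, sortable_element, sortable_element_js, strip_links, strip_tags,
# stylesheet_link_tag, stylesheet_path, submit_tag, submit_to_remote, tag,
# text_area, text_area_tag, text_field, text_field_tag, time_ago_in_words,
# time_select, time_zone_options_for_select, time_zone_select, truncate,
# update_page, update_page_tag, url_for, visual_effect, word_wrap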