From 489e6fde19fc97afc64fb2f973a422f282c2806d Mon Sep 17 00:00:00 2001
From: Geoffrey Schorkopf
Date: Mon, 13 Jul 2015 12:18:07 -0400
Subject: [PATCH] Prefer public_send to collaborating objects

* This prevents inadvertent access level violations
---
 lib/jsonapi/link_builder.rb | 4 ++--
 lib/jsonapi/operation.rb | 4 ++--
 lib/jsonapi/resource.rb | 20 ++++++++++----------
 lib/jsonapi/resource_serializer.rb | 12 ++++++------
 4 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/lib/jsonapi/link_builder.rb b/lib/jsonapi/link_builder.rb
index 1653e2a36..4cb9ffc18 100644
--- a/lib/jsonapi/link_builder.rb
+++ b/lib/jsonapi/link_builder.rb
@@ -58,7 +58,7 @@ def build_engine_name
 def engine_path_from_resource_class(klass)
 path_name = engine_resources_path_name_from_class(klass)
- engine_name.routes.url_helpers.send(path_name)
+ engine_name.routes.url_helpers.public_send(path_name)
 end
 def engine_primary_resources_path
@@ -71,7 +71,7 @@ def engine_primary_resources_url
 def engine_resource_path(source)
 resource_path_name = engine_resource_path_name_from_source(source)
- engine_name.routes.url_helpers.send(resource_path_name, source.id)
+ engine_name.routes.url_helpers.public_send(resource_path_name, source.id)
 end
 def engine_resource_path_name_from_source(source)
diff --git a/lib/jsonapi/operation.rb b/lib/jsonapi/operation.rb
index b98842cd4..99fca8f94 100644
--- a/lib/jsonapi/operation.rb
+++ b/lib/jsonapi/operation.rb
@@ -126,7 +126,7 @@ def initialize(resource_klass, options = {})
 def apply
 source_resource = @source_klass.find_by_key(@source_id, context: @context)
- related_resource = source_resource.send(@association_type)
+ related_resource = source_resource.public_send(@association_type)
 return JSONAPI::ResourceOperationResult.new(:ok, related_resource)
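Review bot: In `apply` (lib/jsonapi/operation.rb, hunk at line 126) the method name handed to `public_send` is still the unchecked `@association_type`, so the call can reach any public method of the resource, not only its declared associations. `public_send` rules out private and protected methods, but if `@association_type` is derived from the request (its origin is not visible in this hunk) I would verify it before dispatch, for example `fail ArgumentError, 'unknown association' unless @source_klass._associations.key?(@association_type.to_sym)`, assuming `_associations` is the symbol-keyed hash that resource.rb indexes. The same applies to the `apply` in the hunk at line 152, which additionally forwards `filters:`, `sort_criteria:` and `paginator:`. Both method bodies continue outside their hunks.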
@@ -152,7 +152,7 @@ def initialize(resource_klass, options = {})
 def apply
 source_resource = @source_klass.find_by_key(@source_id, context: @context)
- related_resource = source_resource.send(@association_type,
+ related_resource = source_resource.public_send(@association_type,
 filters: @filters,
 sort_criteria: @sort_criteria,
 paginator: @paginator)
diff --git a/lib/jsonapi/resource.rb b/lib/jsonapi/resource.rb
index eda7871b5..84d6827c7 100644
--- a/lib/jsonapi/resource.rb
+++ b/lib/jsonapi/resource.rb
@@ -28,7 +28,7 @@ def initialize(model, context = nil)
 end
 def id
- model.send(self.class._primary_key)
+ model.public_send(self.class._primary_key)
 end
 def is_new?
@@ -112,7 +112,7 @@ def fetchable_fields
 # Override this on a resource to customize how the associated records
 # are fetched for a model. Particularly helpful for authorization.
 def records_for(association_name, _options = {})
- model.send association_name
+ model.public_send association_name
 end
 private
@@ -166,9 +166,9 @@ def _create_has_many_links(association_type, association_key_values)
 related_resource = association.resource_klass.find_by_key(association_key_value, context: @context)
 # TODO: Add option to skip relations that already exist instead of returning an error?
- relation = @model.send(association.type).where(association.primary_key => association_key_value).first
+ relation = @model.public_send(association.type).where(association.primary_key => association_key_value).first
 if relation.nil?
- @model.send(association.type) << related_resource.model
+ @model.public_send(association.type) << related_resource.model
 else
 fail JSONAPI::Exceptions::HasManyRelationExists.new(association_key_value)
 end
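Review bot: The comment above `records_for` (lib/jsonapi/resource.rb, hunk at line 112) names authorization as a reason to override it but does not say that the default applies none. The default returns whatever `model.public_send association_name` yields and ignores `_options`. I would add a line such as `# The default returns the model's association unfiltered and ignores _options; override to scope records by context.` so a resource author does not assume scoping already happens here.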
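Review bot: In `_create_has_many_links` (hunk at line 166) the duplicate check and the `<<` are separate statements, so two concurrent requests can both get `nil` from `.where(...).first` and both append the same record. `HasManyRelationExists` is therefore only a best-effort guard; a unique index on the join would enforce it, but whether one exists is not visible here, and its violation would need mapping to the same exception. Separately, `@model.public_send(association.type)` is dispatched twice, and a local such as `linked_records = @model.public_send(association.type)` would keep the two uses in step. The method begins and ends outside the hunk.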
@@ -198,8 +198,8 @@ def _replace_has_one_link(association_type, association_key_value)
 def _replace_polymorphic_has_one_link(association_type, key_value, key_type)
 association = self.class._associations[association_type.to_sym]
- model.send("#{association.foreign_key}=", key_value)
- model.send("#{association.polymorphic_type}=", key_type.to_s.classify)
+ model.public_send("#{association.foreign_key}=", key_value)
+ model.public_send("#{association.polymorphic_type}=", key_type.to_s.classify)
 @save_needed = true
@@ -209,7 +209,7 @@ def _replace_polymorphic_has_one_link(association_type, key_value, key_type)
 def _remove_has_many_link(association_type, key)
 association = self.class._associations[association_type]
- @model.send(association.type).delete(key)
+ @model.public_send(association.type).delete(key)
 :completed
 end
@@ -314,11 +314,11 @@ def attribute(attr, options = {})
 @_attributes ||= {}
 @_attributes[attr] = options
 define_method attr do
- @model.send(attr)
+ @model.public_send(attr)
 end unless method_defined?(attr)
 define_method "#{attr}=" do |value|
- @model.send "#{attr}=", value
+ @model.public_send "#{attr}=", value
 end unless method_defined?("#{attr}=")
 end
@@ -696,7 +696,7 @@ def _associate(klass, *attrs)
 define_method foreign_key do
 records = public_send(associated_records_method_name)
 return records.collect do |record|
- record.send(association.resource_klass._primary_key)
+ record.public_send(association.resource_klass._primary_key)
 end
 end unless method_defined?(foreign_key)
 define_method attr do |options = {}|
diff --git a/lib/jsonapi/resource_serializer.rb b/lib/jsonapi/resource_serializer.rb
index 5517d10bf..fea7b947f 100644
--- a/lib/jsonapi/resource_serializer.rb
+++ b/lib/jsonapi/resource_serializer.rb
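Review bot: `_replace_polymorphic_has_one_link` (lib/jsonapi/resource.rb, hunk at line 198) stores `key_type.to_s.classify` in the polymorphic type attribute without checking that it names a type this association may point at. If `key_type` comes from the request document (its origin is outside the hunk), a client can persist an arbitrary class name, which is presumably resolved to a constant when the association is later loaded. I would check `key_type` against the resource types permitted for the association before the two `public_send` calls and raise one of the library's `JSONAPI::Exceptions` errors otherwise. The method body continues past the hunk.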
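Review bot: `_remove_has_many_link` (hunk at line 209) indexes `self.class._associations` with `association_type` as given, while `_replace_polymorphic_has_one_link` in the previous hunk uses `association_type.to_sym`. If a caller passes a string here (callers are not visible), the lookup presumably returns nil and `association.type` raises NoMethodError before `public_send` is reached. Using `association = self.class._associations[association_type.to_sym]` would make the two lookups consistent.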
@@ -132,7 +132,7 @@ def attribute_hash(source)
 fields.each_with_object({}) do |name, hash|
 format = source.class._attribute_options(name)[:format]
 unless name == :id
- hash[format_key(name)] = format_value(source.send(name), format)
+ hash[format_key(name)] = format_value(source.public_send(name), format)
 end
 end
 end
@@ -167,7 +167,7 @@ def relationship_data(source, include_directives)
 # through the associations.
 if include_linkage || include_linked_children
 if association.is_a?(JSONAPI::Association::HasOne)
- resource = source.send(name)
+ resource = source.public_send(name)
 if resource
 id = resource.id
 type = association.type_for_source(source)
@@ -179,7 +179,7 @@ def relationship_data(source, include_directives)
 end
 end
 elsif association.is_a?(JSONAPI::Association::HasMany)
- resources = source.send(name)
+ resources = source.public_send(name)
 resources.each do |resource|
 id = resource.id
 associations_only = already_serialized?(type, id)
@@ -267,18 +267,18 @@ def link_object(source, association, include_linkage = false)
 # Extracts the foreign key value for a has_one association.
 def foreign_key_value(source, association)
 foreign_key = association.foreign_key
- value = source.send(foreign_key)
+ value = source.public_send(foreign_key)
 IdValueFormatter.format(value)
 end
 def foreign_key_types_and_values(source, association)
 if association.is_a?(JSONAPI::Association::HasMany)
 if association.polymorphic?
- source.model.send(association.name).pluck(:type, :id).map do |type, id|
+ source.model.public_send(association.name).pluck(:type, :id).map do |type, id|
 [type.pluralize, IdValueFormatter.format(id)]
 end
 else
- source.send(association.foreign_key).map do |value|
+ source.public_send(association.foreign_key).map do |value|
 [association.type, IdValueFormatter.format(value)]
 end
 end