
Changed ActiveRecord attributes to respect access control.

Signed-off-by: Michael Koziarski <michael@koziarski.com>
[#1084 state:committed]
1 parent a78ec93 commit 4d9a7ab5f5c28820e0b076f9ca44bdd20e19e6ea Adam Milligan committed with NZKoz Sep 21, 2008
@@ -232,6 +232,10 @@ def evaluate_attribute_method(attr_name, method_definition, method_name=attr_nam
def method_missing(method_id, *args, &block)
method_name = method_id.to_s
+ if self.class.private_method_defined?(method_name)
+ raise NoMethodError("Attempt to call private method", method_name, args)
+ end
+
# If we haven't generated any methods yet, generate them, then
# see if we've created the method we're looking for.
if !self.class.generated_methods?
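Review bot: `raise NoMethodError("Attempt to call private method", method_name, args)` does not construct an exception; `NoMethodError(...)` is a method call, so this line raises a NoMethodError only by accident (undefined method `NoMethodError') and the intended message, name and args never reach the caller. Use `raise NoMethodError.new("Attempt to call private method", method_name, args)` or `raise NoMethodError, "Attempt to call private method #{method_name}"`. The guard also only consults `private_method_defined?`; a protected attribute method called with an explicit receiver still falls through to the generated-method path, so `protected_method_defined?` deserves the same treatment if the goal is to respect access control in general.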
@@ -334,10 +338,12 @@ def query_attribute(attr_name)
# <tt>person.respond_to?(:name=)</tt>, and <tt>person.respond_to?(:name?)</tt>
# which will all return +true+.
alias :respond_to_without_attributes? :respond_to?
- def respond_to?(method, include_priv = false)
+ def respond_to?(method, include_private_methods = false)
method_name = method.to_s
if super
return true
+ elsif self.private_methods.include?(method_name) && !include_private_methods
+ return false
elsif !self.class.generated_methods?
self.class.define_attribute_methods
if self.class.generated_methods.include?(method_name)
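Review bot: `self.private_methods.include?(method_name)` builds the full array of private method names on every `respond_to?` call and then compares strings, while `method_missing` in the same file uses `self.class.private_method_defined?(method_name)`; using the latter here too is cheaper and keeps the two checks consistent. It also avoids a portability trap: `private_methods` returns strings on Ruby 1.8 but symbols on 1.9, so the `include?(method_name)` comparison silently stops matching on 1.9, whereas `private_method_defined?` accepts either form. As in `method_missing`, protected methods are not considered here.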
@@ -58,19 +58,19 @@ def test_should_unserialize_attributes_for_frozen_records
def test_kernel_methods_not_implemented_in_activerecord
%w(test name display y).each do |method|
- assert_equal false, ActiveRecord::Base.instance_method_already_implemented?(method), "##{method} is defined"
+ assert !ActiveRecord::Base.instance_method_already_implemented?(method), "##{method} is defined"
end
end
def test_primary_key_implemented
- assert_equal true, Class.new(ActiveRecord::Base).instance_method_already_implemented?('id')
+ assert Class.new(ActiveRecord::Base).instance_method_already_implemented?('id')
end
def test_defined_kernel_methods_implemented_in_model
%w(test name display y).each do |method|
klass = Class.new ActiveRecord::Base
klass.class_eval "def #{method}() 'defined #{method}' end"
- assert_equal true, klass.instance_method_already_implemented?(method), "##{method} is not defined"
+ assert klass.instance_method_already_implemented?(method), "##{method} is not defined"
end
end
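Review bot: replacing `assert_equal false, x` with `assert !x` (and `assert_equal true, x` with `assert x`) is a cosmetic cleanup unrelated to access control and would be easier to review in its own commit. Note it is also marginally weaker: `assert !x` passes when `instance_method_already_implemented?` returns nil, whereas `assert_equal false` required exactly `false`.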
@@ -80,7 +80,7 @@ def test_defined_kernel_methods_implemented_in_model_abstract_subclass
abstract.class_eval "def #{method}() 'defined #{method}' end"
abstract.abstract_class = true
klass = Class.new abstract
- assert_equal true, klass.instance_method_already_implemented?(method), "##{method} is not defined"
+ assert klass.instance_method_already_implemented?(method), "##{method} is not defined"
end
end
@@ -228,6 +228,40 @@ def test_setting_time_zone_conversion_for_attributes_should_write_value_on_class
assert_equal [:field_b], Minimalistic.skip_time_zone_conversion_for_attributes
end
+ def test_read_attributes_respect_access_control
+ privatize("title")
+
+ topic = @target.new(:title => "The pros and cons of programming naked.")
[inline comment] mislav (Member), Sep 24, 2008: Oh, there are cons?

+ assert !topic.respond_to?(:title)
+ assert_raise(NoMethodError) { topic.title }
+ topic.send(:title)
+ end
+
+ def test_write_attributes_respect_access_control
+ privatize("title=(value)")
+
+ topic = @target.new
+ assert !topic.respond_to?(:title=)
+ assert_raise(NoMethodError) { topic.title = "Pants"}
+ topic.send(:title=, "Very large pants")
+ end
+
+ def test_question_attributes_respect_access_control
+ privatize("title?")
+
+ topic = @target.new(:title => "Isaac Newton's pants")
+ assert !topic.respond_to?(:title?)
+ assert_raise(NoMethodError) { topic.title? }
+ assert topic.send(:title?)
+ end
+
+ def test_bulk_update_respects_access_control
+ privatize("title=(value)")
+
+ assert_raise(ActiveRecord::UnknownAttributeError) { topic = @target.new(:title => "Rants about pants") }
+ assert_raise(ActiveRecord::UnknownAttributeError) { @target.new.attributes = { :title => "Ants in pants" } }
+ end
+
private
def time_related_columns_on_topic
Topic.columns.select{|c| [:time, :date, :datetime, :timestamp].include?(c.type)}.map(&:name)
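Review bot: `topic.send(:title)` in test_read_attributes_respect_access_control and `topic.send(:title=, "Very large pants")` in test_write_attributes_respect_access_control assert nothing; they only prove that no exception is raised. Comparing against the body installed by `privatize`, e.g. `assert_equal "I'm private", topic.send(:title)`, would show that the private method, not the generated attribute reader, is what `send` reaches. In test_bulk_update_respects_access_control the `topic =` assignment is unused and can go; more importantly, raising ActiveRecord::UnknownAttributeError for an attribute whose writer exists but is private is misleading to callers (the attribute is known, it is just not writable from outside), so either document that behaviour or raise a more specific error. Minor style: `"Pants"}` is missing a space before the brace.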
@@ -244,4 +278,13 @@ def in_time_zone(zone)
Time.zone = old_zone
ActiveRecord::Base.time_zone_aware_attributes = old_tz
end
+
+ def privatize(method_signature)
+ @target.class_eval <<-private_method
+ private
+ def #{method_signature}
+ "I'm private"
+ end
+ private_method
+ end
end
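Review bot: `privatize` redefines `title`, `title=` or `title?` on `@target` via string eval, so it depends on setup handing each test a fresh class; if `@target` is shared between tests, the privatized method leaks into later tests and the bulk-update test in particular will fail or pass for the wrong reason. If it is not already fresh per test, build it with `Class.new(Topic)` in setup. The `private` keyword inside the heredoc applies only to the rest of that eval, which ends right after the def, so it does not affect anything else on the class.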

15 comments on commit 4d9a7ab

@NZKoz
Member
NZKoz commented on 4d9a7ab Sep 25, 2008

Indeed, it’s frowned upon at community code drives or in the enterprise.

Programming naked isn’t enterprise ready

@supaspoida

Cons: moment of panic as you rush to get clothed when the doorbell rings.

@nbibler
Contributor

Cons: the look you receive from your wife when she returns home from work at the end of the day, and there you are.

@smart
smart commented on 4d9a7ab Sep 25, 2008

Cons: forgetting that your skype was set to video chat….

@nickh
nickh commented on 4d9a7ab Sep 25, 2008

Cons: pair programming and standup meetings

@rotor
rotor commented on 4d9a7ab Sep 25, 2008

Cons: a vinyl chair

@amyhoy
amyhoy commented on 4d9a7ab Sep 25, 2008

cons: crack-sweat + chair.

I win.

(Being non-enterprise-ready is a pro, in my book.)

@masterkain
Contributor

Cons: having adeona running, your macbook gets stolen and police look at photos taken to identify the thief.

@ggoodale

Cons: Near nuclear temperatures emanating from the bottom of your MacBook Pro when Time Machine kicks in.

@mtodd
Contributor
mtodd commented on 4d9a7ab Sep 25, 2008

Pros: air flow!

Someone had to.

@randito

Pros: My plugin hit your mencache.
Cons: It was a miss.

@raggi
Contributor
raggi commented on 4d9a7ab Sep 25, 2008

Cons:

  def test_something
    send :something
  end

  describe 'something' do
    before do
      @obj.module_eval { public :something }
    end
    it 'is a pain in the ass to test' { true.should.eql(true) }
    it ….
  end

;-P

@augustl

Pros: Makes tabbing to porn sites when tests are running a lot more convenient

@henrik
Contributor
henrik commented on 4d9a7ab Sep 26, 2008

leethal: Those are supposed to be swords: http://xkcd.com/303/

@lenary
Contributor
lenary commented on 4d9a7ab Oct 9, 2008

Cons: pubes in your keyboard!
Pros: Easier to have sex during tests!
