
Ensure methods called on association proxies respect access control. [#…

…1083 state:resolved] [Adam Milligan, Pratik]
1 parent 42cbd71 commit 691aa20280456c332bfaaf69b58adc86fd86a2b8 @lifo lifo committed Oct 13, 2008
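--- a/activerecord/lib/active_record/associations/association_proxy.rb
+++ b/activerecord/lib/active_record/associations/association_proxy.rb
@@ -140,6 +140,15 @@ def inspect
 @target.inspect
 end
+ def send(method, *args)
+ if proxy_respond_to?(method)
+ super
+ else
+ load_target
+ @target.send(method, *args)
+ end
+ end
+
 protected
 # Does the association have a <tt>:dependent</tt> option?
 def dependent?
@@ -197,6 +206,8 @@ def with_scope(*args, &block)
 # Forwards any missing method call to the \target.
 def method_missing(method, *args)
 if load_target
+ raise NoMethodError unless @target.respond_to?(method)
+
 if block_given?
 @target.send(method, *args) { |*block_args| yield(*block_args) }
 else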
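Review bot: The guard added to `method_missing` relies on `@target.respond_to?(method)`, which on Ruby versions before 2.0 still answers true for protected methods, so a protected method of the target would pass the check and be invoked by the `@target.send` just below it. The tests added in this commit only exercise private methods, so that case is unverified here. I would either add a protected-method case to the proxy tests or record the limit next to the guard, e.g. `# respond_to? only hides private methods here; protected methods on @target may still be reachable through the proxy (TODO confirm)`. The bare `raise NoMethodError` also carries no method name; `raise NoMethodError, "undefined method '#{method}' for #{@target.class}" unless @target.respond_to?(method)` would make a blocked call easier to trace. `method_missing` continues past the end of this hunk.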
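--- a/activerecord/lib/active_record/associations/has_one_association.rb
+++ b/activerecord/lib/active_record/associations/has_one_association.rb
@@ -57,7 +57,7 @@ def replace(obj, dont_save = false)
 protected
 def owner_quoted_id
 if @reflection.options[:primary_key]
- quote_value(@owner.send(@reflection.options[:primary_key]))
+ @owner.class.quote_value(@owner.send(@reflection.options[:primary_key]))
 else
 @owner.quoted_id
 end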
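Review bot: The explicit `@owner.class.` receiver in `owner_quoted_id` has no comment explaining it, and a later cleanup could easily turn it back into the bare call. Presumably the bare `quote_value` was being resolved through the proxy's `method_missing` onto a non-public method of the target, which the new guard in association_proxy.rb now rejects. A one-line comment such as `# explicit receiver: the proxy no longer forwards non-public methods to @target` would record that. None of the tests added in this commit appears to cover the `:primary_key` branch, so the replacement call is not exercised here.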
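--- a/activerecord/test/cases/associations/belongs_to_associations_test.rb
+++ b/activerecord/test/cases/associations/belongs_to_associations_test.rb
@@ -428,4 +428,14 @@ def test_save_succeeds_for_invalid_belongs_to_with_validate_false
 assert log.valid?
 assert log.save
 end
+
+ def test_belongs_to_proxy_should_not_respond_to_private_methods
+ assert_raises(NoMethodError) { companies(:first_firm).private_method }
+ assert_raises(NoMethodError) { companies(:second_client).firm.private_method }
+ end
+
+ def test_belongs_to_proxy_should_respond_to_private_methods_via_send
+ companies(:first_firm).send(:private_method)
+ companies(:second_client).firm.send(:private_method)
+ end
 end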
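Review bot: The `..._via_send` test asserts nothing, so it passes whenever no exception is raised, even if the proxy's `send` returned the wrong value or dispatched to the wrong object; the matching tests in has_one_associations_test.rb and has_one_through_associations_test.rb have the same gap. Comparing against the model's string would pin the behaviour, e.g. `assert_equal "I am Jack's innermost fears and aspirations", companies(:second_client).firm.send(:private_method)`. The first line of each new test calls the fixture record directly rather than going through an association, so only the second line exercises the proxy code. No test here covers `send` with a block or `__send__` on a proxy, and none covers collection associations, so this commit does not establish whether those paths honour method visibility.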
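--- a/activerecord/test/cases/associations/has_one_associations_test.rb
+++ b/activerecord/test/cases/associations/has_one_associations_test.rb
@@ -349,4 +349,14 @@ def test_cant_save_readonly_association
 assert companies(:first_firm).readonly_account.readonly?
 end
+ def test_has_one_proxy_should_not_respond_to_private_methods
+ assert_raises(NoMethodError) { accounts(:signals37).private_method }
+ assert_raises(NoMethodError) { companies(:first_firm).account.private_method }
+ end
+
+ def test_has_one_proxy_should_respond_to_private_methods_via_send
+ accounts(:signals37).send(:private_method)
+ companies(:first_firm).account.send(:private_method)
+ end
+
 end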
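--- a/activerecord/test/cases/associations/has_one_through_associations_test.rb
+++ b/activerecord/test/cases/associations/has_one_through_associations_test.rb
@@ -110,4 +110,14 @@ def test_assigning_association_correctly_assigns_target
 new_member.club = new_club = Club.create(:name => "LRUG")
 assert_equal new_club, new_member.club.target
 end
+
+ def test_has_one_through_proxy_should_not_respond_to_private_methods
+ assert_raises(NoMethodError) { clubs(:moustache_club).private_method }
+ assert_raises(NoMethodError) { @member.club.private_method }
+ end
+
+ def test_has_one_through_proxy_should_respond_to_private_methods_via_send
+ clubs(:moustache_club).send(:private_method)
+ @member.club.send(:private_method)
+ end
 end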
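--- a/activerecord/test/models/club.rb
+++ b/activerecord/test/models/club.rb
@@ -4,4 +4,10 @@ class Club < ActiveRecord::Base
 has_many :current_memberships
 has_one :sponsor
 has_one :sponsored_member, :through => :sponsor, :source => :sponsorable, :source_type => "Member"
+
+ private
+
+ def private_method
+ "I'm sorry sir, this is a *private* club, not a *pirate* club"
+ end
 end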
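--- a/activerecord/test/models/company.rb
+++ b/activerecord/test/models/company.rb
@@ -13,6 +13,12 @@ class Company < AbstractCompany
 def arbitrary_method
 "I am Jack's profound disappointment"
 end
+
+ private
+
+ def private_method
+ "I am Jack's innermost fears and aspirations"
+ end
 end
 module Namespaced
@@ -129,9 +135,14 @@ def self.destroyed_account_ids
 true
 end
-
 protected
 def validate
 errors.add_on_empty "credit_limit"
 end
+
+ private
+
+ def private_method
+ "Sir, yes sir!"
+ end
 end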
