authorRobert Speicher <rspeicher@gmail.com>2017-09-18 23:18:51 -0400
committerRobert Speicher <rspeicher@gmail.com>2017-12-19 15:45:07 -0600
commit32ff813d3dccef6378361dff599eca44b05f46d4 (patch)
treeaa5ef5e4ae4c8c10029ffc483527584240dc7d84
parent5b880f0d36b082a0b443c5fe95f51a84dee27475 (diff)
downloadgitlab-ce-32ff813d3dccef6378361dff599eca44b05f46d4.tar.gz
Add BlocksJsonSerialization model concern and include it in User
-rw-r--r--app/models/concerns/blocks_json_serialization.rb14
-rw-r--r--app/models/user.rb1
-rw-r--r--spec/models/concerns/blocks_json_serialization_spec.rb17
-rw-r--r--spec/models/user_spec.rb1
4 files changed, 33 insertions, 0 deletions
diff --git a/app/models/concerns/blocks_json_serialization.rb b/app/models/concerns/blocks_json_serialization.rb
new file mode 100644
index 00000000000..cb70c22e207
--- /dev/null
+++ b/app/models/concerns/blocks_json_serialization.rb
@@ -0,0 +1,14 @@
+# Overrides `as_json` and `to_json` to raise an exception when called in order
+# to prevent accidentally exposing attributes
+#
+# Not that that would ever happen... but just in case.
+module BlocksJsonSerialization
+ extend ActiveSupport::Concern
+
+ def to_json
+ raise SecurityError,
+ "JSON serialization has been disabled on #{self.class.name}"
+ end
+
+ alias_method :as_json, :to_json
+end
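Review bot: `to_json` is declared with no parameters, but the callers this concern is meant to intercept pass one — Rails invokes `as_json(options)` from `render json:` and the JSON generator calls `to_json(state)` — so those paths fail with an ArgumentError before the `raise SecurityError` line is reached; serialization is still blocked, but the intended diagnostic and its class-name message are lost. Accepting and discarding the arguments fixes both the method and its alias: `def to_json(*_args)`. Since `alias_method :as_json, :to_json` binds to the definition at that point, an including class that later redefines `to_json` would leave `as_json` still pointing at this body; a one-line comment above the alias saying so would help the next reader.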
diff --git a/app/models/user.rb b/app/models/user.rb
index 51941f43919..b52f17cd6a8 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -18,6 +18,7 @@ class User < ActiveRecord::Base
include CreatedAtFilterable
include IgnorableColumn
include BulkMemberAccessLoad
+ include BlocksJsonSerialization
DEFAULT_NOTIFICATION_LEVEL = :participating
diff --git a/spec/models/concerns/blocks_json_serialization_spec.rb b/spec/models/concerns/blocks_json_serialization_spec.rb
new file mode 100644
index 00000000000..84f8ccc238e
--- /dev/null
+++ b/spec/models/concerns/blocks_json_serialization_spec.rb
@@ -0,0 +1,17 @@
+require 'rails_helper'
+
+describe BlocksJsonSerialization do
+ DummyModel = Class.new do
+ include BlocksJsonSerialization
+ end
+
+ it 'blocks as_json' do
+ expect { DummyModel.new.to_json }
+ .to raise_error(SecurityError, "JSON serialization has been disabled on DummyModel")
+ end
+
+ it 'blocks to_json' do
+ expect { DummyModel.new.to_json }
+ .to raise_error(SecurityError, "JSON serialization has been disabled on DummyModel")
+ end
+end
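Review bot: The 'blocks as_json' example calls `DummyModel.new.to_json`, identical to the 'blocks to_json' example below it, so the `as_json` alias is never exercised; change that line to `expect { DummyModel.new.as_json }`. An example that passes the options argument Rails actually uses, e.g. `DummyModel.new.as_json(only: :id)`, would also catch the arity problem in the concern, where an argument currently produces ArgumentError instead of the expected SecurityError. Assigning `DummyModel = Class.new` inside the `describe` block defines a top-level constant that persists across the whole suite; `stub_const('DummyModel', Class.new { include BlocksJsonSerialization })` in a `before` block keeps the class name the message asserts on without the leak.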
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index 4687d9dfa00..e58e7588df0 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -12,6 +12,7 @@ describe User do
it { is_expected.to include_module(Referable) }
it { is_expected.to include_module(Sortable) }
it { is_expected.to include_module(TokenAuthenticatable) }
+ it { is_expected.to include_module(BlocksJsonSerialization) }
end
describe 'delegations' do