ActiveRecord::AttributeMethods #respond_to?

I have a model class

class Foo < ActiveRecord::Base   attr_protected :bar end

I would think that Foo.new.respond_to?(:bar) would be false, but it returns true. This is because the definition of :respond_to? checks whether @attributes.include?(method_name), but doesn't take attribute protection into account.

Foo thus does not abide by the general contract of respond_to?: "respond_to?(:baz) returns true if and only if call(:baz) does not raise a NoMethodError."

Will fixing this break tons and tons of code?

I would think that Foo.new.respond_to?(:bar) would be false, but it returns true.

It should be true as the Foo instance responds to a method called bar.

This is because the definition of :respond_to? checks whether @attributes.include?(method_name), but doesn't take attribute protection into account.

It doesn't check attributes, it checks the actual methods on the object. It is independent of Rails.

Foo thus does not abide by the general contract of respond_to?: "respond_to?(:baz) returns true if and only if call(:baz) does not raise a NoMethodError."

Hu? Foo.new *has* a bar method. It just doesn't allow you to set it in mass-assignment.

Jonathan

Sorry, you're right. I phrased my question wrong. Let's try this:

class Foo < ActiveRecord::Base

  private

  # really protect attribute bar   def bar     read_attribute :bar   end   def bar=(val)     write_attribute :bar, val   end

end

Now Foo.new.respond_to?(:bar) really _should_ return false, but it doesn't. This method isn't checked before @attributes is.

-Gaius

class Foo < ActiveRecord::Base

private

# really protect attribute bar def bar    read_attribute :bar end def bar=(val)    write_attribute :bar, val end

end

Now Foo.new.respond_to?(:bar) really _should_ return false

respond_to? is a Ruby core object method, it's not implemented by Rails.

It _is_ a core Ruby object, with a contract defined in Object. The problem is that Rails overrides that definition, accounting for ActiveRecord attributes. (It _should_ override, since it overrides method_missing.)

All I'm saying is that the override devined in ActiveRecord::AttributeMethods is inconsistent with the core Ruby contract.

-Gaius

This is because the definition of :respond_to? checks whether @attributes.include?(method_name), but doesn't take attribute protection into account.

It doesn't check attributes, it checks the actual methods on the object. It is independent of Rails.

Well, not really. ActiveRecord does override #respond_to? to take attributes into account (the "actual methods" are defined lazily).

Foo thus does not abide by the general contract of respond_to?: "respond_to?(:baz) returns true if and only if call(:baz) does not raise a NoMethodError."

Hu? Foo.new *has* a bar method. It just doesn't allow you to set it in mass-assignment.

I agree. The current behavior is the same as the pure-Ruby one:

$ irb irb(main):001:0> class Foo irb(main):002:1> def bar irb(main):003:2> end irb(main):004:1> protected :bar irb(main):005:1> end => Foo irb(main):006:0> Foo.new.respond_to? :bar => true

Ok, but what about

$ irb irb(main):001:0> class Foo irb(main):002:1> def bar irb(main):003:2> end irb(main):004:1> private:bar irb(main):005:1> end => Foo irb(main):006:0> Foo.new.respond_to? :bar => false

-Gaius

Well, we are talking about attr_protected, right?

No, sorry. I'm trying to _truly_ make an attribute private. I want nobody but my instance (self) to be able to access this attribute. There's nothing like attr_private to my knowledge, though, so I declared private methods.

The problem is the basic order of the way ActiveRecord redefines :respond_to?

1. if regular respond_to? true, then return true 2. if matches an attribute, return true 3. return regular respond_to?

There's no way for me to _prevent_ an attribute from being exposed publicly as far as respond_to? is concerned.

-Gaius

No, sorry. I'm trying to _truly_ make an attribute private. I want nobody but my instance (self) to be able to access this attribute. There's nothing like attr_private to my knowledge, though, so I declared private methods.

I'd question *why* you want that to be completely private, what is it you're hoping to achieve. Users of your code will *always* be able to call your method, there's simply no way for you to stop them:

@object.__send__(:your_secret_method) # PWN3D!!!!

There's currently no way to mark an attribute as private, and we could probably add that as an enhancement, but I'm a little confused what the use case is.

This is slightly tangential, but since we're on the subject, I'd like to point out a related issue with private methods. It's early, and I'm still working on my first cup of coffee, so please just ignore me if I'm too off topic here :). The problem I am seeing is that a private method works as expected when called directly on an object, but when the object is accessed through an association_proxy 'private' is ignored (because the association_proxy is 'send'ing on method_missing).

Here's an example:

Class User < AR::Base   private   def secret_stuff ; "foo" end end

Class Purchase < AR::Base   has_one :user end

User.first.secret_stuff

=> NoMethodError: private method `secret_stuff' called for #<User: 0x3d446dc> # as expected

Purchase.first.user.secret_stuff

=> "foo" # d'oh!

Because the association_proxy does a blind send, the privacy check is bypassed. When I first came across this, it really threw me for a loop -- in one context my 'private' declaration was working fine and dandy, and in another, it was being ignored! I wanted to use 'private' because I had just modified my class in such a way that it made sense, encapsulation-wise, to only have the class itself access the particular method. I wasn't looking for true protection against malicious code, I just wanted to verify my encapsulation properties and find code that was violating those properties. In the end I decided it wasn't worth the effort to make the two code paths behave the same so instead I did a manual code comb to find outside classes who were accessing my private method.

So, I guess I'm just offering this as another data point. It's another place where the rails metaprogramming slightly modifies the expected behavior of the underlying code. I don't think this is a major problem or anything, just thought it fit in with the current topic. Maybe this behavior is covered in the docs and I just missed it?

Cheers, acechase

acechase: I think your case is different, but extremely close to the issue I'm getting at. Thank you for bringing it up.

Koz: are you prepared to argue that Ruby shouldn't have private methods at all because programmers can get around them with __send__? I want to make a method private so other programmers don't do stupid stuff. I want it to be one more thing in the way of writing insecure, unreliable code. There's no such thing as bulletproof code, but if I can add more padding without adding conceptual weight, I'm all for it.

Also, I'd just like Rails Models to act like normal Ruby Objects.

-Gaius

Gaius,

I applaud your desire to be safe with your user's information and protect them from inadvertent programming errors. On my website, we have a forum where sensitive matters are frequently discussed and so we provide our users the option of posting anonymously. Of course, we still need to know who posted it so that they can edit it later so I had a similar conundrum that you're facing now. I didn't want to ever let a developer accidentally reveal their identity when the anonymous flag was set on their post. So I did little meta-programming to allow me to make the user and user_id nil when the post was anonymous, but still have access to the information through aliased methods if we needed it.

http://gist.github.com/8654

Ruby on rails is great, but so is Ruby itself, and with a little diligence, we can bend the world to our will to achieve a desired API.

-chris

P.S. For those not inclined to click through here's the rough sketch: # == Schema Information

Koz: are you prepared to argue that Ruby shouldn't have private methods at all because programmers can get around them with __send__? I want to make a method private so other programmers don't do stupid stuff. I want it to be one more thing in the way of writing insecure, unreliable code. There's no such thing as bulletproof code, but if I can add more padding without adding conceptual weight, I'm all for it.

No, my point is simply that whatever safety you think you're receiving by fixing this respond_to? block is no substitute for code review. While this is definitely strange behaviour and a little counter intuitive I can't imagine a situation where you'd actually have a security issue caused by this code. I find it hard to think a developer will be sitting in an irb session saying "does this respond_to? :foo" rather than looking at the source to that model to find the method they want

If you'd like to submit a patch for respond_to to check the private / public status of methods defined by attributes, I'd be happy to apply it.

User.first.secret_stuff

=> NoMethodError: private method `secret_stuff' called for #<User: 0x3d446dc> # as expected

Purchase.first.user.secret_stuff

=> "foo" # d'oh!

Yeah, this is also a bug. If you want to whip up a patch for it, I'll gladly apply it.

Also, I'd just like Rails Models to act like normal Ruby Objects.

It would be pretty weird to make attr_accessor methods private in a normal Ruby object, since the writer method could never be called except with a self.send. If some field was meant to be private, you'd probably just use the instance variables directly and not have reader or writer methods at all.

It seems like the closest analog in Active Record would be to not define reader and writer methods for the attribute, only exposing it via read_attribute and write_attribute (and and =).

-hume.

John, this is a _fantastic_ point. It's certainly true that there would be no way to use the "setter" half of a private attr_accessor in a regular Ruby object:

self.bar = 'baz' # violates private bar = 'baz' # sets a local variable

But you can use the "getter" half:

return bar.dup # return a defensive copy of the instance variable

I consider Ruby's definition of "private" fairly crippled, but that's not the fault of the Rails community, nor can they (we?) do much about it.

Maybe my actual use case will help clear up why I want a private attribute. I have a single-table-inheritance model:

table products:   integer version   string name

class Product < ActiveRecord::Base   attr_private :version # if such a method existed end

class VersionedProduct < Foo   attr_accessor :version # reveal the method end

I wouldn't normally ask this list for usage advice, but perhaps this case will inform design.

Thanks, Gaius

John, this is a _fantastic_ point. It's certainly true that there would be no way to use the "setter" half of a private attr_accessor in a regular Ruby object:

self.bar = 'baz' # violates private bar = 'baz' # sets a local variable

But you can use the "getter" half:

return bar.dup # return a defensive copy of the instance variable

I consider Ruby's definition of "private" fairly crippled, but that's not the fault of the Rails community, nor can they (we?) do much about it.

I still think you misunderstand and mix Ruby's private and Rails' attr_protected/attr_accessible.

class A   private   def foo     "foo"   end end

a = A.new a.foo

NoMethodError: private method `foo' called for #<A:0x6bae4>

So no crippling here. Note that you can still access foo if you really wan:

a.send(:foo) => "foo"

This is Ruby where we WANT to be able to do things like that.

Rails' attr_protected/attr_accessible are only there to protect you from mass-assignment and have noting to do with private/protected. Ruby's attr_accessor :foo will just create a getter and setter for you if you are too lazy.

Maybe my actual use case will help clear up why I want a private attribute. I have a single-table-inheritance model:

table products: integer version string name

class Product < ActiveRecord::Base attr_private :version # if such a method existed end

class VersionedProduct < Foo attr_accessor :version # reveal the method end

I wouldn't normally ask this list for usage advice, but perhaps this case will inform design.

The simple answer is: Just don't call version on products! It's your code and you know where you use it.

If you really want to stop using version:

class Product < ActiveRecord::Base

  def version     raise 'private'   end

end

class VersionedProduct < Product

  def version     attributes[:version]   end

end

You could do the same for the setter or even write your attr_private method that will generate the getters/setters.

But again, I see no point in doing so.

Jonathan

Jonathan Weiss said, <<< The simple answer is: Just don't call version on products! It's your code and you know where you use it.

It's my code right now, but not after I leave and some other coder gets assigned to the project. I want to help future maintainers prevent accidents. In Java, this sort of defensive programming is very easy.

I want the protection offered by attr_protected (or the lack of attr_accessible) AND the protection offered by restricted visibility. I want the most protection I can possibly get without making the code impossible to read.

All I'm saying is that Rails doesn't respect Ruby's native visibility. John Hume brought up an even more important example of this.

-Gaius

All I'm saying is that Rails doesn't respect Ruby's native visibility. John Hume brought up an even more important example of this.

As I mentioned earlier in the thread, these are both valid points and you should send us a patch for them. While I may not agree with you about the use of private for this purpose, you're right that there's no valid reason to misbehave here, and there's no downside to doing so.