Sanity check the serialized class.

2022-11-09 12:18:31 -05:00 · 2009-11-15 11:17:40 -02:00 · 2009-11-15 11:17:40 -02:00 · 4f6dfefe0e
commit 4f6dfefe0e
parent 3805bf2f26
2 changed files with 14 additions and 0 deletions
--- a/lib/devise/models/authenticatable.rb
+++ b/lib/devise/models/authenticatable.rb
@ -93,6 +93,7 @@ module Devise
        # Hook to serialize user from session. Overwrite if you want.
        def serialize_from_session(keys)
          klass, id = keys
+          raise "#{self} cannot serialize from #{klass} session since it's not its ancestors" unless klass <= self 
          klass.find_by_id(id)
        end
      end
--- a/test/models/authenticatable_test.rb
+++ b/test/models/authenticatable_test.rb
@ -145,4 +145,17 @@ class AuthenticatableTest < ActiveSupport::TestCase
    user = create_user
    assert_equal user.id, User.serialize_from_session([User, user.id]).id
  end
+
+  test 'should not serialize another klass from session' do
+    user = create_user
+    assert_raise RuntimeError, /ancestors/ do
+      User.serialize_from_session([Admin, user.id])
+    end
+  end
+
+  test 'should serialize another klass from session' do
+    user = create_user
+    klass = Class.new(User)
+    assert_equal user.id, User.serialize_from_session([klass, user.id]).id
+  end
 end