From 4f6dfefe0ef396ecae853247b625df2437a2bf53 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Valim?=
Date: Sun, 15 Nov 2009 11:17:40 -0200
Subject: [PATCH] Sanity check the serialized class.
---
 lib/devise/models/authenticatable.rb | 1 +
 test/models/authenticatable_test.rb | 13 +++++++++++++
 2 files changed, 14 insertions(+)
diff --git a/lib/devise/models/authenticatable.rb b/lib/devise/models/authenticatable.rb
index 3e408db6..078e0c2a 100644
--- a/lib/devise/models/authenticatable.rb
+++ b/lib/devise/models/authenticatable.rb
@@ -93,6 +93,7 @@ module Devise
 # Hook to serialize user from session. Overwrite if you want.
 def serialize_from_session(keys)
 klass, id = keys
+ raise "#{self} cannot serialize from #{klass} session since it's not its ancestors" unless klass <= self
 klass.find_by_id(id)
 end
 end
diff --git a/test/models/authenticatable_test.rb b/test/models/authenticatable_test.rb
index 7b7e0c87..1a4bda32 100644
--- a/test/models/authenticatable_test.rb
+++ b/test/models/authenticatable_test.rb
@@ -145,4 +145,17 @@ class AuthenticatableTest < ActiveSupport::TestCase
 user = create_user
 assert_equal user.id, User.serialize_from_session([User, user.id]).id
 end
+
+ test 'should not serialize another klass from session' do
+ user = create_user
+ assert_raise RuntimeError, /ancestors/ do
+ User.serialize_from_session([Admin, user.id])
+ end
+ end
+
+ test 'should serialize another klass from session' do
+ user = create_user
+ klass = Class.new(User)
+ assert_equal user.id, User.serialize_from_session([klass, user.id]).id
+ end
 end
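Review bot: The new guard on the added line in serialize_from_session assumes `klass` is a Class; a session entry whose first element is a String, a Symbol or nil (a stale or malformed session, or `keys` with fewer than two elements) makes `klass <= self` raise a comparison error or NoMethodError instead of the intended RuntimeError, which is much harder to diagnose. Checking the type first keeps the failure path uniform: `raise "#{self} cannot serialize from #{klass} session since it's not its ancestors" unless klass.is_a?(Class) && klass <= self`. The message also reads backwards — `klass <= self` requires `self` to be among `klass`'s ancestors — so `"#{self} cannot serialize from #{klass} session since #{self} is not among its ancestors"` would state the condition accurately while still matching the `/ancestors/` expectation in the tests. The enclosing `module Devise` starts outside the hunk.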
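Review bot: `assert_raise RuntimeError, /ancestors/` in the first added test may not check the exception message at all: in Test::Unit-style assertions a trailing non-Module argument is taken as the failure message, so the Regexp would only show up in failure output — verify this against the test framework the suite runs on. Matching on the returned exception is unambiguous: `error = assert_raise(RuntimeError) { User.serialize_from_session([Admin, user.id]) }` followed by `assert_match(/ancestors/, error.message)`. Both new tests also pass only Class objects as the first element; a case such as `User.serialize_from_session(["User", user.id])` would document the behaviour for a malformed session entry.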