diff --git a/actionview/CHANGELOG.md b/actionview/CHANGELOG.md
index 6d45cc1d8a..46b3b1fa25 100644
--- a/actionview/CHANGELOG.md
+++ b/actionview/CHANGELOG.md
@@ -1,3 +1,13 @@
+* Deprecate calling private model methods from view helpers.
+
+ For example, in methods like `options_from_collection_for_select`
+ and `collection_select` it is possible to call private methods from
+ the objects used.
+
+ Fixes #33546.
+
+ *Ana María Martínez Gómez*
+
* Fix issue with `button_to`'s `to_form_params`
`button_to` was throwing exception when invoked with `params` hash that
diff --git a/actionview/lib/action_view/helpers/form_options_helper.rb b/actionview/lib/action_view/helpers/form_options_helper.rb
index 7884a8d997..2b9d55a019 100644
--- a/actionview/lib/action_view/helpers/form_options_helper.rb
+++ b/actionview/lib/action_view/helpers/form_options_helper.rb
@@ -794,7 +794,7 @@ module ActionView
def extract_values_from_collection(collection, value_method, selected)
if selected.is_a?(Proc)
collection.map do |element|
- element.send(value_method) if selected.call(element)
+ public_or_deprecated_send(element, value_method) if selected.call(element)
end.compact
else
selected
@@ -802,7 +802,15 @@ module ActionView
end
def value_for_collection(item, value)
- value.respond_to?(:call) ? value.call(item) : item.send(value)
+ value.respond_to?(:call) ? value.call(item) : public_or_deprecated_send(item, value)
+ end
+
+ def public_or_deprecated_send(item, value)
+ item.public_send(value)
+ rescue NoMethodError
+ raise unless item.respond_to?(value, true) && !item.respond_to?(value)
+ ActiveSupport::Deprecation.warn "Using private methods from view helpers is deprecated (calling private #{item.class}##{value})"
+ item.send(value)
end
def prompt_text(prompt)
diff --git a/actionview/test/template/form_options_helper_test.rb b/actionview/test/template/form_options_helper_test.rb
index 8f796bdb83..8a0a706fef 100644
--- a/actionview/test/template/form_options_helper_test.rb
+++ b/actionview/test/template/form_options_helper_test.rb
@@ -21,7 +21,12 @@ class FormOptionsHelperTest < ActionView::TestCase
tests ActionView::Helpers::FormOptionsHelper
silence_warnings do
- Post = Struct.new("Post", :title, :author_name, :body, :secret, :written_on, :category, :origin, :allow_comments)
+ Post = Struct.new("Post", :title, :author_name, :body, :written_on, :category, :origin, :allow_comments) do
+ private
+ def secret
+ "This is super secret: #{author_name} is not the real author of #{title}"
+ end
+ end
Continent = Struct.new("Continent", :continent_name, :countries)
Country = Struct.new("Country", :country_id, :country_name)
Firm = Struct.new("Firm", :time_zone)
@@ -68,6 +73,14 @@ class FormOptionsHelperTest < ActionView::TestCase
)
end
+ def test_collection_options_with_private_value_method
+ assert_deprecated("Using private methods from view helpers is deprecated (calling private Struct::Post#secret)") { options_from_collection_for_select(dummy_posts, "secret", "title") }
+ end
+
+ def test_collection_options_with_private_text_method
+ assert_deprecated("Using private methods from view helpers is deprecated (calling private Struct::Post#secret)") { options_from_collection_for_select(dummy_posts, "author_name", "secret") }
+ end
+
def test_collection_options_with_preselected_value
assert_dom_equal(
"\n\n",