From 9055156668faa84821097e8fe324aaa1529abdfe Mon Sep 17 00:00:00 2001 From: George Claghorn Date: Wed, 2 Sep 2020 08:41:15 -0400 Subject: [PATCH] Override ActiveStorage.signed_id_verifier instead of assigning Guard against the case where ActiveStorage.verifier isn't yet initialized at load time. Yes, you're not supposed to load AR models in initializers, but it's easy to do accidentally as long as we don't prevent it. We should be resilient against it wherever practical. --- activestorage/app/models/active_storage/blob.rb | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/activestorage/app/models/active_storage/blob.rb b/activestorage/app/models/active_storage/blob.rb index 2b792e6a97..1415e586bb 100644 --- a/activestorage/app/models/active_storage/blob.rb +++ b/activestorage/app/models/active_storage/blob.rb @@ -35,7 +35,6 @@ class ActiveStorage::Blob < ActiveRecord::Base include ActiveStorage::Blob::Representable self.table_name = "active_storage_blobs" - self.signed_id_verifier = ActiveStorage.verifier MINIMUM_TOKEN_LENGTH = 28 @@ -130,9 +129,17 @@ class ActiveStorage::Blob < ActiveRecord::Base end # Customize signed ID purposes for backwards compatibility. - def combine_signed_id_purposes(purpose) + def combine_signed_id_purposes(purpose) #:nodoc: purpose.to_s end + + # Customize the default signed ID verifier for backwards compatibility. + # + # We override the reader (.signed_id_verifier) instead of just calling the writer (.signed_id_verifier=) + # to guard against the case where ActiveStorage.verifier isn't yet initialized at load time. + def signed_id_verifier #:nodoc: + @signed_id_verifier ||= ActiveStorage.verifier + end end # Returns a signed ID for this blob that's suitable for reference on the client-side without fear of tampering.