33 lines
918 B
Ruby
33 lines
918 B
Ruby
# frozen_string_literal: true
|
|
|
|
# Overrides `#serializable_hash` to raise an exception when called without the `only` option
|
|
# in order to prevent accidentally exposing attributes.
|
|
#
|
|
# An `unsafe: true` option can also be passed in to bypass this check.
|
|
#
|
|
# `#serializable_hash` is used by ActiveModel serializers like `ActiveModel::Serializers::JSON`
|
|
# which overrides `#as_json` and `#to_json`.
|
|
#
|
|
module BlocksUnsafeSerialization
|
|
extend ActiveSupport::Concern
|
|
extend ::Gitlab::Utils::Override
|
|
|
|
UnsafeSerializationError = Class.new(StandardError)
|
|
|
|
override :serializable_hash
|
|
def serializable_hash(options = nil)
|
|
return super if allow_serialization?(options)
|
|
|
|
raise UnsafeSerializationError,
|
|
"Serialization has been disabled on #{self.class.name}"
|
|
end
|
|
|
|
private
|
|
|
|
def allow_serialization?(options = nil)
|
|
return false unless options
|
|
|
|
!!(options[:only] || options[:unsafe])
|
|
end
|
|
end
|