Class: LcpRuby::VirtualFields::Types::ArrayOf

Inherits:

ActiveModel::Type::Value

Object
ActiveModel::Type::Value
LcpRuby::VirtualFields::Types::ArrayOf

show all

Defined in:: lib/lcp_ruby/virtual_fields/types/array_of.rb

Overview

AM::Attributes type wrapper that coerces URL params into an array of values typed by ‘inner` (default: identity).

Defensive posture (spec § 3 Security invariants):

* `nil` / blank      → []
* `Array`            → map each, but drop Hash/Parameters
                       elements before they reach AR
* `Hash`/`Parameters`/scalar → []  (no `Array(value)` fallback)

‘Array(hash)` is FORBIDDEN — it produces `[[k, v]]` pairs and propagates attacker-controlled keys into filter values. The explicit case dispatch matches the same defensive shape used by Rails strong parameters.

Spec: docs/design/page_filters_as_virtual_forms.md § 3 Security, acceptance test #16 (hash-attack defense).

Instance Attribute Summary collapse

#inner ⇒ Object readonly

Returns the value of attribute inner.

Instance Method Summary collapse

#cast(value) ⇒ Object
#initialize(inner = ActiveModel::Type::Value.new) ⇒ ArrayOf constructor

A new instance of ArrayOf.
#serialize(value) ⇒ Object

Constructor Details

#initialize(inner = ActiveModel::Type::Value.new) ⇒ `ArrayOf`

Returns a new instance of ArrayOf.

# File 'lib/lcp_ruby/virtual_fields/types/array_of.rb', line 26

def initialize(inner = ActiveModel::Type::Value.new)
  super()
  @inner = inner
end

Instance Attribute Details

#inner ⇒ `Object` (readonly)

Returns the value of attribute inner.



24
25
26

# File 'lib/lcp_ruby/virtual_fields/types/array_of.rb', line 24

def inner
  @inner
end

Instance Method Details

#cast(value) ⇒ `Object`

# File 'lib/lcp_ruby/virtual_fields/types/array_of.rb', line 31

def cast(value)
  return [] if value.nil?
  return [] if value.respond_to?(:empty?) && value.empty?
  return [] unless value.is_a?(Array)

  value.each_with_object([]) do |element, out|
    next if element.is_a?(Hash)
    next if defined?(ActionController::Parameters) && element.is_a?(ActionController::Parameters)
    out << @inner.cast(element)
  end
end

#serialize(value) ⇒ `Object`



43
44
45

# File 'lib/lcp_ruby/virtual_fields/types/array_of.rb', line 43

def serialize(value)
  Array(value)
end