Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

allow lazy decrypted vault attributes to be referenced after a destroy #110

Merged
merged 1 commit into from
Sep 29, 2020
Merged

allow lazy decrypted vault attributes to be referenced after a destroy #110

merged 1 commit into from
Sep 29, 2020

Conversation

radditude
Copy link
Member

After destroying a record, ActiveRecord marks the in-memory object as frozen and unable to be altered. This was fine in older versions of Rails prior to the attributes API, and it's mostly fine now. However, if lazy decrypt is enabled and you need to access an encrypted attribute after the destroy happens -- for instance, as part of a dependent: :destroy chain -- vault-rails attempts to set the plaintext attribute on the frozen object, raising a "Can't modify frozen hash" error.

As a workaround, this PR ensures that attributes are decrypted before a destroy so the plain text values can be accessed by after-destroy hooks if needed.

Currently, I've set this as universal behavior, since being able to access encrypted attributes after a destroy was the default prior to #67. However, another possibility would be only enabling this behavior for specific attributes, via something along these lines:

vault_attribute :details,
  access_after_destroy: true

chrisarcand
chrisarcand approved these changes Sep 29, 2020
View reviewed changes
Copy link
Member

@chrisarcand chrisarcand left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this workaround is very reasonable as a default, and defines behavior that was never guaranteed before anyway.

If there's some reason that it's undesirable to load lazy attributes on destroys, the inverse of your second option (forcing a destroy without loading the attributes) can be added later.

lib/vault/encrypted_model.rb Show resolved Hide resolved
@radditude
allow lazy decrypted vault attributes to be referenced after a destroy
b451a35 
After destroying a record, ActiveRecord marks the in-memory object as
frozen and unable to be altered. This is fine, unless lazy decrypt is
enabled and you need to access an encrypted attribute after the destroy
happens - for instance, as part of a dependent: :destroy chain.
In that case, vault-rails will attempt to set the plaintext attribute
_after_ the destroy, raising a "Can't modify frozen hash" error.

This commit ensures that encrypted attributes are always decrypted
prior to a destroy.
@radditude radditude force-pushed the radditude/access-attribute-after-destroy branch from c77c493 to b451a35 Compare September 29, 2020 17:52
@radditude radditude merged commit 90ea4db into master Sep 29, 2020
@radditude radditude deleted the radditude/access-attribute-after-destroy branch September 29, 2020 17:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chrisarcand chrisarcand chrisarcand approved these changes

@joekarl joekarl joekarl approved these changes

@beekus beekus Awaiting requested review from beekus

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@radditude @joekarl @chrisarcand