Restrict serializable_hash to accepted options

bf4 · bf4 · commit 2f68ab4cc8bb · 2016-04-11T14:28:40.000-05:00
diff --git a/lib/active_model/serializer.rb b/lib/active_model/serializer.rb
@@ -18,6 +18,7 @@
 # reified when subclassed to decorate a resource.
 module ActiveModel
   class Serializer
+    SERIALIZABLE_HASH_VALID_KEYS = [:only, :except, :methods, :include, :root].freeze
     extend ActiveSupport::Autoload
     autoload :Adapter
     autoload :Null
diff --git a/lib/active_model_serializers/adapter/attributes.rb b/lib/active_model_serializers/adapter/attributes.rb
@@ -8,7 +8,7 @@ def initialize(serializer, options = {})
       end
 
       def serializable_hash(options = nil)
-        options ||= {}
+        options = serialization_options(options)
 
         if serializer.respond_to?(:each)
           serializable_hash_for_collection(options)
diff --git a/lib/active_model_serializers/adapter/base.rb b/lib/active_model_serializers/adapter/base.rb
@@ -19,6 +19,8 @@ def cached_name
         @cached_name ||= self.class.name.demodulize.underscore
       end
 
+      # Subclasses that implement this method must first call
+      #   options = serialization_options(options)
       def serializable_hash(_options = nil)
         fail NotImplementedError, 'This is an abstract method. Should be implemented at the concrete adapter.'
       end
@@ -41,6 +43,10 @@ def cache_check(serializer)
 
       private
 
+      def serialization_options(options)
+        (options ||= {}).slice(*ActiveModel::Serializer::SERIALIZABLE_HASH_VALID_KEYS) # rubocop:disable Lint/UselessAssignment
+      end
+
       def meta
         instance_options.fetch(:meta, nil)
       end
diff --git a/lib/active_model_serializers/adapter/json.rb b/lib/active_model_serializers/adapter/json.rb
@@ -2,7 +2,7 @@ module ActiveModelSerializers
   module Adapter
     class Json < Base
       def serializable_hash(options = nil)
-        options ||= {}
+        options = serialization_options(options)
         serialized_hash = { root => Attributes.new(serializer, instance_options).serializable_hash(options) }
         self.class.transform_key_casing!(serialized_hash, instance_options)
       end
diff --git a/test/adapter_test.rb b/test/adapter_test.rb
@@ -14,6 +14,17 @@ def test_serializable_hash_is_abstract_method
       end
     end
 
+    def test_serialization_options_ensures_option_is_a_hash
+      adapter = Class.new(ActiveModelSerializers::Adapter::Base) do
+        def serializable_hash(options = nil)
+          serialization_options(options)
+        end
+      end.new(@serializer)
+      assert_equal({ only: [:name] }, adapter.serializable_hash(only: [:name]))
+      assert_equal({}, adapter.serializable_hash(nil))
+      assert_equal({}, adapter.serializable_hash({}))
+    end
+
     def test_serializer
       assert_equal @serializer, @adapter.serializer
     end
