Preventing accidental serialization of ActiveRecord models

Documentation Developer Guides
1

We’ve introduced a patch to prevent the accidental serialization of ActiveRecord models without specifying the fields to be serialized. This change ensures that we control which fields are included, avoiding potential issues with incomplete or excessive data being exposed.

By default, rendering an ActiveRecord model as JSON includes all attributes, which may not be desirable in many cases. To enforce better practices, we need to specify which fields should be serialized.

Usage Examples

Incorrect Usage:

def show
  @user = User.first
  render json: @user
end

In development and tests, this will result in:

ActiveRecordSerializationSafety::BlockedSerializationError:
Serializing ActiveRecord models (User) without specifying fields is not allowed.
Use a Serializer, or pass the :only option to #serializable_hash. More info: https://meta.discourse.org/t/-/314495    
./lib/freedom_patches/active_record_disable_serialization.rb:15:in `serializable_hash'

Correct Usage:

  1. Using a Serializer
class UserSerializer < ApplicationSerializer
  attributes :id, :email
end

def show
  @user = User.first
  render json: @user, serializer: UserSerializer
end
  1. Using the :only option
def show
  @user = User.first
  render json: @user.as_json(only: [:id, :email])
end
5 Likes
3

Just to clarify for those that may encounter this in the wild, this means that all uses of the serialization methods in ActiveModel::Serialization, e.g. as_json, regardless of context (including in specs), will result in an error unless you pass the only option. See further

https://apidock.com/rails/ActiveModel/Serializers/JSON/as_json

For an example see:

3 Likes