Merge pull request #310 from stripe/drj/t5176-legal-entity-override

Disallow directly overriding legal_entity
2025-12-07 00:00:35 -05:00 · 2015-10-02 12:12:09 -07:00 · 2015-10-02 12:12:09 -07:00 · 7d28eaab64
commit 7d28eaab64
parent 90c6eeb398 387edb5163
4 changed files with 45 additions and 3 deletions
--- a/lib/stripe/account.rb
+++ b/lib/stripe/account.rb
@ -27,6 +27,18 @@ module Stripe
      super(id, opts)
    end

+    def protected_fields
+      [:legal_entity]
+    end
+
+    def legal_entity
+      self['legal_entity']
+    end
+
+    def legal_entity=(_)
+      raise NoMethodError.new('Overridding legal_entity can cause cause serious issues. Instead, set the individual fields of legal_entity like blah.legal_entity.first_name = \'Blah\'')
+    end
+
    def deauthorize(client_id, opts={})
      opts = {:api_base => Stripe.connect_base}.merge(Util.normalize_opts(opts))
      response, opts = request(:post, '/oauth/deauthorize', { 'client_id' => client_id, 'stripe_user_id' => self.id }, opts)
--- a/lib/stripe/stripe_object.rb
+++ b/lib/stripe/stripe_object.rb
@ -210,9 +210,15 @@ module Stripe
      class << self; self; end
    end

+    def protected_fields
+      []
+    end
+
    def remove_accessors(keys)
+      f = protected_fields
      metaclass.instance_eval do
        keys.each do |k|
+          next if f.include?(k)
          next if @@permanent_attributes.include?(k)
          k_eq = :"#{k}="
          remove_method(k) if method_defined?(k)
@ -222,8 +228,10 @@ module Stripe
    end

    def add_accessors(keys, values)
+      f = protected_fields
      metaclass.instance_eval do
        keys.each do |k|
+          next if f.include?(k)
          next if @@permanent_attributes.include?(k)
          k_eq = :"#{k}="
          define_method(k) { @values[k] }
--- a/test/stripe/account_test.rb
+++ b/test/stripe/account_test.rb
@ -77,6 +77,24 @@ module Stripe
      a.save
    end

+    should 'disallow direct overrides of legal_entity' do
+      account = Stripe::Account.construct_from(make_account({
+        :keys => {
+          :publishable => 'publishable-key',
+          :secret => 'secret-key',
+        },
+        :legal_entity => {
+          :first_name => 'Bling'
+        }
+      }))
+
+      assert_raise NoMethodError do
+        account.legal_entity = {:first_name => 'Blah'}
+      end
+
+      account.legal_entity.first_name = 'Blah'
+    end
+
    should "be able to deauthorize an account" do
      resp = {:id => 'acct_1234', :email => "test+bindings@stripe.com", :charge_enabled => false, :details_submitted => false}
      @mock.expects(:get).once.returns(make_response(resp))
--- a/test/stripe/api_resource_test.rb
+++ b/test/stripe/api_resource_test.rb
@ -545,6 +545,10 @@ module Stripe
          :id => 'myid',
          :legal_entity => {
            :last_name => 'Smith',
+            :address => {
+              :line1 => "test",
+              :city => "San Francisco"
+            }
          }
        })

@ -552,12 +556,12 @@ module Stripe
          "#{Stripe.api_base}/v1/accounts/myid",
          nil,
          any_of(
-            'legal_entity[first_name]=Bob&legal_entity[last_name]=',
-            'legal_entity[last_name]=&legal_entity[first_name]=Bob'
+            'legal_entity[address][line1]=Test2&legal_entity[address][city]=',
+            'legal_entity[address][city]=&legal_entity[address][line1]=Test2'
          )
        ).returns(make_response({"id" => "myid"}))

-        acct.legal_entity = {:first_name => 'Bob'}
+        acct.legal_entity.address = {:line1 => 'Test2'}
        acct.save
      end