parse-stack-next 5.1.0 → 5.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 772e66e343ad34518fc37221d1a838a54cccea2df2df768528d82ba47bfb5666
-  data.tar.gz: efcac9f096ddbbedf78c3305b15094567e3f6ab94092621c263ccd428191d1c4
+  metadata.gz: bf1451bb2477254dffcd1758a04b44db981520e8662e34f077f34c58926b1c7b
+  data.tar.gz: 07165f4c4106e3d6a27a5a0a3822efcb7e8e57f9953b5f1ba2c5a4ff2975e439
 SHA512:
-  metadata.gz: 0bb36aad589b3dbe9a447f199b817bf4af9db906a2691de3f92a655204dcfa67decf454c910b80b35269862db40dbc590ce82fe21656b91e197f6e1c59494397
-  data.tar.gz: 5829b94978f92be9ab13fce27b4803b9c28b780ce6071be47dd1187d2ee2aeed98eb44efc5ac2f553f8de8f508be454505c68f8a76d3921f2beda47b234eb406
+  metadata.gz: 2fe51d5af265832b6b08053da792911b4c79db36e3dab1c3e1ec2383984c13354ee740c56587eca4a91081bdfddb0f73fe1d1cf14b5a33be85468836df95c181
+  data.tar.gz: 1ad6fdd0ede5db83526730cc4ae103be228085cbf2ae3819431e6f11faae4cac6b66b037a81d20fc50e2b0c375eae70eb590647fc295543b6097079d8548d408

data/CHANGELOG.md

@@ -1,5 +1,46 @@
 ## parse-stack-next Changelog
 
+### 5.1.1
+
+#### Suppress spurious className-mismatch warnings for system-class underscore aliases
+
+Parse Server stores its built-in classes under leading-underscore names
+(`_User`, `_Role`, `_Session`, `_Installation`) while the SDK and model
+declarations refer to them without the underscore (`User`, `Role`, and so
+on). These are the same class, but five className-mismatch warn sites
+compared the two forms as raw strings, so building a server-sent pointer for
+a `belongs_to :user` association (for example `Parse::Installation#user`,
+added in 5.1.0) logged a pair of harmless-but-noisy warnings such as
+`expected className="User", ignoring incoming className="_User"` on every
+read. Autoload order contributed: when an association is declared,
+`Parse::User` may not yet be registered, so the captured class name falls
+back to `"User"` rather than `"_User"`.
+
+- **FIXED**: Building a pointer whose declared class and incoming class differ
+  only by Parse Server's leading-underscore system prefix (`User`/`_User`,
+  `Role`/`_Role`, `Session`/`_Session`, `Installation`/`_Installation`) no
+  longer emits a className-mismatch warning. `Parse::Object.build`,
+  `Array#parse_objects`, the `belongs_to` getter and setter, and the
+  `has_many` relation builder now treat the two forms as the same class.
+  (`lib/parse/model/object.rb`,
+  `lib/parse/model/associations/belongs_to.rb`,
+  `lib/parse/model/associations/has_many.rb`)
+- **NEW**: `Parse::Model.same_parse_class?(a, b)` returns true when two Parse
+  class-name strings denote the same class — string-equal, related by exactly
+  one Parse Server system-prefix underscore, or both resolving to the same
+  registered `Parse::Object` subclass (covering custom `parse_class` table
+  mappings). This is the canonical equality the warn sites now gate on.
+  (`lib/parse/model/model.rb`)
+- **CHANGED**: The className-mismatch type-confusion guard is preserved. A
+  pointer to a genuinely different class shoved into a typed slot (for example
+  a `_Session` or `_Role` pointer in a `User`-typed association, whether from
+  hostile server JSON or mass assignment) still produces the warning, because
+  distinct classes — `nil`, and malformed names that differ by more than a
+  single system-prefix underscore such as `__User` — continue to compare
+  unequal. The warning is advisory: every call site builds the object from the
+  declared class regardless of the incoming className, so the equality check
+  only governs whether the mismatch is logged.
+
 ### 5.1.0
 
 #### `Parse::File` — URL normalization, presigned-URL stash, leak hardening

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    parse-stack-next (5.1.0)
+    parse-stack-next (5.1.1)
       activemodel (>= 6.1, < 9)
       activesupport (>= 6.1, < 9)
       connection_pool (>= 2.2, < 4)

data/lib/parse/model/associations/belongs_to.rb

@@ -189,7 +189,7 @@ module Parse
               # prevents type confusion where a pointer to a different class
               # (e.g. _Session or _Role) gets shoved into a typed slot.
               incoming_class = val[Parse::Model::KEY_CLASS_NAME]
-              if incoming_class && incoming_class != klassName
+              if incoming_class && !Parse::Model.same_parse_class?(incoming_class, klassName)
                 warn "[#{self.class}] belongs_to :#{association_key} expected className=#{klassName.inspect}, ignoring incoming className=#{incoming_class.inspect}"
               end
               val = Parse::Object.build val, klassName, fetched_keys: nested_keys
@@ -229,7 +229,7 @@ module Parse
               nested_keys = nested_keys_for(key)
               # Always trust declared klassName over incoming hash className.
               incoming_class = val[Parse::Model::KEY_CLASS_NAME]
-              if incoming_class && incoming_class != klassName
+              if incoming_class && !Parse::Model.same_parse_class?(incoming_class, klassName)
                 warn "[#{self.class}] belongs_to :#{key} expected className=#{klassName.inspect}, ignoring incoming className=#{incoming_class.inspect}"
               end
               val = Parse::Object.build val, klassName, fetched_keys: nested_keys

data/lib/parse/model/associations/has_many.rb

@@ -533,7 +533,7 @@ module Parse
             # Prevents type-confusion attacks that would mark this relation
             # proxy as a different parse_class than the model declared.
             if val.is_a?(Hash) && val[Parse::Model::KEY_CLASS_NAME] &&
-               val[Parse::Model::KEY_CLASS_NAME] != klassName &&
+               !Parse::Model.same_parse_class?(val[Parse::Model::KEY_CLASS_NAME], klassName) &&
                %w[Relation].include?(val["__type"])
               warn "[#{self.class}] has_many :#{key} expected className=#{klassName.inspect}, ignoring incoming className=#{val[Parse::Model::KEY_CLASS_NAME].inspect}"
             end

data/lib/parse/model/model.rb

@@ -204,6 +204,47 @@ module Parse
         result
       end
     end
+
+    # Whether two Parse class-name strings denote the same class. This is the
+    # canonical equality used to suppress spurious className-mismatch warnings.
+    # Two names are the same class when they are string-equal, when one is the
+    # leading-underscore system form of the other (+User+ <-> +_User+, +Role+
+    # <-> +_Role+, +Installation+ <-> +_Installation+, +Session+ <->
+    # +_Session+), or when both resolve to the same registered +Parse::Object+
+    # subclass (covers custom +parse_class+ table mappings).
+    #
+    # The underscore rule is what makes the comparison correct independent of
+    # autoload order — at declaration time {find_class} may not yet have
+    # +Parse::User+ registered (so a +belongs_to :user+ captures +"User"+
+    # rather than +"_User"+), but the server always emits the +_User+ storage
+    # form, and both denote the same class. The rule matches exactly one
+    # system prefix underscore, so a malformed +"__User"+ is not conflated
+    # with +"_User"+.
+    #
+    # These warnings are an ADVISORY type-confusion signal, not the
+    # enforcement mechanism: every call site that consults this method builds
+    # the resulting object from the declared/trusted class regardless of the
+    # incoming className (see +Parse::Object.build+, which always uses the
+    # +table+ argument the caller passes). A false-positive here can therefore
+    # only suppress a log line — it can never route a pointer of the wrong
+    # class into a typed slot. Distinct classes still compare unequal (+User+
+    # vs +_Session+, +User+ vs +_Role+, and +nil+), so a genuinely mismatched
+    # pointer still surfaces in logs.
+    #
+    # @param a [String, Symbol, nil] a Parse class name.
+    # @param b [String, Symbol, nil] a Parse class name.
+    # @return [Boolean] true when both names denote the same Parse class.
+    def self.same_parse_class?(a, b)
+      return true if a == b
+      return false if a.nil? || b.nil?
+      a = a.to_s
+      b = b.to_s
+      return true if a == b
+      return true if (a == "_#{b}" && !b.start_with?("_")) ||
+                     (b == "_#{a}" && !a.start_with?("_"))
+      ka = find_class(a)
+      !ka.nil? && ka == find_class(b)
+    end
   end
 end
 

data/lib/parse/model/object.rb

@@ -1749,7 +1749,7 @@ module Parse
         className = parse_class
       end
       className ||= incoming_class
-      if className && incoming_class && incoming_class != className
+      if className && incoming_class && !Parse::Model.same_parse_class?(incoming_class, className)
         warn "[Parse::Object.build] expected className=#{className.inspect}, ignoring incoming className=#{incoming_class.inspect}"
       end
       if json.is_a?(Hash) && json["error"].present? && json["code"].present?
@@ -2094,7 +2094,7 @@ class Array
                      # Caller knows the type; warn on mismatch but always
                      # use the declared className.
                      incoming = m[f] || m[:className]
-                     if incoming && incoming != className
+                     if incoming && !Parse::Model.same_parse_class?(incoming, className)
                        warn "[Parse::Array#parse_objects] expected className=#{className.inspect}, ignoring incoming className=#{incoming.inspect}"
                      end
                      className

data/lib/parse/stack/version.rb

@@ -6,6 +6,6 @@ module Parse
   # The Parse Server SDK for Ruby
   module Stack
     # The current version.
-    VERSION = "5.1.0"
+    VERSION = "5.1.1"
   end
 end

data/lib/parse/webhooks/payload.rb

@@ -253,7 +253,8 @@ module Parse
         expected = parse_class
         return false if expected.nil?
         [@object, @original, @update].any? do |h|
-          h.is_a?(Hash) && h["className"] && h["className"] != expected
+          h.is_a?(Hash) && h["className"] &&
+            !Parse::Model.same_parse_class?(h["className"], expected)
         end
       end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: parse-stack-next
 version: !ruby/object:Gem::Version
-  version: 5.1.0
+  version: 5.1.1
 platform: ruby
 authors:
 - Anthony Persaud