Skip to main content

Ruby: All Your Method are Belong to Me

Ruby has a curious approach to protecting instance variables, constants, and private methods.

I've often heard Java programmers criticize Python because it doesn't enforce privacy in any way. Personally, I think that it'd be great if Python could be fully sandboxed like JavaScript can, but sandboxing is a completely separate topic. Preventing a programmer who works on my team from calling a method that I've named _private_method isn't all that interesting to me. If he sees the fact that I've named the method with a leading underscore, and he still feels the need to call it, so be it.

Ruby does provide private instance variables, constants, and private methods, but really, those are just suggestions.

For instance, if you override a constant, you just get a warning:
irb(main):001:0> A = 1
=> 1
irb(main):002:0> A = 2
(irb):2: warning: already initialized constant A
=> 2
irb(main):003:0> puts A
2
=> nil
If you have an object, and you want to call a private method, you can just inject a method into that object in order to get access to the private method:
class SuperSecret
private
def secret
puts "Wombats!"
end
end

obj = SuperSecret.new
begin
puts obj.secret
rescue
puts "Yep, it blocked me properly." # Yep, it gets blocked.
end

def obj.hack_the_secret
secret
end

obj.hack_the_secret # Prints "Wombats!"
You can use the same "inject a method" trick to get access to instance variables:
def obj.get_a
@a
end
In no way am I criticizing Ruby for this behavior. As I said, I think it's a bad situation if you can't trust your team members. I just wanted to point out that in Ruby, the protection mechanisms are really just suggestions ;)

Comments

Anonymous said…
You can also use instance_eval to get at instance variables:

obj.instance_eval { @a }
Tom said…
Or #send.

obj.send(:private_method)
jjinux said…
Wow, even #send doesn't enforce the constraints? That's crazy ;)
Anonymous said…
Well, given security constraints are not set you can call private java method (using reflection and setAccessible(boolean))
Anonymous said…
The intent in 1.9 is supposedly to switch it so that send does respect private vs non-private, and a different version (I think last I checked it was __send__) does not. The clearest way to get an instance variable, by the way, is instance_variable_get:

obj.instance_variable_get :@a

Similarly, you can set them via instance_variable_set. It turns out that the approach that it is `just a suggestion' is a common one in Ruby: show convention, but allow the programmer the flexibility to achieve what they want without getting in the way. In short, trust the programmer. This is a concept that is completely alien to Java's approach -- and that's why Java is usually better suited to the so-called `enterprise', where you often meet subpar coders who would blow entire cities up accidentally if they had the flexibility that Ruby provides.
jjinux said…
> Well, given security constraints are not set you can call private java method (using reflection and setAccessible(boolean))

That's so awesome ;) Thanks for the comment!
jjinux said…
> In short, trust the programmer.

I agree. Thanks for the comment ;)
Josh Peters said…
private, protected, and public have a purpose: they keep folks away from the unstable parts of your API.

It's a very, very good thing to have a means by which you can keep programmers from inadvertently depending on what should be refactorable. That's what we're doing when we declare something private, we're saying "it may go away in a .x revision"

Popular posts from this blog

Drawing Sierpinski's Triangle in Minecraft Using Python

In his keynote at PyCon, Eben Upton, the Executive Director of the Rasberry Pi Foundation, mentioned that not only has Minecraft been ported to the Rasberry Pi, but you can even control it with Python. Since four of my kids are avid Minecraft fans, I figured this might be a good time to teach them to program using Python. So I started yesterday with the goal of programming something cool for Minecraft and then showing it off at the San Francisco Python Meetup in the evening.

The first problem that I faced was that I didn't have a Rasberry Pi. You can't hack Minecraft by just installing the Minecraft client. Speaking of which, I didn't have the Minecraft client installed either ;) My kids always play it on their Nexus 7s. I found an open source Minecraft server called Bukkit that "provides the means to extend the popular Minecraft multiplayer server." Then I found a plugin called RaspberryJuice that implements a subset of the Minecraft Pi modding API for Bukkit s…

Apple: iPad and Emacs

Someone asked my boss's buddy Art Medlar if he was going to buy an iPad. He said, "I figure as soon as it runs Emacs, that will be the sign to buy." I think he was just trying to be funny, but his statement is actually fairly profound.

It's well known that submitting iPhone and iPad applications for sale on Apple's store is a huge pain--even if they're free and open source. Apple is acting as a gatekeeper for what is and isn't allowed on your device. I heard that Apple would never allow a scripting language to be installed on your iPad because it would allow end users to run code that they hadn't verified. (I don't have a reference for this, but if you do, please post it below.) Emacs is mostly written in Emacs Lisp. Per Apple's policy, I don't think it'll ever be possible to run Emacs on the iPad.

Emacs was written by Richard Stallman, and it practically defines the Free Software movement (in a manner of speaking at least). Stal…

JavaScript: Porting from react-css-modules to babel-plugin-react-css-modules (with Less)

I recently found a bug in react-css-modules that prevented me from upgrading react-mobx which prevented us from upgrading to React 16. Then, I found out that react-css-modules is "no longer actively maintained". Hence, whether I wanted to or not, I was kind of forced into moving from react-css-modules to babel-plugin-react-css-modules. Doing the port is mostly straightforward. Once I switched libraries, the rest of the port was basically:
Get ESLint to pass now that react-css-modules is no longer available.Get babel-plugin-react-css-modules working with Less.Get my Karma tests to at least build.Get the Karma tests to pass.Test things thoroughly.Fight off merge conflicts from the rest of engineering every 10 minutes ;) There were a few things that resulted in difficult code changes. That's what the rest of this blog post is about. I don't think you can fix all of these things ahead of time. Just read through them and keep them in mind as you follow the approach above.…