Derick Eddington wrote:

> Hi, this is my first post here.

Moin!

> Just how opaque can Ruby objects be made to be?  I'm aware of making private
> methods and that variables require accessor methods but I've seen the name and
> value of instance variables printed in objects' string representations.  Can
> the internals of Ruby objects be made completely invisible?  Can I make an
> object where having a reference to the object gives you ONLY the ability to
> call its desired-to-be-exposed methods and transfer the reference, and
> absolutely nothing else.  Meaning tricky things like:  evil = a.class.new()  or
>  evil = a._internal_[1].namespace["secret"]  can be made impossible?  Can I
> make a class that nullifies all public methods from base class Object?  Would
> this make it provably impossible to do anything other than call the public
> methods I make?

This is possible. It's commonly called a kernel-less Object:

See http://onestepback.org/index.cgi/Tech/Ruby/BlankSlate.rdoc --
however, I think that with that Object you could still do
Object.instance_method(:instance_eval).bind(BlankSlate.new).call {@foo}

I've implemented a KernellessObject that won't allow users to do that 
either. It's part of the evil-ruby project. (See 
http://evil.rubyforge.net). Let's demonstrate it:

irb(main):001:0> blank = KernellessObject.new
irb(main):002:0> Object.instance_method(:instance_eval).bind(blank).call {@foo = 5}
TypeError: bind argument must be an instance of Object

> I hope you get my drift.  The basic principle of capability-security is
> "authority with designation".  How much can I restrict what is designatable to
> Ruby code?

I think that most of it can't be done just yet. It would be very nice to 
have an extensive layer available for all this. I've also heard that 
some features of this are already being integrated into Ruby. 
(Facilities for hiding constants etc.)

You might want to have a look at $SAFE -- it lets you restrict the 
things that code can do. (For example it disallows any I/O operations.)

Regards,
Florian Gross
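
Added example (not part of the original message, and not code from BlankSlate or evil-ruby): a small Ruby audit that removes an object's public methods the blank-slate way and then checks whether its instance variables are still readable by rebinding Object's methods, as the message describes. The classes Vault and BareVault and all helper names are hypothetical; the BasicObject case goes beyond what the message covers.

```ruby
# Constructed stand-in for the blank-slate idea (not the code from the linked
# page): an Object subclass with nearly every inherited public method removed.
class BlankSlate
  instance_methods.each do |m|
    undef_method(m) unless m.to_s =~ /\A__|\Aobject_id\z/
  end
end

# Hypothetical class whose state is meant to stay private.
class Vault < BlankSlate
  def initialize(secret)
    @secret = secret
  end

  def check(guess)
    guess == @secret
  end
end

# Same idea on BasicObject, the near-empty root class of current Ruby.
class BareVault < BasicObject
  def initialize(secret)
    @secret = secret
  end
end

# True when the object's own reflection method is gone.
def direct_reflection_blocked?(obj)
  obj.instance_variable_get(:@secret)
  false
rescue NoMethodError
  true
end

# The expression from the message: take instance_eval from Object as an
# UnboundMethod and bind it to the target, so no method is looked up on it.
def eval_inside(obj, &blk)
  Object.instance_method(:instance_eval).bind(obj).call(&blk)
end

# Encapsulation audit: every instance variable reachable by rebinding.
def leaked_state(obj)
  grab = ->(name, *args) { Object.instance_method(name).bind(obj).call(*args) }
  grab.call(:instance_variables).map { |iv| [iv, grab.call(:instance_variable_get, iv)] }.to_h
end
```

A non-empty result from leaked_state means the object's state is not protected by method removal alone.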