Having some issues with the Audited.current_user_method configuration option falling back to null user_id and user_type on audit entries when the method is not defined on the controller.
audited/lib/audited/sweeper.rb, line 23 at commit dbf8432:

    lambda { controller.send(Audited.current_user_method) if controller.respond_to?(Audited.current_user_method, true) }
The if statement should be omitted entirely, or alternatively, another exception should be raised that makes it more verbose than just a NoMethodError if the specified method is inaccessible.
This is a very concerning issue to encounter with a gem that has to do with risk and compliance, and I think this warrants a CVE being raised, as it affects the integrity/accountability that was intended by implementing this gem in the first place. Issues like this should cause a failure of some sort, and do so as early as possible.
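Added example, not the audited gem's own code: a stand-alone Ruby reproduction of the lenient lookup quoted above (the `respond_to?` guard returning nil when the configured method is missing) beside a fail-fast variant that raises instead. `AuditConfig`, the two constructed controllers and `MissingAuditUserMethod` are assumptions for the illustration.

```ruby
# Stand-in for the gem's configuration (assumption: the real gem reads
# Audited.current_user_method, which defaults to :current_user).
module AuditConfig
  class << self
    attr_accessor :current_user_method
  end
  self.current_user_method = :current_user
end

User = Struct.new(:id)

# Constructed controllers: one defines the configured method, one does not.
class ControllerWithUser
  private

  def current_user
    User.new(42)
  end
end

class ControllerWithoutUser; end

# Mirrors the lambda quoted from sweeper.rb line 23: when the controller lacks
# the method, respond_to? is false, the modifier-if skips the call and the
# block yields nil, so the audit row is written with NULL user_id/user_type.
def lenient_current_user(controller)
  controller.send(AuditConfig.current_user_method) if controller.respond_to?(AuditConfig.current_user_method, true)
end

# Fail-fast alternative in the spirit of the issue: a misconfigured
# current_user_method aborts the request instead of silently producing an
# unattributed audit entry.
class MissingAuditUserMethod < StandardError; end

def strict_current_user(controller)
  m = AuditConfig.current_user_method
  unless controller.respond_to?(m, true)
    raise MissingAuditUserMethod,
          "#{controller.class} does not define ##{m}; audit entry would record no user"
  end
  controller.send(m) # send reaches private methods, matching the gem's lookup
end

if __FILE__ == $0
  p lenient_current_user(ControllerWithoutUser.new) # nil, no error raised
  p strict_current_user(ControllerWithUser.new).id  # 42
  begin
    strict_current_user(ControllerWithoutUser.new)
  rescue MissingAuditUserMethod => e
    warn e.message
  end
end
```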