mbleigh / acts-as-taggable-on

A tagging plugin for Rails applications that allows for custom tagging along dynamic contexts.
http://mbleigh.lighthouseapp.com/projects/10116-acts-as-taggable-on
MIT License

ActiveRecord::UnknownAttributeReference - Dangerous query method #1094

Open activklaus opened 1 year ago

activklaus commented 1 year ago

Trying to run something simple like

post.tagged_with('awesome')

and keep getting

ActiveRecord::UnknownAttributeReference (Dangerous query method (method whose arguments are used as raw SQL) called with non-attribute argument(s): "SELECT COUNT(taggings.*) AS taggings_count FROM taggings ORDER BY taggings_count DESC". This method should not be called with user-provided values, such as request parameters or model attributes. Known-safe values can be passed by wrapping them in Arel.sql().)

When I run

post.tagged_with('awesome', any: true)

everything works fine.

Running Rails 7 on Ruby 3, acts-as-taggable-on 9.0.1

activklaus commented 1 year ago

Sorry, I wasn't precise enough. The query looked like this:

post.tagged_with('awesome', any: false, order_by_matching_tag_count: true)

After removing order_by_matching_tag_count: true the exception disappeared.

Although this makes sense in a logical way (when you look for items that are all tagged with the exact same tags you cannot order them by tag count) I think it is still an issue because in a technical way the query should be perfectly valid. Yet, the gem builds a query that violates the Rails logic of safe queries by creating a query string that contains stringified potentially insecure ("user-provided") values.
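The exception in this thread comes from the allow-list check Rails applies to the arguments of order()/pluck()/reorder(): a plain string is accepted only if it looks like a column reference (optionally with a direction), and anything else must be wrapped in Arel.sql() by a caller who vouches for it. The following is an added, stand-alone illustration of that check written for this page; it is not code from acts-as-taggable-on or from Rails, runs without ActiveRecord, and uses its own names (KnownSafeSql, safe_order_args, known_safe). The regex is a simplified model of Rails' COLUMN_NAME_WITH_ORDER pattern, not a copy of it, and the sample fragment is the one quoted in the error above.

```ruby
# Added example: re-creating the "dangerous query method" allow-list check
# outside ActiveRecord. Names and the simplified regex are this example's own.

# Stand-in for Arel::Nodes::SqlLiteral, which is what Arel.sql() returns:
# a string the caller has vouched for, so the check passes it through.
KnownSafeSql = Struct.new(:sql) do
  def to_s
    sql
  end
end

class UnknownAttributeReference < StandardError; end

# Allow-list: "column", "table.column", or a function with zero or one
# column argument, each with optional ASC/DESC and NULLS FIRST|LAST,
# comma-separated. Simplified model of Rails' COLUMN_NAME_WITH_ORDER.
COLUMN_WITH_ORDER = /
  \A
  (
    (?:
      (?:\w+\.)?\w+                  # column or table.column
      | \w+\((?:(?:\w+\.)?\w+)?\)    # func() or func(column)
    )
    (?:\s+(?:ASC|DESC))?
    (?:\s+NULLS\s+(?:FIRST|LAST))?
  )
  (?:\s*,\s*\g<1>)*
  \z
/ix

# Returns the SQL fragments that may be interpolated into ORDER BY.
# Symbols are attribute names, KnownSafeSql is trusted as-is, and a bare
# String must match the allow-list; everything else raises, as Rails does.
def safe_order_args(*args)
  args.map do |arg|
    case arg
    when Symbol then arg.to_s
    when KnownSafeSql then arg.sql
    when String
      next arg if arg.match?(COLUMN_WITH_ORDER)
      raise UnknownAttributeReference,
            "Dangerous query method called with non-attribute argument(s): #{arg.inspect}. " \
            "Known-safe values can be passed by wrapping them in Arel.sql()."
    else
      raise ArgumentError, "unsupported order argument #{arg.class}"
    end
  end
end

# Mark a string as known-safe, the way Arel.sql() does in Rails. Only do
# this for SQL the application itself built, never for request input.
def known_safe(sql)
  KnownSafeSql.new(sql)
end

# The fragment the gem passes for order_by_matching_tag_count, taken from the
# error message in this issue: a whole subquery, so it can never look like a
# column name and the allow-list rejects it.
GEM_FRAGMENT = 'SELECT COUNT(taggings.*) AS taggings_count FROM taggings ORDER BY taggings_count DESC'

def gem_fragment_rejected?
  safe_order_args(GEM_FRAGMENT)
  false
rescue UnknownAttributeReference
  true
end

if __FILE__ == $PROGRAM_NAME
  p safe_order_args("taggings_count DESC", :name, "posts.created_at ASC NULLS LAST")
  p gem_fragment_rejected?                      # the gem's raw string is refused
  p safe_order_args(known_safe(GEM_FRAGMENT))   # the same string, explicitly vouched for
end
```

The point for the gem is visible in the last two calls: the string itself is not the problem, the missing Arel.sql() wrapper is. The check is a heuristic allow-list, not a SQL parser, so wrapping should be reserved for fragments the library assembled from its own constants, never for tag names or other values that arrived in a request.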