Closed JasonBarnabe closed 6 years ago
Rails 5.2 whitelists the format order('tablename.columnname')
but not order('"tablename"."columnname"')
or any other quoting in that form. We were using the quoted form.
@patricklindsay can you take a look at this PR?
@JasonBarnabe Build now failing after I merged this, which is weird because it had passed...
This is general flakiness where tests usually pass and sometimes don't. I try to fix these whenever I notice, but it seems to happen a lot more on CircleCI than locally.
@JasonBarnabe Thanks for the fixes. However, I am still getting these deprecation warnings, even when I wrap all the custom_orders in Arel.sql. My code looks like this:
```ruby
@books_grid = initialize_grid(
  Book.all,
  include: [:author],
  order: 'authors.name',
  custom_order: { 'authors.name' => Arel.sql('(authors.name, COALESCE(published_at, created_at))') },
)
```
When I visit the page I get these deprecation warnings:
DEPRECATION WARNING: Dangerous query method (method whose arguments are used as raw SQL) called with non-attribute argument(s): "(authors.name, COALESCE(published_at, created_at)) asc". Non-attribute arguments will be disallowed in Rails 6.0. This method should not be called with user-provided values, such as request parameters or model attributes. Known-safe values can be passed by wrapping them in Arel.sql(). (called from block in read at .../wice_grid-4f9a8ec507a2/lib/wice_grid.rb:366)
DEPRECATION WARNING: Dangerous query method (method whose arguments are used as raw SQL) called with non-attribute argument(s): "(authors.name, COALESCE(published_at, created_at)) asc". Non-attribute arguments will be disallowed in Rails 6.0. This method should not be called with user-provided values, such as request parameters or model attributes. Known-safe values can be passed by wrapping them in Arel.sql(). (called from block in active_relation_for_resultset_without_paging_with_user_filters at .../wice_grid-4f9a8ec507a2/lib/wice_grid.rb:647)
What am I doing wrong?
I am running WiceGrid master (gem 'wice_grid', '~> 4.1', github: 'patricklindsay/wice_grid') against Rails 5.2.4.1 with Ruby 2.4.1 and PostgreSQL 9.6.
@kreintjes I have no insight on the problem; I haven't touched this project in a long time.
Related to #11. Ref: https://github.com/rails/rails/pull/27947