patricklindsay / wice_grid

A Rails grid plugin to create grids with sorting, pagination, and (automatically generated) filters
http://wicegrid.herokuapp.com/
MIT License

Fix 'Dangerous query methods' deprecation in Rails 5.2 #41

Closed JasonBarnabe closed 6 years ago

JasonBarnabe commented 6 years ago

Related to #11. Ref: https://github.com/rails/rails/pull/27947

JasonBarnabe commented 6 years ago

Rails 5.2 whitelists the format order('tablename.columnname') but not order('"tablename"."columnname"') or any other quoting in that form. We were using the quoted form.

JasonBarnabe commented 6 years ago

@patricklindsay can you take a look at this PR?

patricklindsay commented 6 years ago

@JasonBarnabe Build now failing after I merged this, which is weird because it had passed...

JasonBarnabe commented 6 years ago

This is general flakiness where tests usually pass and sometimes don't. I try to fix these whenever I notice, but it seems to happen a lot more on CircleCI than locally.

JasonBarnabe commented 6 years ago

43

kreintjes commented 4 years ago

@JasonBarnabe Thanks for the fixes. However, I am still getting these deprecation warnings, even when I wrap all the custom_orders in Arel.sql. My code looks like this:

@books_grid = initialize_grid(
  Book.all,
  include: [:author],
  order: 'authors.name',
  custom_order: { 'authors.name' => Arel.sql('(authors.name, COALESCE(published_at, created_at))') },
)

When I visit the page I get these deprecation warnings:

DEPRECATION WARNING: Dangerous query method (method whose arguments are used as raw SQL) called with non-attribute argument(s): "(authors.name, COALESCE(published_at, created_at)) asc". Non-attribute arguments will be disallowed in Rails 6.0. This method should not be called with user-provided values, such as request parameters or model attributes. Known-safe values can be passed by wrapping them in Arel.sql(). (called from block in read at .../wice_grid-4f9a8ec507a2/lib/wice_grid.rb:366)
DEPRECATION WARNING: Dangerous query method (method whose arguments are used as raw SQL) called with non-attribute argument(s): "(authors.name, COALESCE(published_at, created_at)) asc". Non-attribute arguments will be disallowed in Rails 6.0. This method should not be called with user-provided values, such as request parameters or model attributes. Known-safe values can be passed by wrapping them in Arel.sql(). (called from block in active_relation_for_resultset_without_paging_with_user_filters at .../wice_grid-4f9a8ec507a2/lib/wice_grid.rb:647)

What am I doing wrong?

I am running WiceGrid master (gem 'wice_grid', '~> 4.1', github: 'patricklindsay/wice_grid') against Rails 5.2.4.1 with Ruby 2.4.1 and PostgreSQL 9.6.
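An added illustration (not code from wice_grid or Rails) of the check behind these warnings: a stand-alone model of what Rails 5.2 does with order() arguments, modelled on ActiveRecord's disallow_raw_sql! and its COLUMN_NAME_ORDER_WHITELIST, showing why the unquoted 'authors.name' form passes, the quoted form does not, and why the warning above still fires even though custom_order was wrapped: the reported string ends in " asc", so the direction was appended to the Arel.sql value by string interpolation, which yields a plain String and drops the known-safe marking. SqlLiteral and arel_sql are stand-ins for Arel::Nodes::SqlLiteral and Arel.sql.

```ruby
# Added example (not wice_grid's or Rails' code): a stand-alone model of the
# check Rails 5.2 runs on order() arguments, modelled on ActiveRecord's
# disallow_raw_sql! and COLUMN_NAME_ORDER_WHITELIST, so it runs without Rails.
# Stand-in for Arel::Nodes::SqlLiteral, which really is a String subclass.
class SqlLiteral < String; end

# Stand-in for Arel.sql: marks a string as known-safe.
def arel_sql(str)
  SqlLiteral.new(str)
end
# Same shape as the Rails 5.2 whitelist: an UNQUOTED table.column, optionally
# followed by a direction and a NULLS placement. Quoted identifiers never match.
COLUMN_NAME_ORDER_WHITELIST = /
  \A
  \s*
  (?:\w+\.)?                      # optional unquoted table name
  \w+                             # unquoted column name
  (?:\s+asc|\s+desc)?             # optional direction
  (?:\s+nulls\s+(?:first|last))?  # optional NULLS FIRST or LAST
  \s*
  \z
/ix

# Returns the arguments Rails 5.2 would warn about (empty array means no warning).
def unsafe_order_args(*args)
  args.reject do |arg|
    arg.is_a?(SqlLiteral) ||
      arg.to_s.split(/\s*,\s*/).all? { |part| COLUMN_NAME_ORDER_WHITELIST.match?(part) }
  end
end

CUSTOM_ORDER = arel_sql('(authors.name, COALESCE(published_at, created_at))')

# The situation in the warning above: the direction is appended by string
# interpolation, which yields a plain String, so the known-safe marking is lost.
def lost_wrapping
  unsafe_order_args("#{CUSTOM_ORDER} asc")
end

# Wrapping the final string keeps the marking, and the warning does not fire.
def kept_wrapping
  unsafe_order_args(arel_sql("#{CUSTOM_ORDER} asc"))
end

if __FILE__ == $0
  p unsafe_order_args('authors.name')      # []
  p unsafe_order_args('"authors"."name"')  # ['"authors"."name"']
  p lost_wrapping, kept_wrapping
end
```

The point for the grid code is that the wrapping has to be applied to the final string that reaches order(), after the direction is appended, not only to the value stored in custom_order.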

JasonBarnabe commented 4 years ago

@kreintjes I have no insight on the problem; I haven't touched this project in a long time.