jrochkind
commented
1 month ago Very nice! More code than I expected to replace ransack searching -- but I see we had a lot of it before ANYWAY, becuase we were doing non-standard ransack things like jsonb searches anyway, we've just moved it around.
The search phrase is sanitized. I don't believe it was before.
Hm.... in many cases ActiveRecord will santize for us. .where(something: value) should be sanitized for us, as will .where("something operator ?", value). You only need to sanitize yourself if you are constructing SQL yourself, say with ruby string interpolation (instead of passing a value to an AR method), like something > #{my_value} -- that would need explicit sanitization.
I'm worried if you sanitize where not required, it could result in a "double escaping" issue for some input. I'm not actually sure where you added the sanitization, can we look at it and/or find a way to test it to ensure it's needed?
returning a permitted strongparams object
I don't think actually required -- strongparams is for when you're like taking ALL of the input params and giving them to something that's going to use everything that's there. When you are explicitly choosing keys like params[:some_key] it's not required -- but also shouldn't hurt?
eddierubeiz
Ref https://github.com/sciencehistory/scihist_digicoll/issues/2450
We were only using Ransack in two controllers. This takes care of the second one: the admin works controller.
Controller changes
sort_link_makermethod creates the link factory;index_paramsmethod validates and sanitizes params, returning a permittedstrongparamsobject;#indexmethod now;q_parent_id_nullis now namedinclude_child_works).Other changes
Workmodel;Note This PR depends on #2744, which took care of the collections controller.