blacklight 7.25.1 → 7.25.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f5591ce042284ddde98c77e6027f09782e681195f31fc919870d3c5efd1dd029
-  data.tar.gz: ffaf195a0ce3b1ea7a5b2e5958c4cea4daaab81bc34b3075452f44858ff084d9
+  metadata.gz: 8c6c1570bf376880fa59c30420730762bf4694b4681856c9b367a6ecd2bb4bb7
+  data.tar.gz: 459f8098798a27f3474f2036143adc65d80955f16136cda54a2a244f86223003
 SHA512:
-  metadata.gz: 5ae17a8834d21cc7e0229846a7ec37bdeb8ff2f451abf06b9d399580dcffe0d924d80840789d2db9152c440266fb4a8fced5c9fc7f9ef397873af8f5d84a1740
-  data.tar.gz: 8c4a34218c70c030bc5622ac1e32d84ef5967f7ae3f84fc7b044ff2004922d3cbb78e74ff96ea7d4e0f4a3aedf95f57393bc3815c36c5e27958531d3f0b58ca4
+  metadata.gz: 2fee85026a8eff0f283ea7f4d8936248872cbe0e3e87793ecfc13d479f0233723db03fbc01d418f5e242899a909c115b104fd6b9a680a4d21c5132cfabf2d030
+  data.tar.gz: e0a50dbea2c14447fb1f43b77e1f36f0b93974bfba525af0a9f677252fa19f064a4efd37ef913cd917e4d0d063df3c1600523e8d98be94c15ad083a75c4d1944

data/.github/workflows/ruby.yml

@@ -43,7 +43,7 @@ jobs:
     - name: Run tests
       run: bundle exec rake ci
       env:
-        ENGINE_CART_RAILS_OPTIONS: '--skip-git --skip-listen --skip-spring --skip-keeps --skip-action-cable --skip-coffee --skip-test'
+        ENGINE_CART_RAILS_OPTIONS: '-a propshaft --skip-git --skip-listen --skip-spring --skip-keeps --skip-action-cable --skip-coffee --skip-test'
   test_bootstrap5:
     runs-on: ubuntu-latest
     strategy:

data/.rubocop.yml

@@ -39,6 +39,7 @@ Metrics/ClassLength:
     - "lib/blacklight/configuration.rb"
     - "lib/blacklight/search_builder.rb"
     - "lib/blacklight/search_state.rb"
+    - "lib/blacklight/search_state/filter_field.rb"
 
 Layout/LineLength:
   Max: 200

data/VERSION

@@ -1 +1 @@
-7.25.1
+7.25.2

data/app/components/blacklight/search_bar_component.rb

@@ -10,7 +10,7 @@ module Blacklight
     # rubocop:disable Metrics/ParameterLists
     def initialize(
       url:, params:,
-      advanced_search_url: nil,
+      advanced_search_url: nil, presenter: nil,
       classes: ['search-query-form'], prefix: nil,
       method: 'GET', q: nil, query_param: :q,
       search_field: nil, search_fields: nil, autocomplete_path: nil,
@@ -29,6 +29,10 @@ module Blacklight
       @autofocus = autofocus
       @search_fields = search_fields
       @i18n = i18n
+      return if presenter.nil?
+
+      Deprecation.warn(self, 'SearchBarComponent no longer uses a SearchBarPresenter, the presenter: param will be removed in 8.0. ' \
+        'Set advanced_search.enabled, autocomplete_enabled, and enable_search_bar_autofocus on BlacklightConfiguration')
     end
     # rubocop:enable Metrics/ParameterLists
 

data/app/controllers/concerns/blacklight/bookmarks.rb

@@ -75,12 +75,15 @@ module Blacklight::Bookmarks
 
     current_or_guest_user.save! unless current_or_guest_user.persisted?
 
-    success = @bookmarks.all? do |bookmark|
-      current_or_guest_user.bookmarks.where(bookmark).exists? || current_or_guest_user.bookmarks.create(bookmark)
+    bookmarks_to_add = @bookmarks.reject { |bookmark| current_or_guest_user.bookmarks.where(bookmark).exists? }
+    success = ActiveRecord::Base.transaction do
+      current_or_guest_user.bookmarks.create!(bookmarks_to_add)
+    rescue ActiveRecord::RecordInvalid
+      false
     end
 
     if request.xhr?
-      success ? render(json: { bookmarks: { count: current_or_guest_user.bookmarks.count } }) : render(plain: "", status: "500")
+      success ? render(json: { bookmarks: { count: current_or_guest_user.bookmarks.count } }) : render(json: current_or_guest_user.errors.full_messages, status: "500")
     else
       if @bookmarks.any? && success
         flash[:notice] = I18n.t('blacklight.bookmarks.add.success', count: @bookmarks.length)

data/app/helpers/blacklight/blacklight_helper_behavior.rb

@@ -79,7 +79,18 @@ module Blacklight::BlacklightHelperBehavior
   # Render the search navbar
   # @return [String]
   def render_search_bar
-    search_bar_presenter.render
+    if search_bar_presenter_class == Blacklight::SearchBarPresenter && partial_from_blacklight?(Blacklight::SearchBarPresenter.partial)
+      component_class = blacklight_config&.view_config(document_index_view_type)&.search_bar_component || Blacklight::SearchBarComponent
+      component_class.new(
+        url: search_action_url,
+        advanced_search_url: search_action_url(action: 'advanced_search'),
+        params: search_state.params_for_search.except(:qt),
+        search_fields: Deprecation.silence(Blacklight::ConfigurationHelperBehavior) { search_fields },
+        autocomplete_path: search_action_path(action: :suggest)
+      )
+    else
+      search_bar_presenter.render
+    end
   end
   deprecation_deprecate render_search_bar: "Call `render Blacklight::SearchBarComponent.new' instead"
 

data/app/helpers/blacklight/catalog_helper_behavior.rb

@@ -181,6 +181,7 @@ module Blacklight::CatalogHelperBehavior
   def render_document_main_content_partial(_document = @document)
     render partial: 'show_main_content'
   end
+  deprecation_deprecate render_document_main_content_partial: "Use \"render 'show_main_content'\" instead"
 
   ##
   # Should we display the sort and per page widget?

data/app/models/blacklight/icon.rb

@@ -55,7 +55,10 @@ module Blacklight
     def file_source
       raise Blacklight::Exceptions::IconNotFound, "Could not find #{path}" if file.blank?
 
-      file.source.force_encoding('UTF-8')
+      # Handle both Sprockets::Asset and Propshaft::Asset
+      data = file.respond_to?(:source) ? file.source : file.path.read
+
+      data.force_encoding('UTF-8')
     end
 
     def ng_xml
@@ -68,7 +71,10 @@ module Blacklight
       [icon_name, additional_options[:label_context]].compact.join('_')
     end
 
+    # @return [Sprockets::Asset,Propshaft::Asset]
     def file
+      return Rails.application.assets.load_path.find(path) if defined? Propshaft
+
       # Rails.application.assets is `nil` in production mode (where compile assets is enabled).
       # This workaround is based off of this comment: https://github.com/fphilipe/premailer-rails/issues/145#issuecomment-225992564
       (Rails.application.assets || ::Sprockets::Railtie.build_environment(Rails.application)).find_asset(path)

data/app/services/blacklight/search_service.rb

@@ -17,6 +17,10 @@ module Blacklight
       search_builder_class.new(self)
     end
 
+    def search_state_class
+      @search_state.class
+    end
+
     # a solr query method
     # @yield [search_builder] optional block yields configured SearchBuilder, caller can modify or create new SearchBuilder to be used. Block should return SearchBuilder to be used.
     # @return [Blacklight::Solr::Response] the solr response object

data/app/views/catalog/_previous_next_doc.html.erb

@@ -1 +1,2 @@
+<% Deprecation.warn(self, 'The partial _previous_next_doc.html.erb will be removed in 8.0. Render Blacklight::SearchContextComponent instead.') %>
 <%= render(Blacklight::SearchContextComponent.new(search_context: @search_context, search_session: search_session)) %>

data/app/views/catalog/_search_form.html.erb

@@ -1,4 +1,4 @@
-<%= warn "#{__file__} is a deprecated partial." %>
+<%= warn "#{__FILE__} is a deprecated partial." %>
 <%= render((blacklight_config&.view_config(document_index_view_type)&.search_bar_component || Blacklight::SearchBarComponent).new(
       url: search_action_url,
       advanced_search_url: search_action_url(action: 'advanced_search'),

data/app/views/catalog/_show_main_content.html.erb

@@ -1,4 +1,4 @@
-<%= render 'previous_next_doc' if @search_context && search_session['document_id'] == @document.id %>
+<%= render(Blacklight::SearchContextComponent.new(search_context: @search_context, search_session: search_session)) if search_session['document_id'] == @document.id %>
 
 <% @page_title = t('blacklight.search.show.title', document_title: Deprecation.silence(Blacklight::BlacklightHelperBehavior) { document_show_html_title }, application_name: application_name).html_safe %>
 <% content_for(:head) { render_link_rel_alternates } %>

data/app/views/catalog/show.html.erb

@@ -5,7 +5,7 @@
   </div>
 <% end %>
 
-<%= render_document_main_content_partial %>
+<%= render 'show_main_content' %>
 
 <% content_for(:sidebar) do %>
   <%= render_document_sidebar_partial @document %>

data/blacklight.gemspec

@@ -33,6 +33,7 @@ Gem::Specification.new do |s|
   s.add_dependency "i18n", '>= 1.7.0' # added named parameters
   s.add_dependency "ostruct", '>= 0.3.2'
   s.add_dependency "view_component", '~> 2.43'
+  s.add_dependency 'hashdiff'
 
   s.add_development_dependency "rsolr", ">= 1.0.6", "< 3"  # Library for interacting with rSolr.
   s.add_development_dependency "rspec-rails", "~> 5.0"

data/lib/blacklight/configuration.rb

@@ -296,7 +296,7 @@ module Blacklight
     property :enable_search_bar_autofocus, default: false
 
     BASIC_SEARCH_PARAMETERS = [:q, :qt, :page, :per_page, :search_field, :sort, :controller, :action, :'facet.page', :'facet.prefix', :'facet.sort', :rows, :format].freeze
-    ADVANCED_SEARCH_PARAMETERS = [:clause, :op].freeze
+    ADVANCED_SEARCH_PARAMETERS = [{ clause: {} }, :op].freeze
     # List the request parameters that compose the SearchState.
     # If you use a plugin that adds to the search state, then you can add the parameters
     # by modifiying this field.
@@ -305,6 +305,13 @@ module Blacklight
     # @return [Array<Symbol>]
     property :search_state_fields, default: BASIC_SEARCH_PARAMETERS + ADVANCED_SEARCH_PARAMETERS
 
+    # Have SearchState filter out unknown request parameters
+    #
+    # @!attribute filter_search_state_fields
+    # @since v8.0.0
+    # @return [Boolean]
+    property :filter_search_state_fields, default: false
+
     ##
     # Create collections of solr field configurations.
     # This will create array-like accessor methods for

data/lib/blacklight/parameters.rb

@@ -1,6 +1,11 @@
 # frozen_string_literal: true
+
+require 'hashdiff'
+
 module Blacklight
-  module Parameters
+  class Parameters
+    extend Deprecation
+
     ##
     # Sanitize the search parameters by removing unnecessary parameters
     # from the provided parameters.
@@ -9,5 +14,96 @@ module Blacklight
       params.reject { |_k, v| v.nil? }
             .except(:action, :controller, :id, :commit, :utf8)
     end
+
+    # rubocop:disable Naming/MethodParameterName
+    # Merge two Rails strong_params-style permissions into a single list of permitted parameters,
+    # deep-merging complex values as needed.
+    # @param [Array<Symbol, Hash>] a
+    # @param [Array<Symbol, Hash>] b
+    # @return [Array<Symbol, Hash>]
+    def self.deep_merge_permitted_params(a, b)
+      a = [a] if a.is_a? Hash
+      b = [b] if b.is_a? Hash
+
+      complex_params_from_a, scalar_params_from_a = a.flatten.uniq.partition { |x| x.is_a? Hash }
+      complex_params_from_a = complex_params_from_a.inject({}) { |tmp, h| _deep_merge_permitted_param_hashes(h, tmp) }
+      complex_params_from_b, scalar_params_from_b = b.flatten.uniq.partition { |x| x.is_a? Hash }
+      complex_params_from_b = complex_params_from_b.inject({}) { |tmp, h| _deep_merge_permitted_param_hashes(h, tmp) }
+
+      (scalar_params_from_a + scalar_params_from_b + [_deep_merge_permitted_param_hashes(complex_params_from_a, complex_params_from_b)]).reject(&:blank?).uniq
+    end
+
+    private_class_method def self._deep_merge_permitted_param_hashes(h1, h2)
+      h1.merge(h2) do |_key, old_value, new_value|
+        if (old_value.is_a?(Hash) && old_value.empty?) || (new_value.is_a?(Hash) && new_value.empty?)
+          {}
+        elsif old_value.is_a?(Hash) && new_value.is_a?(Hash)
+          _deep_merge_permitted_param_hashes(old_value, new_value)
+        elsif old_value.is_a?(Array) || new_value.is_a?(Array)
+          deep_merge_permitted_params(old_value, new_value)
+        else
+          new_value
+        end
+      end
+    end
+    # rubocop:enable Naming/MethodParameterName
+
+    attr_reader :params, :search_state
+
+    delegate :blacklight_config, :filter_fields, to: :search_state
+
+    def initialize(params, search_state)
+      @params = params.is_a?(Hash) ? params.with_indifferent_access : params
+      @search_state = search_state
+    end
+
+    # @param [Hash] params with unknown structure (not declared in the blacklight config or filters) stripped out
+    def permit_search_params
+      # if the parameters were generated internally, we can (probably) trust that they're fine
+      return params unless params.is_a?(ActionController::Parameters)
+
+      # if the parameters were permitted already, we should be able to trust them
+      return params if params.permitted?
+
+      permitted_params = filter_fields.inject(blacklight_config.search_state_fields) do |allowlist, filter|
+        Blacklight::Parameters.deep_merge_permitted_params(allowlist, filter.permitted_params)
+      end
+
+      deep_unmangle_params!(params, permitted_params)
+
+      if blacklight_config.filter_search_state_fields
+        params.permit(*permitted_params)
+      else
+        warn_about_deprecated_parameter_handling(params, permitted_params)
+        params.deep_dup.permit!
+      end
+    end
+
+    private
+
+    def warn_about_deprecated_parameter_handling(params, permitted_params)
+      diff = Hashdiff.diff(params.to_unsafe_h, params.permit(*permitted_params).to_h)
+      return if diff.empty?
+
+      Deprecation.warn(Blacklight::Parameters, "Blacklight 8 will filter out non-search parameter, including: #{diff.map { |_op, key, *| key }.to_sentence}")
+    end
+
+    # Facebook's crawler turns array query parameters into a hash with numeric keys. Once we know
+    # the expected parameter structure, we can unmangle those parameters to match our expected values.
+    def deep_unmangle_params!(params, permitted_params)
+      permitted_params.select { |p| p.is_a?(Hash) }.each do |permission|
+        permission.each do |key, permitted_value|
+          if params[key].is_a?(ActionController::Parameters) && permitted_value.is_a?(Hash)
+            deep_unmangle_params!(params[key], [permitted_value])
+          elsif permitted_value.is_a?(Array) && permitted_value.empty?
+            if params[key].is_a?(ActionController::Parameters) && params[key]&.keys&.all? { |k| k.to_s =~ /\A\d+\z/ }
+              params[key] = params[key].values
+            elsif params[key].is_a?(String)
+              params[key] = Array(params[key])
+            end
+          end
+        end
+      end
+    end
   end
 end

data/lib/blacklight/search_builder.rb

@@ -27,7 +27,8 @@ module Blacklight
       end
 
       @blacklight_params = {}
-      @search_state = Blacklight::SearchState.new(@blacklight_params, @scope&.blacklight_config, @scope)
+      search_state_class = @scope&.search_state_class || Blacklight::SearchState
+      @search_state = search_state_class.new(@blacklight_params, @scope&.blacklight_config, @scope)
       @additional_filters = {}
       @merged_params = {}
       @reverse_merged_params = {}
@@ -48,7 +49,7 @@ module Blacklight
       Deprecation.warn(Blacklight::SearchBuilder, "SearchBuilder#where must be called with a hash, received #{conditions.inspect}.") unless conditions.is_a? Hash
       params_will_change!
       @search_state = @search_state.reset(@search_state.params.merge(q: conditions))
-      @blacklight_params = @search_state.params.dup
+      @blacklight_params = @search_state.params
       @additional_filters = conditions
       self
     end

data/lib/blacklight/search_state/filter_field.rb

@@ -159,12 +159,18 @@ module Blacklight
         end
       end
 
-      def needs_normalization?(value_params)
-        value_params&.is_a?(Hash) && value_params != Blacklight::SearchState::FilterField::MISSING
-      end
-
-      def normalize(value_params)
-        needs_normalization?(value_params) ? value_params.values : value_params
+      def permitted_params
+        if config.pivot
+          {
+            filters_key => config.pivot.each_with_object({}) { |key, filter| filter.merge(key => [], "-#{key}" => []) },
+            inclusive_filters_key => config.pivot.each_with_object({}) { |key, filter| filter.merge(key => []) }
+          }
+        else
+          {
+            filters_key => { config.key => [], "-#{config.key}" => [] },
+            inclusive_filters_key => { config.key => [] }
+          }
+        end
       end
 
       private

data/lib/blacklight/search_state.rb

@@ -19,71 +19,17 @@ module Blacklight
 
     delegate :facet_configuration_for_field, to: :blacklight_config
 
-    def self.modifiable_params(params)
-      if params.respond_to?(:to_unsafe_h)
-        # This is the typical (not-ActionView::TestCase) code path.
-        params = params.to_unsafe_h
-        # In Rails 5 to_unsafe_h returns a HashWithIndifferentAccess, in Rails 4 it returns Hash
-        params = params.with_indifferent_access if params.instance_of? Hash
-      elsif params.is_a? Hash
-        # This is an ActionView::TestCase workaround for Rails 4.2.
-        params = params.dup.with_indifferent_access
-      else
-        params = params.dup.to_h.with_indifferent_access
-      end
-      params
-    end
-
     # @param [ActionController::Parameters] params
     # @param [Blacklight::Config] blacklight_config
     # @param [ApplicationController] controller used for the routing helpers
     def initialize(params, blacklight_config, controller = nil)
       @blacklight_config = blacklight_config
       @controller = controller
-      @params = SearchState.modifiable_params(params)
-      normalize_params! if needs_normalization?
-    end
-
-    def needs_normalization?
-      return false if params.blank?
-      return true if (params.keys.map(&:to_s) - permitted_fields.map(&:to_s)).present?
-
-      !!filters.detect { |filter| filter.values.detect { |value| filter.needs_normalization?(value) } }
-    end
-
-    def normalize_params!
-      @params = normalize_params
-    end
-
-    def normalize_params
-      return params unless needs_normalization?
-
-      base_params = params.slice(*blacklight_config.search_state_fields)
-      normal_state = blacklight_config.facet_fields.each_value.inject(reset(base_params)) do |working_state, filter_key|
-        f = filter(filter_key)
-        next working_state unless f.any?
-
-        filter_values = f.values(except: [:inclusive_filters]).inject([]) do |memo, filter_value|
-          # flatten arrays that had been mangled into integer-indexed hashes
-          memo.concat([f.normalize(filter_value)].flatten)
-        end
-        filter_values = f.values(except: [:filters, :missing]).inject(filter_values) do |memo, filter_value|
-          memo << f.normalize(filter_value)
-        end
-        filter_values.inject(working_state) do |memo, filter_value|
-          memo.filter(filter_key).add(filter_value)
-        end
-      end
-      normal_state.params
-    end
-
-    def permitted_fields
-      filter_keys = filter_fields.inject(Set.new) { |memo, filter| memo.merge [filter.filters_key, filter.inclusive_filters_key] }
-      blacklight_config.search_state_fields + filter_keys.subtract([nil, '']).to_a
+      @params = Blacklight::Parameters.new(params, self).permit_search_params.to_h.with_indifferent_access
     end
 
     def to_hash
-      @params.deep_dup
+      params.deep_dup
     end
     alias to_h to_hash
 
@@ -132,7 +78,7 @@ module Blacklight
 
     # @return [Blacklight::SearchState]
     def reset(params = nil)
-      self.class.new(params || ActionController::Parameters.new, blacklight_config, controller)
+      self.class.new(params || {}, blacklight_config, controller)
     end
 
     # @return [Blacklight::SearchState]
@@ -162,6 +108,10 @@ module Blacklight
       p
     end
 
+    def filter_fields
+      blacklight_config.facet_fields.each_value.map { |value| filter(value) }
+    end
+
     def filters
       @filters ||= filter_fields.select(&:any?)
     end
@@ -192,7 +142,7 @@ module Blacklight
     # catalog/index with their new facet choice.
     def add_facet_params_and_redirect(field, item)
       new_params = Deprecation.silence(self.class) do
-        add_facet_params(field, item)
+        add_facet_params(field, item).to_h.with_indifferent_access
       end
 
       # Delete any request params from facet-specific action, needed
@@ -229,7 +179,7 @@ module Blacklight
     # @yield [params] The merged parameters hash before being sanitized
     def params_for_search(params_to_merge = {})
       # params hash we'll return
-      my_params = params.dup.merge(self.class.new(params_to_merge, blacklight_config, controller))
+      my_params = to_h.merge(self.class.new(params_to_merge, blacklight_config, controller))
 
       if block_given?
         yield my_params
@@ -297,11 +247,7 @@ module Blacklight
     # and need to be reset when e.g. constraints change
     # @return [ActionController::Parameters]
     def reset_search_params
-      Parameters.sanitize(params).except(:page, :counter)
-    end
-
-    def filter_fields
-      blacklight_config.facet_fields.each_value.map { |value| filter(value) }
+      Parameters.sanitize(to_h).except(:page, :counter)
     end
   end
 end

data/spec/controllers/bookmarks_controller_spec.rb

@@ -24,7 +24,8 @@ RSpec.describe BookmarksController do
       allow(@controller).to receive_message_chain(:current_or_guest_user, :existing_bookmark_for).and_return(false)
       allow(@controller).to receive_message_chain(:current_or_guest_user, :persisted?).and_return(true)
       allow(@controller).to receive_message_chain(:current_or_guest_user, :bookmarks, :where, :exists?).and_return(false)
-      allow(@controller).to receive_message_chain(:current_or_guest_user, :bookmarks, :create).and_return(false)
+      allow(@controller).to receive_message_chain(:current_or_guest_user, :bookmarks, :create!).and_raise(ActiveRecord::RecordInvalid)
+      allow(@controller).to receive_message_chain(:current_or_guest_user, :errors, :full_messages).and_return([1])
       put :update, xhr: true, params: { id: 'iamabooboo', format: :js }
       expect(response.code).to eq "500"
     end

data/spec/helpers/blacklight/render_constraints_helper_behavior_spec.rb

@@ -27,7 +27,7 @@ RSpec.describe Blacklight::RenderConstraintsHelperBehavior do
     let(:params) { ActionController::Parameters.new(q: 'foobar', f: { type: 'journal' }) }
 
     it "has a link relative to the current url" do
-      expect(subject).to have_link 'Remove constraint', href: '/catalog?f%5Btype%5D=journal'
+      expect(subject).to have_link 'Remove constraint', href: '/catalog?f%5Btype%5D%5B%5D=journal'
     end
   end
 

data/spec/lib/blacklight/parameters_spec.rb

@@ -21,4 +21,91 @@ RSpec.describe Blacklight::Parameters do
       end
     end
   end
+
+  describe '.deep_merge_permitted_params' do
+    it 'merges scalar values' do
+      expect(described_class.deep_merge_permitted_params([:a], [:b])).to eq [:a, :b]
+    end
+
+    it 'appends complex values' do
+      expect(described_class.deep_merge_permitted_params([:a], { b: [] })).to eq [:a, { b: [] }]
+    end
+
+    it 'merges lists of scalar values' do
+      expect(described_class.deep_merge_permitted_params({ f: [:a, :b] }, { f: [:b, :c] })).to eq [{ f: [:a, :b, :c] }]
+    end
+
+    it 'merges complex value data structures' do
+      expect(described_class.deep_merge_permitted_params([{ f: { field1: [] } }], { f: { field2: [] } })).to eq [{ f: { field1: [], field2: [] } }]
+    end
+
+    it 'takes the most permissive value' do
+      expect(described_class.deep_merge_permitted_params([{ f: {} }], { f: { field2: [] } })).to eq [{ f: {} }]
+      expect(described_class.deep_merge_permitted_params([{ f: {} }], { f: [:some_value] })).to eq [{ f: {} }]
+    end
+  end
+
+  describe '#permit_search_params' do
+    subject(:params) { described_class.new(query_params, search_state) }
+
+    let(:query_params) { ActionController::Parameters.new(a: 1, b: 2, c: []) }
+    let(:search_state) { Blacklight::SearchState.new(query_params, blacklight_config) }
+    let(:blacklight_config) { Blacklight::Configuration.new }
+
+    context 'with facebooks badly mangled query parameters' do
+      let(:query_params) do
+        ActionController::Parameters.new(
+          f: { field: { '0': 'first', '1': 'second' } },
+          f_inclusive: { field: { '0': 'first', '1': 'second' } }
+        )
+      end
+
+      before do
+        blacklight_config.add_facet_field 'field'
+      end
+
+      it 'normalizes the facets to the expected format' do
+        expect(params.permit_search_params.to_h.with_indifferent_access).to include f: { field: %w[first second] }, f_inclusive: { field: %w[first second] }
+      end
+    end
+
+    context 'with filter_search_state_fields set to false' do
+      let(:blacklight_config) { Blacklight::Configuration.new(filter_search_state_fields: false) }
+
+      it 'allows all params, but warns about the behavior' do
+        allow(Deprecation).to receive(:warn)
+        expect(params.permit_search_params.to_h.with_indifferent_access).to include(a: 1, b: 2, c: [])
+
+        expect(Deprecation).to have_received(:warn).with(described_class, /including: a, b, and c/).at_least(:once)
+      end
+    end
+
+    context 'with filter_search_state_fields set to true' do
+      let(:blacklight_config) { Blacklight::Configuration.new(filter_search_state_fields: true) }
+
+      it 'rejects unknown params' do
+        expect(params.permit_search_params.to_h).to be_empty
+      end
+
+      context 'with some search parameters' do
+        let(:query_params) { ActionController::Parameters.new(q: 'abc', page: 5, f: { facet_field: %w[a b], unknown_field: ['a'] }) }
+
+        before do
+          blacklight_config.add_facet_field 'facet_field'
+        end
+
+        it 'allows scalar params' do
+          expect(params.permit_search_params.to_h.with_indifferent_access).to include(q: 'abc', page: 5)
+        end
+
+        it 'allows facet params' do
+          expect(params.permit_search_params.to_h.with_indifferent_access).to include(f: { facet_field: %w[a b] })
+        end
+
+        it 'removes unknown facet fields parameters' do
+          expect(params.permit_search_params.to_h.with_indifferent_access[:f]).not_to include(:unknown_field)
+        end
+      end
+    end
+  end
 end

data/spec/lib/blacklight/search_state/filter_field_spec.rb

@@ -6,6 +6,7 @@ RSpec.describe Blacklight::SearchState::FilterField do
   let(:params) { { f: { some_field: %w[1 2], another_field: ['3'] } } }
   let(:blacklight_config) do
     Blacklight::Configuration.new.configure do |config|
+      config.add_facet_field 'new_field'
       config.add_facet_field 'another_field', single: true
       simple_facet_fields.each { |simple_facet_field| config.add_facet_field simple_facet_field }
       config.search_state_fields = config.search_state_fields + additional_search_fields
@@ -23,14 +24,6 @@ RSpec.describe Blacklight::SearchState::FilterField do
       expect(new_state.filter('some_field').values).to eq %w[1 2 4]
     end
 
-    it 'creates new parameter as needed' do
-      filter = search_state.filter('unknown_field')
-      new_state = filter.add('4')
-
-      expect(new_state.filter('unknown_field').values).to eq %w[4]
-      expect(new_state.params[:f]).to include(:unknown_field)
-    end
-
     context 'without any parameters in the url' do
       let(:params) { {} }
 
@@ -205,10 +198,4 @@ RSpec.describe Blacklight::SearchState::FilterField do
       expect(search_state.filter('some_field').include?(OpenStruct.new(value: '1'))).to eq true
     end
   end
-
-  describe '#needs_normalization?' do
-    it 'returns false for Blacklight::SearchState::FilterField::MISSING' do
-      expect(search_state.filter('some_field').needs_normalization?(Blacklight::SearchState::FilterField::MISSING)).to be false
-    end
-  end
 end

data/spec/lib/blacklight/search_state_spec.rb

@@ -54,19 +54,6 @@ RSpec.describe Blacklight::SearchState do
       end
     end
 
-    context 'with facebooks badly mangled query parameters' do
-      let(:simple_facet_fields) { [:field] }
-      let(:params) do
-        { f: { field: { '0': 'first', '1': 'second' } },
-          f_inclusive: { field: { '0': 'first', '1': 'second' } } }
-      end
-
-      it 'normalizes the facets to the expected format' do
-        expect(search_state.to_h).to include f: { field: %w[first second] }
-        expect(search_state.to_h).to include f_inclusive: { field: %w[first second] }
-      end
-    end
-
     context 'deleting item from to_h' do
       let(:additional_search_fields) { [:q_1] }
       let(:params) { { q: 'foo', q_1: 'bar' } }
@@ -81,7 +68,7 @@ RSpec.describe Blacklight::SearchState do
     end
 
     context 'deleting deep item from to_h' do
-      let(:additional_search_fields) { [:foo] }
+      let(:additional_search_fields) { [{ foo: {} }] }
       let(:params) { { foo: { bar: [] } } }
 
       it 'does not mutate search_state to deep mutate search_state.to_h' do

data/spec/models/blacklight/search_builder_spec.rb

@@ -5,7 +5,7 @@ RSpec.describe Blacklight::SearchBuilder, api: true do
 
   let(:processor_chain) { [] }
   let(:blacklight_config) { Blacklight::Configuration.new }
-  let(:scope) { double blacklight_config: blacklight_config }
+  let(:scope) { double blacklight_config: blacklight_config, search_state_class: nil }
 
   context "with default processor chain" do
     subject { described_class.new scope }
@@ -15,6 +15,15 @@ RSpec.describe Blacklight::SearchBuilder, api: true do
     end
   end
 
+  context "with scope search_state_class" do
+    let(:state_class) { Class.new(Blacklight::SearchState) }
+    let(:scope) { double blacklight_config: blacklight_config, search_state_class: state_class }
+
+    it "uses the class-level default_processor_chain" do
+      expect(subject.search_state).to be_a state_class
+    end
+  end
+
   describe "#with" do
     it "sets the blacklight params" do
       params = {}

data/spec/models/blacklight/solr/search_builder_spec.rb

@@ -216,7 +216,9 @@ RSpec.describe Blacklight::Solr::SearchBuilderBehavior, api: true do
         expect(subject["spellcheck.q"]).to be_blank
 
         single_facet.each_value do |value|
-          expect(subject[:fq]).to include("{!term f=#{single_facet.keys[0]}}#{value}")
+          Array(value).each do |v|
+            expect(subject[:fq]).to include("{!term f=#{single_facet.keys[0]}}#{v}")
+          end
         end
       end
     end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: blacklight
 version: !ruby/object:Gem::Version
-  version: 7.25.1
+  version: 7.25.2
 platform: ruby
 authors:
 - Jonathan Rochkind
@@ -17,7 +17,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2022-05-05 00:00:00.000000000 Z
+date: 2022-05-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -137,6 +137,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.43'
+- !ruby/object:Gem::Dependency
+  name: hashdiff
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rsolr
   requirement: !ruby/object:Gem::Requirement