blazer 2.5.0 → 2.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fad6bd2d76ea45a8ec72956177648848a6dede796354a01f27359b4cb7cfeedb
-  data.tar.gz: a8f81985d77b110c850d421ac86376bbf71cf5f2b318cfea496e8cedb1f1a108
+  metadata.gz: 8bdfc1e428f7e01bf9a06461a5f0143a6e940cd1e3d708ba2bd504132bbaa1db
+  data.tar.gz: 729e9a408e7f4fa5203ab4c133800e49087fccf634efcf7c9dd6ca80a610a861
 SHA512:
-  metadata.gz: 6fd612ec162dc5b6a23ef1f6b3580da0de7f1cec8788520557e8a25ef0bdf4337df775b0cacb4e292003e1a4565460c411a67951a5ea27048a994fb1178463d7
-  data.tar.gz: 4a5e760ca38fb96fa54df64469f3fd3223d6b23698da0491c43dc8bc3ef92f7f83b14bea028821ba5708adf209bc147975edaf6d4dc76ecb5916d51905e7f2f0
+  metadata.gz: e6c7a7be80246c1030170a5df95656947b2431cf908bb6d37d668cbe3f57006ef096d63186976c63c683f0e2511873cabb5d2be56e389de331487666ba297dc3
+  data.tar.gz: 9feb70216244f77d37357376cd68b9ec85a6d3eeb3c89f3e58196688e81618ca2ae38372e5491e0811bdd7d9e0082317a711040f5782cc54f5d9f99ec57d624a

data/CHANGELOG.md

@@ -1,3 +1,10 @@
+## 2.6.0 (2022-04-20)
+
+- Fixed quoting issue with variables
+- Custom adapters now need to specify how to quote variables in queries
+- Added experimental support for Propshaft
+- Fixed error with empty results with InfluxDB
+
 ## 2.5.0 (2022-01-04)
 
 - Added support for Slack OAuth tokens

data/README.md

@@ -61,7 +61,7 @@ For production, specify your database:
 ENV["BLAZER_DATABASE_URL"] = "postgres://user:password@hostname:5432/database"
 ```
 
-Blazer tries to protect against queries which modify data (by running each query in a transaction and rolling it back), but a safer approach is to use a read-only user. [See how to create one](#permissions).
+When possible, Blazer tries to protect against queries which modify data by running each query in a transaction and rolling it back, but a safer approach is to use a read-only user. [See how to create one](#permissions).
 
 #### Checks (optional)
 
@@ -144,11 +144,9 @@ Be sure to render or redirect for unauthorized users.
 
 ## Permissions
 
-Blazer runs each query in a transaction and rolls it back to prevent queries from modifying data. As an additional line of defense, we recommend using a read only user.
-
 ### PostgreSQL
 
-Create a user with read only permissions:
+Create a user with read-only permissions:
 
 ```sql
 BEGIN;
@@ -162,7 +160,7 @@ COMMIT;
 
 ### MySQL
 
-Create a user with read only permissions:
+Create a user with read-only permissions:
 
 ```sql
 GRANT SELECT, SHOW VIEW ON database_name.* TO blazer@’127.0.0.1′ IDENTIFIED BY ‘secret123‘;
@@ -171,7 +169,7 @@ FLUSH PRIVILEGES;
 
 ### MongoDB
 
-Create a user with read only permissions:
+Create a user with read-only permissions:
 
 ```
 db.createUser({user: "blazer", pwd: "password", roles: ["read"]})
@@ -656,6 +654,8 @@ data_sources:
     url: redshift://user:password@hostname:5439/database
 ```
 
+Use a [read-only user](https://docs.aws.amazon.com/redshift/latest/dg/r_GRANT.html).
+
 ### Apache Drill
 
 Add [drill-sergeant](https://github.com/ankane/drill-sergeant) to your Gemfile and set:
@@ -667,6 +667,8 @@ data_sources:
     url: http://hostname:8047
 ```
 
+Use a [read-only user](https://drill.apache.org/docs/roles-and-privileges/).
+
 ### Apache Hive
 
 Add [hexspace](https://github.com/ankane/hexspace) to your Gemfile and set:
@@ -690,6 +692,8 @@ data_sources:
     url: ignite://user:password@hostname:10800
 ```
 
+Use a [read-only user](https://www.gridgain.com/docs/latest/administrators-guide/security/authorization-permissions) (requires a third-party plugin).
+
 ### Apache Spark
 
 Add [hexspace](https://github.com/ankane/hexspace) to your Gemfile and set:
@@ -713,6 +717,8 @@ data_sources:
     url: cassandra://user:password@hostname:9042/keyspace
 ```
 
+Use a [read-only role](https://docs.datastax.com/en/cql-oss/3.3/cql/cql_using/useSecurePermission.html).
+
 ### Druid
 
 Enable [SQL support](http://druid.io/docs/latest/querying/sql.html#configuration) on the broker and set:
@@ -724,6 +730,8 @@ data_sources:
     url: http://hostname:8082
 ```
 
+Use a [read-only role](https://druid.apache.org/docs/latest/development/extensions-core/druid-basic-security.html).
+
 ### Elasticsearch
 
 Add [elasticsearch](https://github.com/elastic/elasticsearch-ruby) to your Gemfile and set:
@@ -735,6 +743,8 @@ data_sources:
     url: http://user:password@hostname:9200
 ```
 
+Use a [read-only role](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-privileges.html).
+
 ### Google BigQuery
 
 Add [google-cloud-bigquery](https://github.com/GoogleCloudPlatform/google-cloud-ruby/tree/master/google-cloud-bigquery) to your Gemfile and set:
@@ -757,6 +767,8 @@ data_sources:
     url: ibm-db://user:password@hostname:50000/database
 ```
 
+Use a [read-only user](https://www.ibm.com/support/pages/creating-read-only-database-permissions-user).
+
 ### InfluxDB
 
 Add [influxdb](https://github.com/influxdata/influxdb-ruby) to your Gemfile and set:
@@ -768,7 +780,7 @@ data_sources:
     url: http://user:password@hostname:8086/database
 ```
 
-Supports [InfluxQL](https://docs.influxdata.com/influxdb/v1.8/query_language/explore-data/)
+Use a [read-only user](https://docs.influxdata.com/influxdb/v1.8/administration/authentication_and_authorization/). Supports [InfluxQL](https://docs.influxdata.com/influxdb/v1.8/query_language/explore-data/).
 
 ### MongoDB
 
@@ -782,6 +794,8 @@ data_sources:
     url: mongodb://user:password@hostname:27017/database
 ```
 
+Use a [read-only user](#mongodb).
+
 ### MySQL
 
 Add [mysql2](https://github.com/brianmario/mysql2) to your Gemfile (if it’s not there) and set:
@@ -792,6 +806,8 @@ data_sources:
     url: mysql2://user:password@hostname:3306/database
 ```
 
+Use a [read-only user](#mysql).
+
 ### Neo4j
 
 Add [neo4j-core](https://github.com/neo4jrb/neo4j-core) to your Gemfile and set:
@@ -803,6 +819,8 @@ data_sources:
     url: http://user:password@hostname:7474
 ```
 
+Use a [read-only user](https://neo4j.com/docs/cypher-manual/current/access-control/manage-privileges/).
+
 ### OpenSearch
 
 Add [opensearch-ruby](https://github.com/opensearch-project/opensearch-ruby) to your Gemfile and set:
@@ -814,6 +832,8 @@ data_sources:
     url: http://user:password@hostname:9200
 ```
 
+Use a [read-only user](https://opensearch.org/docs/latest/security-plugin/access-control/permissions/).
+
 ### Oracle
 
 Add [activerecord-oracle_enhanced-adapter](https://github.com/rsim/oracle-enhanced) and [ruby-oci8](https://github.com/kubo/ruby-oci8) to your Gemfile and set:
@@ -824,6 +844,8 @@ data_sources:
     url: oracle-enhanced://user:password@hostname:1521/database
 ```
 
+Use a [read-only user](https://docs.oracle.com/cd/B19306_01/network.102/b14266/authoriz.htm).
+
 ### PostgreSQL
 
 Add [pg](https://github.com/ged/ruby-pg) to your Gemfile (if it’s not there) and set:
@@ -834,6 +856,8 @@ data_sources:
     url: postgres://user:password@hostname:5432/database
 ```
 
+Use a [read-only user](#postgresql).
+
 ### Presto
 
 Add [presto-client](https://github.com/treasure-data/presto-client-ruby) to your Gemfile and set:
@@ -844,6 +868,8 @@ data_sources:
     url: presto://user@hostname:8080/catalog
 ```
 
+Use a [read-only user](https://prestodb.io/docs/current/security/built-in-system-access-control.html).
+
 ### Salesforce
 
 Add [restforce](https://github.com/restforce/restforce) to your Gemfile and set:
@@ -865,7 +891,7 @@ SALESFORCE_CLIENT_SECRET="client secret"
 SALESFORCE_API_VERSION="41.0"
 ```
 
-Supports [SOQL](https://developer.salesforce.com/docs/atlas.en-us.soql_sosl.meta/soql_sosl/sforce_api_calls_soql.htm)
+Use a read-only user. Supports [SOQL](https://developer.salesforce.com/docs/atlas.en-us.soql_sosl.meta/soql_sosl/sforce_api_calls_soql.htm).
 
 ### Socrata Open Data API (SODA)
 
@@ -879,7 +905,7 @@ data_sources:
     app_token: ...
 ```
 
-Supports [SoQL](https://dev.socrata.com/docs/functions/)
+Supports [SoQL](https://dev.socrata.com/docs/functions/).
 
 ### Snowflake
 
@@ -913,6 +939,8 @@ data_sources:
     conn_str: Driver=/path/to/libSnowflake.so;uid=user;pwd=password;server=host.snowflakecomputing.com
 ```
 
+Use a [read-only role](https://docs.snowflake.com/en/user-guide/security-access-control-configure.html).
+
 ### SQLite
 
 Add [sqlite3](https://github.com/sparklemotion/sqlite3-ruby) to your Gemfile and set:
@@ -933,6 +961,8 @@ data_sources:
     url: sqlserver://user:password@hostname:1433/database
 ```
 
+Use a [read-only user](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/getting-started-with-database-engine-permissions?view=sql-server-ver15).
+
 ## Creating an Adapter
 
 Create an adapter for any data store with:
@@ -1009,6 +1039,22 @@ override_csp: true
 
 ## Upgrading
 
+### 2.6
+
+Custom adapters now need to specify how to quote variables in queries (there is no longer a default)
+
+```ruby
+class FooAdapter < Blazer::Adapters::BaseAdapter
+  def quoting
+    :backslash_escape # single quote strings and convert ' to \' and \ to \\
+    # or
+    :single_quote_escape # single quote strings and convert ' to ''
+    # or
+    ->(value) { ... } # custom method
+  end
+end
+```
+
 ### 2.3
 
 To archive queries, create a migration

data/app/assets/stylesheets/blazer/application.css

@@ -1,4 +1,5 @@
 /*
+ *= require ./bootstrap-sprockets
  *= require ./bootstrap
  *= require ./selectize
  *= require ./github

data/app/assets/stylesheets/blazer/bootstrap-propshaft.css

@@ -0,0 +1,10 @@
+/*!
+ * Bootstrap v3.4.1 (https://getbootstrap.com/)
+ * Copyright 2011-2019 Twitter, Inc.
+ * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
+ */
+@font-face {
+  font-family: "Glyphicons Halflings";
+  src: url('/blazer/glyphicons-halflings-regular.eot');
+  src: url('/blazer/glyphicons-halflings-regular.eot?#iefix') format('embedded-opentype'), url('/blazer/glyphicons-halflings-regular.woff2') format('woff2'), url('/blazer/glyphicons-halflings-regular.woff') format('woff'), url('/blazer/glyphicons-halflings-regular.ttf') format('truetype'), url('/blazer/glyphicons-halflings-regular.svg#glyphicons_halflingsregular') format('svg');
+}

data/app/assets/stylesheets/blazer/bootstrap-sprockets.css.erb

@@ -0,0 +1,10 @@
+/*!
+ * Bootstrap v3.4.1 (https://getbootstrap.com/)
+ * Copyright 2011-2019 Twitter, Inc.
+ * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
+ */
+@font-face {
+  font-family: "Glyphicons Halflings";
+  src: url('<%= font_path("blazer/glyphicons-halflings-regular.eot") %>');
+  src: url('<%= font_path("blazer/glyphicons-halflings-regular.eot?#iefix") %>') format('embedded-opentype'), url('<%= font_path("blazer/glyphicons-halflings-regular.woff2") %>') format('woff2'), url('<%= font_path("blazer/glyphicons-halflings-regular.woff") %>') format('woff'), url('<%= font_path("blazer/glyphicons-halflings-regular.ttf") %>') format('truetype'), url('<%= font_path("blazer/glyphicons-halflings-regular.svg#glyphicons_halflingsregular") %>') format('svg');
+}

data/app/assets/stylesheets/blazer/{bootstrap.css.erb → bootstrap.css}

@@ -263,11 +263,6 @@ th {
     border: 1px solid #ddd !important;
   }
 }
-@font-face {
-  font-family: "Glyphicons Halflings";
-  src: url('<%= font_path("blazer/glyphicons-halflings-regular.eot") %>');
-  src: url('<%= font_path("blazer/glyphicons-halflings-regular.eot?#iefix") %>') format('embedded-opentype'), url('<%= font_path("blazer/glyphicons-halflings-regular.woff2") %>') format('woff2'), url('<%= font_path("blazer/glyphicons-halflings-regular.woff") %>') format('woff'), url('<%= font_path("blazer/glyphicons-halflings-regular.ttf") %>') format('truetype'), url('<%= font_path("blazer/glyphicons-halflings-regular.svg#glyphicons_halflingsregular") %>') format('svg');
-}
 .glyphicon {
   position: relative;
   top: 1px;
@@ -6831,4 +6826,3 @@ button.close {
     display: none !important;
   }
 }
-/*# sourceMappingURL=bootstrap.css.map */

data/app/controllers/blazer/base_controller.rb

@@ -32,45 +32,34 @@ module Blazer
 
     private
 
-      def process_vars(statement, data_source)
-        (@bind_vars ||= []).concat(Blazer.extract_vars(statement)).uniq!
+      def process_vars(statement, var_params = nil)
+        var_params ||= request.query_parameters
+        (@bind_vars ||= []).concat(statement.variables).uniq!
+        # update in-place so populated in view and consistent across queries on dashboard
         @bind_vars.each do |var|
-          params[var] ||= Blazer.data_sources[data_source].variable_defaults[var]
-        end
-        @success = @bind_vars.all? { |v| params[v] }
-
-        if @success
-          @bind_vars.each do |var|
-            value = params[var].presence
-            if value
-              if ["start_time", "end_time"].include?(var)
-                value = value.to_s.gsub(" ", "+") # fix for Quip bug
-              end
-
-              if var.end_with?("_at")
-                begin
-                  value = Blazer.time_zone.parse(value)
-                rescue
-                  # do nothing
-                end
-              end
-
-              if value =~ /\A\d+\z/
-                value = value.to_i
-              elsif value =~ /\A\d+\.\d+\z/
-                value = value.to_f
-              end
-            end
-            value = Blazer.transform_variable.call(var, value) if Blazer.transform_variable
-            statement.gsub!("{#{var}}", ActiveRecord::Base.connection.quote(value))
+          if !var_params[var]
+            default = statement.data_source.variable_defaults[var]
+            # only add if default exists
+            var_params[var] = default if default
           end
         end
+        runnable = @bind_vars.all? { |v| var_params[v] }
+        statement.add_values(var_params) if runnable
+        runnable
+      end
+
+      def refresh_query(query)
+        statement = query.statement_object
+        runnable = process_vars(statement)
+        cohort_analysis_statement(statement) if statement.cohort_analysis?
+        statement.clear_cache if runnable
       end
 
       def add_cohort_analysis_vars
         @bind_vars << "cohort_period" unless @bind_vars.include?("cohort_period")
-        @smart_vars["cohort_period"] = ["day", "week", "month"]
-        params[:cohort_period] ||= "week"
+        @smart_vars["cohort_period"] = ["day", "week", "month"] if @smart_vars
+        # TODO create var_params method
+        request.query_parameters["cohort_period"] ||= "week"
       end
 
       def parse_smart_variables(var, data_source)
@@ -94,22 +83,33 @@ module Blazer
         [smart_var, error]
       end
 
-      # don't pass to url helpers
-      #
-      # some are dangerous when passed as symbols
-      # root_url({host: "evilsite.com"})
-      #
-      # certain ones (like host) only affect *_url and not *_path
-      #
-      # when permitted parameters are passed in Rails 6,
-      # they appear to be added as GET parameters
-      # root_url(params.permit(:host))
+      def cohort_analysis_statement(statement)
+        @cohort_period = params["cohort_period"] || "week"
+        @cohort_period = "week" unless ["day", "week", "month"].include?(@cohort_period)
+
+        # for now
+        @conversion_period = @cohort_period
+        @cohort_days =
+          case @cohort_period
+          when "day"
+            1
+          when "week"
+            7
+          when "month"
+            30
+          end
+
+        statement.apply_cohort_analysis(period: @cohort_period, days: @cohort_days)
+      end
+
+      # TODO allow all keys
+      # or show error message for disallowed keys
       UNPERMITTED_KEYS = [:controller, :action, :id, :host, :query, :dashboard, :query_id, :query_ids, :table_names, :authenticity_token, :utf8, :_method, :commit, :statement, :data_source, :name, :fork_query_id, :blazer, :run_id, :script_name, :original_script_name]
 
-      # remove unpermitted keys from both params and permitted keys for better sleep
-      def variable_params(resource)
+      def variable_params(resource, var_params = nil)
         permitted_keys = resource.variables - UNPERMITTED_KEYS.map(&:to_s)
-        params.except(*UNPERMITTED_KEYS).slice(*permitted_keys).permit!
+        var_params ||= request.query_parameters
+        var_params.slice(*permitted_keys)
       end
       helper_method :variable_params
 

data/app/controllers/blazer/dashboards_controller.rb

@@ -21,11 +21,8 @@ module Blazer
 
     def show
       @queries = @dashboard.dashboard_queries.order(:position).preload(:query).map(&:query)
-      @statements = []
       @queries.each do |query|
-        statement = query.statement.dup
-        process_vars(statement, query.data_source)
-        @statements << statement
+        @success = process_vars(query.statement_object)
       end
       @bind_vars ||= []
 
@@ -48,7 +45,7 @@ module Blazer
 
     def update
       if update_dashboard(@dashboard)
-        redirect_to dashboard_path(@dashboard, variable_params(@dashboard))
+        redirect_to dashboard_path(@dashboard, params: variable_params(@dashboard))
       else
         render_errors @dashboard
       end
@@ -61,13 +58,9 @@ module Blazer
 
     def refresh
       @dashboard.queries.each do |query|
-        data_source = Blazer.data_sources[query.data_source]
-        statement = query.statement.dup
-        process_vars(statement, query.data_source)
-        Blazer.transform_statement.call(data_source, statement) if Blazer.transform_statement
-        data_source.clear_cache(statement)
+        refresh_query(query)
       end
-      redirect_to dashboard_path(@dashboard, variable_params(@dashboard))
+      redirect_to dashboard_path(@dashboard, params: variable_params(@dashboard))
     end
 
     private

data/app/controllers/blazer/queries_controller.rb

@@ -52,29 +52,26 @@ module Blazer
       @query.status = "active" if @query.respond_to?(:status)
 
       if @query.save
-        redirect_to query_path(@query, variable_params(@query))
+        redirect_to query_path(@query, params: variable_params(@query))
       else
         render_errors @query
       end
     end
 
     def show
-      @statement = @query.statement.dup
-      process_vars(@statement, @query.data_source)
+      @statement = @query.statement_object
+      @success = process_vars(@statement)
 
       @smart_vars = {}
       @sql_errors = []
-      data_source = Blazer.data_sources[@query.data_source]
       @bind_vars.each do |var|
-        smart_var, error = parse_smart_variables(var, data_source)
+        smart_var, error = parse_smart_variables(var, @statement.data_source)
         @smart_vars[var] = smart_var if smart_var
         @sql_errors << error if error
       end
 
       @query.update!(status: "active") if @query.respond_to?(:status) && @query.status.in?(["archived", nil])
 
-      Blazer.transform_statement.call(data_source, @statement) if Blazer.transform_statement
-
       add_cohort_analysis_vars if @query.cohort_analysis?
     end
 
@@ -82,17 +79,24 @@ module Blazer
     end
 
     def run
-      @statement = params[:statement]
-      # before process_vars
-      @cohort_analysis = Query.new(statement: @statement).cohort_analysis?
-      data_source = params[:data_source]
-      process_vars(@statement, data_source)
-      @only_chart = params[:only_chart]
-      @run_id = blazer_params[:run_id]
       @query = Query.find_by(id: params[:query_id]) if params[:query_id]
+
+      # use query data source when present
+      # need to update viewable? logic below if this changes
       data_source = @query.data_source if @query && @query.data_source
+      data_source ||= params[:data_source]
       @data_source = Blazer.data_sources[data_source]
 
+      @statement = Blazer::Statement.new(params[:statement], @data_source)
+      # before process_vars
+      @cohort_analysis = @statement.cohort_analysis?
+
+      # fallback for now for users with open tabs
+      @var_params = request.request_parameters["variables"] || request.request_parameters
+      @success = process_vars(@statement, @var_params)
+      @only_chart = params[:only_chart]
+      @run_id = blazer_params[:run_id]
+
       run_cohort_analysis if @cohort_analysis
 
       # ensure viewable
@@ -128,7 +132,7 @@ module Blazer
 
         options = {user: blazer_user, query: @query, refresh_cache: params[:check], run_id: @run_id, async: Blazer.async}
         if Blazer.async && request.format.symbol != :csv
-          Blazer::RunStatementJob.perform_later(@data_source.id, @statement, options)
+          Blazer::RunStatementJob.perform_later(@data_source.id, @statement.statement, options.merge(values: @statement.values))
           wait_start = Time.now
           loop do
             sleep(0.1)
@@ -136,7 +140,7 @@ module Blazer
             break if @result || Time.now - wait_start > 3
           end
         else
-          @result = Blazer::RunStatement.new.perform(@data_source, @statement, options)
+          @result = Blazer::RunStatement.new.perform(@statement, options)
         end
 
         if @result
@@ -166,13 +170,8 @@ module Blazer
     end
 
     def refresh
-      data_source = Blazer.data_sources[@query.data_source]
-      @statement = @query.statement.dup
-      process_vars(@statement, @query.data_source)
-      Blazer.transform_statement.call(data_source, @statement) if Blazer.transform_statement
-      @statement = cohort_analysis_statement(data_source, @statement) if @query.cohort_analysis?
-      data_source.clear_cache(@statement)
-      redirect_to query_path(@query, variable_params(@query))
+      refresh_query(@query)
+      redirect_to query_path(@query, params: variable_params(@query))
     end
 
     def update
@@ -185,7 +184,7 @@ module Blazer
         @query.errors.add(:base, "Sorry, permission denied")
       end
       if @query.errors.empty? && @query.update(query_params)
-        redirect_to query_path(@query, variable_params(@query))
+        redirect_to query_path(@query, params: variable_params(@query))
       else
         render_errors @query
       end
@@ -282,6 +281,9 @@ module Blazer
             render layout: false
           end
           format.csv do
+            # not ideal, but useful for testing
+            raise Error, @error if @error && Rails.env.test?
+
             send_data csv_data(@columns, @rows, @data_source), type: "text/csv; charset=utf-8; header=present", disposition: "attachment; filename=\"#{@query.try(:name).try(:parameterize).presence || 'query'}.csv\""
           end
         end
@@ -363,34 +365,12 @@ module Blazer
       end
 
       def run_cohort_analysis
-        unless @data_source.supports_cohort_analysis?
+        unless @statement.data_source.supports_cohort_analysis?
           @cohort_error = "This data source does not support cohort analysis"
         end
 
         @show_cohort_rows = !params[:query_id] || @cohort_error
-
-        unless @show_cohort_rows
-          @statement = cohort_analysis_statement(@data_source, @statement)
-        end
-      end
-
-      def cohort_analysis_statement(data_source, statement)
-        @cohort_period = params["cohort_period"] || "week"
-        @cohort_period = "week" unless ["day", "week", "month"].include?(@cohort_period)
-
-        # for now
-        @conversion_period = @cohort_period
-        @cohort_days =
-          case @cohort_period
-          when "day"
-            1
-          when "week"
-            7
-          when "month"
-            30
-          end
-
-        data_source.cohort_analysis_statement(statement, period: @cohort_period, days: @cohort_days)
+        cohort_analysis_statement(@statement) unless @show_cohort_rows
       end
 
       def render_cohort_analysis

data/app/models/blazer/query.rb

@@ -35,13 +35,19 @@ module Blazer
     end
 
     def variables
-      variables = Blazer.extract_vars(statement)
+      # don't require data_source to be loaded
+      variables = Statement.new(statement).variables
       variables += ["cohort_period"] if cohort_analysis?
       variables
     end
 
     def cohort_analysis?
-      /\/\*\s*cohort analysis\s*\*\//i.match?(statement)
+      # don't require data_source to be loaded
+      Statement.new(statement).cohort_analysis?
+    end
+
+    def statement_object
+      Statement.new(statement, data_source)
     end
   end
 end

data/app/views/blazer/_variables.html.erb

@@ -1,4 +1,5 @@
 <% if @bind_vars.any? %>
+  <% var_params = request.query_parameters %>
   <script>
     <%= blazer_js_var "timeZone", Blazer.time_zone.tzinfo.name %>
     var now = moment.tz(timeZone)
@@ -19,14 +20,14 @@
     <% @bind_vars.each_with_index do |var, i| %>
       <%= label_tag var, var %>
       <% if (data = @smart_vars[var]) %>
-        <%= select_tag var, options_for_select([[nil, nil]] + data, selected: params[var]), style: "margin-right: 20px; width: 200px; display: none;" %>
+        <%= select_tag var, options_for_select([[nil, nil]] + data, selected: var_params[var]), style: "margin-right: 20px; width: 200px; display: none;" %>
         <script>
           $("#<%= var %>").selectize({
             create: true
           });
         </script>
       <% elsif var.end_with?("_at") || var == "start_time" || var == "end_time" %>
-        <%= hidden_field_tag var, params[var] %>
+        <%= hidden_field_tag var, var_params[var] %>
 
         <div class="selectize-control single" style="width: 200px;">
           <div id="<%= var %>-select" class="selectize-input" style="display: inline-block;">
@@ -58,13 +59,13 @@
           })()
         </script>
       <% else %>
-        <%= text_field_tag var, params[var], style: "width: 120px; margin-right: 20px;", autofocus: i == 0 && !var.end_with?("_at") && !params[var], class: "form-control" %>
+        <%= text_field_tag var, var_params[var], style: "width: 120px; margin-right: 20px;", autofocus: i == 0 && !var.end_with?("_at") && !var_params[var], class: "form-control" %>
       <% end %>
     <% end %>
 
     <% if date_vars %>
       <% date_vars.each do |var| %>
-        <%= hidden_field_tag var, params[var] %>
+        <%= hidden_field_tag var, var_params[var] %>
       <% end %>
 
       <%= label_tag nil, date_vars.join(" & ") %>

data/app/views/blazer/dashboards/_form.html.erb

@@ -1,4 +1,4 @@
-<%= form_for @dashboard, url: (@dashboard.persisted? ? dashboard_path(@dashboard, variable_params(@dashboard)) : dashboards_path(variable_params(@dashboard))), html: {id: "app", class: "small-form"} do |f| %>
+<%= form_for @dashboard, url: (@dashboard.persisted? ? dashboard_path(@dashboard, params: variable_params(@dashboard)) : dashboards_path(params: variable_params(@dashboard))), html: {id: "app", class: "small-form"} do |f| %>
   <% if @dashboard.errors.any? %>
     <div class="alert alert-danger"><%= @dashboard.errors.full_messages.first %></div>
   <% end %>