paper_trail 4.0.1 → 4.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 047fe27b3f2154c19030502f4d129dcdd2873146
-  data.tar.gz: 6b6f268b260b459e0e6df8340ec9d33cb5c07824
+  metadata.gz: 8a92875e074ba53155be9597997716e75f2dfa33
+  data.tar.gz: b87bb9cad5f094f61957c287e4a27db3cff0d5d1
 SHA512:
-  metadata.gz: 49c10975deb4b0f20617b4b770a1f6b99d2980df4072dd71da1dc48c7da85e409c6eeadcbfcc74f86f239b320e7ae73f6d7d2f72971439a39330d6f353b9f33e
-  data.tar.gz: 3ecddc1755c7d139e04716582bbe136163605eb33354acaf7e520bc0178dfe7c9d184c8f673f4bb744440c4e7113a58017c6de4fca9262ff99575bee764d804d
+  metadata.gz: f5e16e1229742e460df8c0d1c6315a8207653f756b5df16d88b82e17ae07530260a0dab228afc894aeb3dcc765a7aa15f2b1b46f9366364abbba1bcb12ed61f5
+  data.tar.gz: e5a3ad55b824efa44f70924a47e840ccc16733308298d66eb1de4ba07010eff61ba1ad6a54c50288c18b60d92462d94d025bbd1d14bf4f496349c1a39e43ea89

data/CHANGELOG.md

@@ -1,3 +1,19 @@
+## 4.0.2
+
+### Breaking Changes
+
+- None
+
+### Added
+
+- None
+
+### Fixed
+
+- [#696](https://github.com/airblade/paper_trail/issues/696) /
+  [#697](https://github.com/airblade/paper_trail/pull/697)
+  Bind JSON query parameters in `where_object` and `where_object_changes`.
+
 ## 4.0.1
 
 ### Breaking Changes

data/README.md

@@ -70,7 +70,7 @@ has been destroyed.
 
 1. Add PaperTrail to your `Gemfile`.
 
-    `gem 'paper_trail', '~> 4.0.1'`
+    `gem 'paper_trail', '~> 4.0.2'`
 
 2. Generate a migration which will add a `versions` table to your database.
 
@@ -93,7 +93,7 @@ setting up your app with PaperTrail will look something like this:
 
 1. Add PaperTrail to your `Gemfile`.
 
-    `gem 'paper_trail', '~> 4.0.1'`
+    `gem 'paper_trail', '~> 4.0.2'`
 
 2. Generate a migration to add a `versions` table to your database.
 

data/gemfiles/3.0.gemfile

@@ -23,16 +23,24 @@ group :development, :test do
   # To do proper transactional testing with ActiveSupport::TestCase on MySQL
   gem 'database_cleaner', '~> 1.2.0'
 
-  # Allow time travel in testing. timecop is only supported after 1.9.2 but does a better cleanup at 'return'
   if RUBY_VERSION < "1.9.2"
     gem 'delorean'
+
+    # rack-cache 1.3 drops ruby 1.8.7 support
+    gem 'rack-cache', '1.2'
   else
+    # timecop is only supported after 1.9.2 but does a better cleanup at 'return'
     gem 'timecop'
   end
 
-  platforms :ruby do 
+  platforms :ruby do
     gem 'sqlite3', '~> 1.2'
-    gem 'mysql2', '~> 0.3'
+
+    # We would prefer to only constrain mysql2 to '~> 0.3',
+    # but a rails bug (https://github.com/rails/rails/issues/21544)
+    # requires us to constrain to '~> 0.3.20' for now.
+    gem 'mysql2', '~> 0.3.20'
+
     gem 'pg', '~> 0.17.1'
   end
 
@@ -42,7 +50,7 @@ group :development, :test do
     gem 'shoulda-matchers', '~> 1.5'
   end
 
-  platforms :jruby do 
+  platforms :jruby do
     # Use jRuby's sqlite3 adapter for jRuby
     gem 'activerecord-jdbcsqlite3-adapter', '~> 1.3'
     gem 'activerecord-jdbcpostgresql-adapter', '~> 1.3'

data/lib/paper_trail/version_concern.rb

@@ -89,23 +89,23 @@ module PaperTrail
         raise ArgumentError, 'expected to receive a Hash' unless args.is_a?(Hash)
 
         if columns_hash['object'].type == :jsonb
-          where_conditions = "object @> '#{args.to_json}'::jsonb"
+          where("object @> ?", args.to_json)
         elsif columns_hash['object'].type == :json
-          where_conditions = args.map do |field, value|
-            "object->>'#{field}' = '#{value}'"
+          predicates = []
+          values = []
+          args.each do |field, value|
+            predicates.push "object->>? = ?"
+            values.concat([field, value.to_s])
           end
-          where_conditions = where_conditions.join(" AND ")
+          sql = predicates.join(" and ")
+          where(sql, *values)
         else
           arel_field = arel_table[:object]
-
-          where_conditions = args.map do |field, value|
+          where_conditions = args.map { |field, value|
             PaperTrail.serializer.where_object_condition(arel_field, field, value)
-          end.reduce do |condition1, condition2|
-            condition1.and(condition2)
-          end
+          }.reduce { |a, e| a.and(e) }
+          where(where_conditions)
         end
-
-        where(where_conditions)
       end
 
       def where_object_changes(args = {})
@@ -113,23 +113,25 @@ module PaperTrail
 
         if columns_hash['object_changes'].type == :jsonb
           args.each { |field, value| args[field] = [value] }
-          where_conditions = "object_changes @> '#{args.to_json}'::jsonb"
+          where("object_changes @> ?", args.to_json)
         elsif columns_hash['object'].type == :json
-          where_conditions = args.map do |field, value|
-            "((object_changes->>'#{field}' ILIKE '[#{value.to_json},%') OR (object_changes->>'#{field}' ILIKE '[%,#{value.to_json}]%'))"
+          predicates = []
+          values = []
+          args.each do |field, value|
+            predicates.push(
+              "((object_changes->>? ILIKE ?) OR (object_changes->>? ILIKE ?))"
+            )
+            values.concat([field, "[#{value.to_json},%", field, "[%,#{value.to_json}]%"])
           end
-          where_conditions = where_conditions.join(" AND ")
+          sql = predicates.join(" and ")
+          where(sql, *values)
         else
           arel_field = arel_table[:object_changes]
-
-          where_conditions = args.map do |field, value|
+          where_conditions = args.map { |field, value|
             PaperTrail.serializer.where_object_changes_condition(arel_field, field, value)
-          end.reduce do |condition1, condition2|
-            condition1.and(condition2)
-          end
+          }.reduce { |a, e| a.and(e) }
+          where(where_conditions)
         end
-
-        where(where_conditions)
       end
 
       def primary_key_is_int?

data/lib/paper_trail/version_number.rb

@@ -2,7 +2,7 @@ module PaperTrail
   module VERSION
     MAJOR = 4
     MINOR = 0
-    TINY  = 1
+    TINY  = 2
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

data/paper_trail.gemspec

@@ -34,17 +34,25 @@ Gem::Specification.new do |s|
   s.add_development_dependency 'generator_spec'
   s.add_development_dependency 'database_cleaner', '~> 1.2'
 
-  # Allow time travel in testing. timecop is only supported after 1.9.2 but does a better cleanup at 'return'
   if RUBY_VERSION < "1.9.2"
     s.add_development_dependency 'delorean'
+
+    # rack-cache 1.3 drops ruby 1.8.7 support
+    s.add_development_dependency 'rack-cache', '1.2'
   else
+    # timecop is only supported after 1.9.2 but does a better cleanup at 'return'
     s.add_development_dependency 'timecop'
   end
 
   # JRuby support for the test ENV
   unless defined?(JRUBY_VERSION)
     s.add_development_dependency 'sqlite3', '~> 1.2'
-    s.add_development_dependency 'mysql2', '~> 0.3'
+
+    # We would prefer to only constrain mysql2 to '~> 0.3',
+    # but a rails bug (https://github.com/rails/rails/issues/21544)
+    # requires us to constrain to '~> 0.3.20' for now.
+    s.add_development_dependency 'mysql2', '~> 0.3.20'
+
     s.add_development_dependency 'pg', '~> 0.17'
   else
     s.add_development_dependency 'activerecord-jdbcsqlite3-adapter', '~> 1.3'

data/spec/models/json_version_spec.rb

@@ -13,6 +13,16 @@ if JsonVersion.table_exists?
         describe '#where_object' do
           it { expect(JsonVersion).to respond_to(:where_object) }
 
+          it "escapes values" do
+            f = Fruit.create(:name => 'Bobby')
+            expect(
+              f.
+                versions.
+                where_object(:name => "Robert'; DROP TABLE Students;--").
+                count
+            ).to eq(0)
+          end
+
           context "invalid arguments" do
             it "should raise an error" do
               expect { JsonVersion.where_object(:foo) }.to raise_error(ArgumentError)
@@ -42,6 +52,16 @@ if JsonVersion.table_exists?
         describe '#where_object_changes' do
           it { expect(JsonVersion).to respond_to(:where_object_changes) }
 
+          it "escapes values" do
+            f = Fruit.create(:name => 'Bobby')
+            expect(
+              f.
+                versions.
+                where_object_changes(:name => "Robert'; DROP TABLE Students;--").
+                count
+            ).to eq(0)
+          end
+
           context "invalid arguments" do
             it "should raise an error" do
               expect { JsonVersion.where_object_changes(:foo) }.to raise_error(ArgumentError)

data/test/unit/model_test.rb

@@ -442,7 +442,7 @@ class HasPaperTrailModelTest < ActiveSupport::TestCase
     end
 
     should 'handle decimals' do
-      assert_in_delta 2.71828, @previous.a_decimal, 0.00001
+      assert_in_delta 2.7183, @previous.a_decimal, 0.0001
     end
 
     should 'handle datetimes' do
@@ -484,7 +484,7 @@ class HasPaperTrailModelTest < ActiveSupport::TestCase
         assert_equal    'The quick brown fox',       @last.reify.a_text
         assert_equal    42,                          @last.reify.an_integer
         assert_in_delta 153.01,                      @last.reify.a_float,   0.001
-        assert_in_delta 2.71828,                     @last.reify.a_decimal, 0.00001
+        assert_in_delta 2.7183,                      @last.reify.a_decimal, 0.0001
         assert_equal    @date_time.to_time.utc.to_i, @last.reify.a_datetime.to_time.utc.to_i
         assert_equal    @time.utc.to_i,              @last.reify.a_time.utc.to_i
         assert_equal    @date,                       @last.reify.a_date

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: paper_trail
 version: !ruby/object:Gem::Version
-  version: 4.0.1
+  version: 4.0.2
 platform: ruby
 authors:
 - Andy Stewart
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-12-14 00:00:00.000000000 Z
+date: 2016-01-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activerecord
@@ -231,14 +231,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.3'
+        version: 0.3.20
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.3'
+        version: 0.3.20
 - !ruby/object:Gem::Dependency
   name: pg
   requirement: !ruby/object:Gem::Requirement