pg_reports 0.5.0 → 0.5.1

data/app/views/pg_reports/dashboard/_show_scripts.html.erb

@@ -5,6 +5,7 @@
   const reportKey = '<%= @report_key %>';
   const railsEnv = '<%= Rails.env %>';
   const isDevelopment = railsEnv === 'development';
+  const allowRawQueryExecution = <%= PgReports.config.allow_raw_query_execution.to_s.downcase %>;
   let syncingScroll = false;
   let currentSort = { column: null, direction: 'asc' };
 
@@ -595,9 +596,10 @@
       // Only show EXPLAIN ANALYZE for SELECT queries
       const queryNormalized = row.query.trim().toLowerCase();
       if (queryNormalized.startsWith('select')) {
-        // Use data attribute to avoid escaping issues with special characters
+        // Use data attribute to pass query hash for security
         const queryBase64 = btoa(unescape(encodeURIComponent(row.query)));
-        html += `<button class="btn-explain" data-query-b64="${queryBase64}" onclick="event.stopPropagation(); runExplainAnalyzeFromButton(this)">📊 EXPLAIN ANALYZE</button>`;
+        const queryHash = row.query_hash || '';
+        html += `<button class="btn-explain" data-query-b64="${queryBase64}" data-query-hash="${queryHash}" onclick="event.stopPropagation(); runExplainAnalyzeFromButton(this)">📊 EXPLAIN ANALYZE</button>`;
       }
     }
 
@@ -1008,6 +1010,7 @@
   // ==========================================
 
   let currentExplainQuery = '';
+  let currentExplainQueryHash = '';
   let currentQueryParams = [];
 
   // Parse $1, $2, etc. from query
@@ -1023,19 +1026,22 @@
   // Decode base64 query from button and run analyzer
   function runExplainAnalyzeFromButton(btn) {
     const queryBase64 = btn.dataset.queryB64;
+    const queryHash = btn.dataset.queryHash;
+
     if (!queryBase64) return;
 
     try {
       const query = decodeURIComponent(escape(atob(queryBase64)));
-      runExplainAnalyze(query);
+      runExplainAnalyze(query, queryHash);
     } catch (e) {
       showToast('Failed to decode query', 'error');
     }
   }
 
   // Show query analyzer modal
-  function runExplainAnalyze(query) {
+  function runExplainAnalyze(query, queryHash = '') {
     currentExplainQuery = query;
+    currentExplainQueryHash = queryHash;
     currentQueryParams = parseQueryParams(query);
 
     const modal = document.getElementById('explain-modal');
@@ -1276,6 +1282,23 @@
   async function executeExplainAnalyze() {
     const loading = document.getElementById('explain-loading');
     const content = document.getElementById('explain-content');
+
+    // Security check
+    if (!allowRawQueryExecution) {
+      const message = '⚠️ EXPLAIN ANALYZE отключен. Включите в конфигурации: config.allow_raw_query_execution = true';
+      showToast(message, 'error');
+      content.innerHTML = `<div class="error-message">
+        <strong>⚠️ Query execution is disabled</strong><br><br>
+        To enable this feature, add to your configuration:<br>
+        <code style="display: block; margin-top: 0.5rem; padding: 0.5rem; background: rgba(0,0,0,0.2); border-radius: 4px;">
+PgReports.configure do |config|<br>
+&nbsp;&nbsp;config.allow_raw_query_execution = true<br>
+end
+        </code>
+      </div>`;
+      return;
+    }
+
     const params = getParamValues();
 
     loading.style.display = 'flex';
@@ -1288,7 +1311,7 @@
           'Content-Type': 'application/json',
           'X-CSRF-Token': document.querySelector('meta[name="csrf-token"]')?.content || ''
         },
-        body: JSON.stringify({ query: currentExplainQuery, params: params })
+        body: JSON.stringify({ query_hash: currentExplainQueryHash, params: params })
       });
 
       const data = await response.json();
@@ -1309,6 +1332,23 @@
   async function executeQuery() {
     const loading = document.getElementById('explain-loading');
     const content = document.getElementById('explain-content');
+
+    // Security check
+    if (!allowRawQueryExecution) {
+      const message = '⚠️ Выполнение запросов отключено. Включите в конфигурации: config.allow_raw_query_execution = true';
+      showToast(message, 'error');
+      content.innerHTML = `<div class="error-message">
+        <strong>⚠️ Query execution is disabled</strong><br><br>
+        To enable this feature, add to your configuration:<br>
+        <code style="display: block; margin-top: 0.5rem; padding: 0.5rem; background: rgba(0,0,0,0.2); border-radius: 4px;">
+PgReports.configure do |config|<br>
+&nbsp;&nbsp;config.allow_raw_query_execution = true<br>
+end
+        </code>
+      </div>`;
+      return;
+    }
+
     const params = getParamValues();
 
     loading.style.display = 'flex';
@@ -1321,7 +1361,7 @@
           'Content-Type': 'application/json',
           'X-CSRF-Token': document.querySelector('meta[name="csrf-token"]')?.content || ''
         },
-        body: JSON.stringify({ query: currentExplainQuery, params: params })
+        body: JSON.stringify({ query_hash: currentExplainQueryHash, params: params })
       });
 
       const data = await response.json();
@@ -1460,6 +1500,30 @@ end
   async function createMigrationFile() {
     if (!currentMigrationData) return;
 
+    // Security check
+    if (!allowRawQueryExecution) {
+      const message = '⚠️ Создание миграций отключено. Включите в конфигурации: config.allow_raw_query_execution = true';
+      showToast(message, 'error');
+
+      const modalBody = document.getElementById('migration-modal-body');
+      if (modalBody) {
+        const errorDiv = document.createElement('div');
+        errorDiv.className = 'error-message';
+        errorDiv.style.marginTop = '1rem';
+        errorDiv.innerHTML = `
+          <strong>⚠️ Migration creation is disabled</strong><br><br>
+          To enable this feature, add to your configuration:<br>
+          <code style="display: block; margin-top: 0.5rem; padding: 0.5rem; background: rgba(0,0,0,0.2); border-radius: 4px;">
+PgReports.configure do |config|<br>
+&nbsp;&nbsp;config.allow_raw_query_execution = true<br>
+end
+          </code>
+        `;
+        modalBody.appendChild(errorDiv);
+      }
+      return;
+    }
+
     try {
       const response = await fetch(`${pgReportsRoot}/create_migration`, {
         method: 'POST',

data/app/views/pg_reports/dashboard/index.html.erb

@@ -222,6 +222,9 @@ pg_stat_statements.track = all</pre>
       <button class="btn btn-small btn-danger" onclick="stopQueryMonitoring(this)" id="stop-monitor-btn" style="display: none;">
         ⏹ Stop Monitoring
       </button>
+      <button class="btn btn-small btn-secondary" onclick="loadQueryHistory(this)" id="load-history-btn">
+        📜 Load History (50)
+      </button>
       <div class="download-dropdown" id="monitor-download-dropdown" style="display: none;">
         <button class="btn btn-small btn-secondary" onclick="toggleMonitorDownloadMenu(event)">
           📥 Download
@@ -855,6 +858,9 @@ pg_stat_statements.track = all</pre>
   let liveMonitoringEnabled = true;
   let pollTimer = null;
   let previousMetrics = null;
+  let metricsAvailable = true;
+  let consecutiveErrors = 0;
+  const MAX_CONSECUTIVE_ERRORS = 3;
   const metricsHistory = {
     connections: [],
     tps: [],
@@ -867,8 +873,6 @@ pg_stat_statements.track = all</pre>
     const panel = document.getElementById('live-monitoring');
     if (!panel) return;
 
-    panel.style.display = 'block';
-
     const savedState = localStorage.getItem('pgReportsLiveMonitoring');
     if (savedState === 'disabled') {
       liveMonitoringEnabled = false;
@@ -876,11 +880,47 @@ pg_stat_statements.track = all</pre>
     }
 
     if (liveMonitoringEnabled) {
-      fetchLiveMetrics();
-      startPolling();
+      // First try to fetch metrics to see if they're available
+      fetchLiveMetrics().then(success => {
+        if (success) {
+          panel.style.display = 'block';
+          startPolling();
+        } else {
+          showMetricsUnavailableMessage();
+        }
+      });
+    } else {
+      panel.style.display = 'block';
     }
   }
 
+  function showMetricsUnavailableMessage() {
+    const panel = document.getElementById('live-monitoring');
+    if (!panel) return;
+
+    panel.style.display = 'block';
+    panel.innerHTML = `
+      <div class="live-monitoring-header">
+        <div class="live-monitoring-title">
+          <span class="badge-dot error"></span>
+          <span>Live Monitoring Unavailable</span>
+        </div>
+      </div>
+      <div style="padding: 2rem; text-align: center; color: var(--text-muted);">
+        <p style="margin-bottom: 1rem;">Unable to fetch database statistics.</p>
+        <p style="font-size: 0.875rem;">This may be due to:</p>
+        <ul style="list-style: none; padding: 0; margin: 1rem 0; font-size: 0.875rem;">
+          <li>• Insufficient database permissions</li>
+          <li>• Database statistics views not accessible</li>
+          <li>• Connection issues</li>
+        </ul>
+        <button class="btn btn-small btn-primary" onclick="location.reload()" style="margin-top: 1rem;">
+          Retry
+        </button>
+      </div>
+    `;
+  }
+
   function startPolling() {
     if (pollTimer) clearInterval(pollTimer);
     pollTimer = setInterval(fetchLiveMetrics, LIVE_CONFIG.pollInterval);
@@ -899,6 +939,9 @@ pg_stat_statements.track = all</pre>
     updateToggleUI();
 
     if (liveMonitoringEnabled) {
+      // Reset error counter when manually re-enabling
+      consecutiveErrors = 0;
+      metricsAvailable = true;
       fetchLiveMetrics();
       startPolling();
     } else {
@@ -924,11 +967,38 @@ pg_stat_statements.track = all</pre>
       const response = await fetch(`${pgReportsRoot}/live_metrics`);
       const data = await response.json();
 
-      if (data.success) {
+      if (data.success && data.available !== false) {
+        consecutiveErrors = 0;
+        metricsAvailable = true;
         updateMetricsDisplay(data.metrics);
+        return true;
+      } else {
+        consecutiveErrors++;
+        console.error('Metrics unavailable:', data.error);
+
+        // If we get too many consecutive errors, show error state
+        if (consecutiveErrors >= MAX_CONSECUTIVE_ERRORS) {
+          metricsAvailable = false;
+          stopPolling();
+          showMetricsUnavailableMessage();
+        } else if (consecutiveErrors === 1) {
+          // Show toast on first error
+          showToast(data.error || 'Failed to fetch live metrics', 'error');
+        }
+        return false;
       }
     } catch (error) {
+      consecutiveErrors++;
       console.error('Failed to fetch live metrics:', error);
+
+      if (consecutiveErrors >= MAX_CONSECUTIVE_ERRORS) {
+        metricsAvailable = false;
+        stopPolling();
+        showMetricsUnavailableMessage();
+      } else if (consecutiveErrors === 1) {
+        showToast('Network error: ' + error.message, 'error');
+      }
+      return false;
     }
   }
 
@@ -1095,9 +1165,8 @@ pg_stat_statements.track = all</pre>
         updateQueryMonitorUI(true);
         startQueryMonitorPolling();
       } else {
-        // Monitoring not active - load history from log file
+        // Monitoring not active
         queryMonitorEnabled = false;
-        await loadQueryHistory();
         updateQueryMonitorUI(false);
       }
     } catch (error) {
@@ -1107,33 +1176,28 @@ pg_stat_statements.track = all</pre>
     }
   }
 
-  async function loadQueryHistory() {
-    try {
-      const response = await fetch(
-        `${pgReportsRoot}/query_monitor/history?limit=${QUERY_MONITOR_CONFIG.maxQueries}`
-      );
-      const data = await response.json();
-
-      if (data.success && data.queries && data.queries.length > 0) {
-        renderQueryFeed(data.queries);
-      }
-    } catch (error) {
-      console.error('Failed to load query history:', error);
-    }
-  }
+  async function loadQueryHistory(button) {
+    button.disabled = true;
+    button.innerHTML = '<span class="spinner"></span> Loading...';
 
-  async function loadSessionFromLog(sessionId) {
     try {
       const response = await fetch(
-        `${pgReportsRoot}/query_monitor/history?session_id=${sessionId}&limit=${QUERY_MONITOR_CONFIG.maxQueries}`
+        `${pgReportsRoot}/query_monitor/history?limit=50`
       );
       const data = await response.json();
 
       if (data.success && data.queries && data.queries.length > 0) {
         renderQueryFeed(data.queries);
+        showToast(`Loaded ${data.queries.length} queries from history`);
+      } else {
+        showToast('No query history found', 'error');
       }
     } catch (error) {
-      console.error('Failed to load session from log:', error);
+      console.error('Failed to load query history:', error);
+      showToast('Failed to load history: ' + error.message, 'error');
+    } finally {
+      button.disabled = false;
+      button.innerHTML = '📜 Load History (50)';
     }
   }
 
@@ -1187,15 +1251,9 @@ pg_stat_statements.track = all</pre>
 
       if (data.success) {
         queryMonitorEnabled = false;
-        const stoppedSessionId = data.session_id || currentSessionId;
         currentSessionId = null;
         stopQueryMonitorPolling();
 
-        // Load complete session data from log file
-        if (stoppedSessionId) {
-          await loadSessionFromLog(stoppedSessionId);
-        }
-
         updateQueryMonitorUI(false);
         showToast(data.message);
       } else {
@@ -1215,6 +1273,7 @@ pg_stat_statements.track = all</pre>
     const indicator = document.getElementById('monitor-indicator');
     const startBtn = document.getElementById('start-monitor-btn');
     const stopBtn = document.getElementById('stop-monitor-btn');
+    const loadHistoryBtn = document.getElementById('load-history-btn');
     const sessionBadge = document.getElementById('session-badge');
     const sessionIdEl = document.getElementById('session-id');
     const downloadDropdown = document.getElementById('monitor-download-dropdown');
@@ -1228,6 +1287,7 @@ pg_stat_statements.track = all</pre>
       stopBtn.style.display = 'inline-block';
       stopBtn.disabled = false;
       stopBtn.innerHTML = '⏹ Stop Monitoring';
+      loadHistoryBtn.style.display = 'none';  // Hide when monitoring active
       sessionBadge.style.display = 'inline-block';
       sessionIdEl.textContent = currentSessionId ? currentSessionId.substring(0, 8) : '';
       downloadDropdown.style.display = 'inline-block';
@@ -1237,6 +1297,7 @@ pg_stat_statements.track = all</pre>
       startBtn.disabled = false;
       startBtn.innerHTML = '▶ Start Monitoring';
       stopBtn.style.display = 'none';
+      loadHistoryBtn.style.display = 'inline-block';  // Show when monitoring stopped
       sessionBadge.style.display = 'none';
 
       // Keep results visible after stopping, only hide download if no queries

data/lib/pg_reports/configuration.rb

@@ -38,6 +38,9 @@ module PgReports
     attr_accessor :query_monitor_max_queries    # Maximum number of queries to keep in buffer
     attr_accessor :query_monitor_backtrace_filter # Proc to filter backtrace lines
 
+    # Security settings
+    attr_accessor :allow_raw_query_execution    # Allow execute_query and explain_analyze from dashboard
+
     def initialize
       # Telegram
       @telegram_bot_token = ENV.fetch("PG_REPORTS_TELEGRAM_TOKEN", nil)
@@ -77,6 +80,11 @@ module PgReports
         # Exclude gem paths, framework paths
         !location.path.match?(%r{/(gems|ruby|railties)/})
       }
+
+      # Security
+      @allow_raw_query_execution = ActiveModel::Type::Boolean.new.cast(
+        ENV.fetch("PG_REPORTS_ALLOW_RAW_QUERY_EXECUTION", false)
+      )
     end
 
     def connection

data/lib/pg_reports/modules/system.rb

@@ -48,11 +48,17 @@ module PgReports
       # Live metrics for dashboard monitoring
       # @param long_query_threshold [Integer] Threshold in seconds for long queries
       # @return [Hash] Metrics data
+      # @raise [StandardError] If no data is returned
       def live_metrics(long_query_threshold: 60)
         data = executor.execute_from_file(:system, :live_metrics,
           long_query_threshold: long_query_threshold)
 
-        row = data.first || {}
+        row = data.first
+
+        # If no data returned, something is wrong with the query or permissions
+        if row.nil? || row.empty?
+          raise StandardError, "No statistics data returned. Check database permissions and pg_stat views."
+        end
 
         {
           connections: {

data/lib/pg_reports/query_monitor.rb

@@ -123,7 +123,7 @@ module PgReports
 
         queries
       rescue => e
-        Rails.logger.warn("PgReports: Failed to load queries from log: #{e.message}")
+        Rails.logger.warn("PgReports: Failed to load queries from log: #{e.message}") if defined?(Rails)
         []
       end
     end
@@ -188,33 +188,46 @@ module PgReports
     end
 
     def query_from_pg_reports?
-      # Check if query originates from pg_reports gem code (not tests)
+      # Check if query originates from pg_reports gem internal code
       locations = caller_locations(0, 30)
       return false unless locations
 
       locations.any? do |location|
         path = location.path
-        # Match gem paths: /gems/pg_reports-X.Y.Z/lib/ or local /lib/pg_reports/
-        # But exclude test paths: /spec/
+        # Exclude test paths
         next if path.include?("/spec/")
 
-        # Match both gem installation and local development lib paths
+        # Filter queries from pg_reports internal modules only:
+        # - Installed gem: /gems/pg_reports-X.Y.Z/lib/
+        # - Local gem: /pg_reports/lib/pg_reports/modules/
+        # - Dashboard controller: /pg_reports/app/controllers/pg_reports/
         path.match?(%r{/gems/pg_reports[-\d.]+/lib/}) ||
-          path.match?(%r{/lib/pg_reports/})
+          path.match?(%r{/pg_reports/lib/pg_reports/modules/}) ||
+          path.match?(%r{/pg_reports/app/controllers/pg_reports/dashboard_controller\.rb})
       end
     end
 
     def extract_source_location
-      filter_proc = PgReports.config.query_monitor_backtrace_filter
-
       # Get caller locations, skip first few frames (this file, active_support)
-      locations = caller_locations(5, 20)
+      # Increase limit to 50 to capture more of the stack
+      locations = caller_locations(5, 50)
 
       return nil unless locations
 
       # Find first application code location
+      # Look for paths that are NOT from gems/ruby/railties
       app_location = locations.find do |location|
-        filter_proc.call(location)
+        path = location.path
+
+        # Skip framework and gem paths
+        next if path.match?(%r{/(gems|ruby|railties)/})
+
+        # Skip pg_reports internal paths
+        next if path.match?(%r{/pg_reports/lib/pg_reports/})
+        next if path.match?(%r{/pg_reports/app/controllers/pg_reports/})
+
+        # This is likely application code
+        true
       end
 
       return nil unless app_location

data/lib/pg_reports/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module PgReports
-  VERSION = "0.5.0"
+  VERSION = "0.5.1"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: pg_reports
 version: !ruby/object:Gem::Version
-  version: 0.5.0
+  version: 0.5.1
 platform: ruby
 authors:
 - Eldar Avatov
@@ -276,7 +276,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.7.1
+rubygems_version: 4.0.4
 specification_version: 4
 summary: PostgreSQL analysis and reporting tool with Telegram integration
 test_files: []