rails-contact 0.1.11 → 0.1.14

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 50cd2c0740daf7405d8085d2956f810cf0bf8883388ff12afb72ee07a6497b6c
-  data.tar.gz: 64db2836ff0701a348e215ea294dae2cef1326ef3fb633a4a69676c4b5e477ef
+  metadata.gz: a91f250f66bfd11f808193354a723ffb15cf9d8fefc5a52052bb11c7c7ca54e5
+  data.tar.gz: 18871d517ce8e9a9fca74e1e74ff775d0eab9ca7208d84397f390754f1a6c280
 SHA512:
-  metadata.gz: 6b8653a3e39f49d9d6aa1bb04463df1f4b5b10ac31d759af6b5bb465b8b2b4ecfbf9a83ee8cbf60a70296d805b5df91e942031ea85f0d530075d00e18bb5a4bc
-  data.tar.gz: e42099d4322b591d5ae7646560afda7178e5ce1674512efab58ef172d34fe74b99b46583553e6cad43ff2a47c96cf95efe34bdd9d2e68958fc77a3a164585812
+  metadata.gz: 510ec523c32aedbfb1f867f990f06626e07a99a6170fbad9e96ef70cca883a34a097961cd92a4f335737fa77a103d611158e35ccf1a28069daba6e5ced1c4d49
+  data.tar.gz: 8ebc2b2e8a8b28df33bce4f265e4750fa7282ebc37f1208204e1ad8f23b25a178d8b6bb335bc1c3d2f458d6a7d586feba392efa75e60612484c3b0205f9d8d14

data/CHANGELOG.md

@@ -1,5 +1,14 @@
 # Changelog
 
+## 0.1.14
+
+- Contacts index filters: **`region` and `csv_import_id` are now multi-select**. `filter_params` permits `region: []` / `csv_import_id: []`, strips the hidden blank a `<select multiple>` submits, and coerces a legacy scalar (`?region=Europe`) to a one-element array. The database backend matches `metadata->>'csv_import_id' IN (...)` across the selected imports (a single id behaves exactly as before); `region` was already array-safe via `where(region_name:)`.
+- Database backend: **search query is now sanitized internally** — LIKE metacharacters (`% _ \`) are escaped and input is capped at 200 chars, so a user typing `%` can no longer widen the match to every row. Host apps no longer need to wrap `search` to be safe.
+
+## 0.1.12
+
+- `_google_sync_panel`: render the card whenever `google_sync_ui_on_index`; if `google_sync_enabled` is false, show short instructions instead of hiding the section entirely.
+
 ## 0.1.11
 
 - Default **Google sync panel** back on the engine index via `_google_sync_panel` when `google_sync_enabled` and `google_sync_ui_on_index` (default true). Host apps can override the partial or disable with `google_sync_ui_on_index = false`.

data/app/controllers/rails/contact/contacts_controller.rb

@@ -127,7 +127,37 @@ module Rails
       end
 
       def filter_params
-        params.permit(:city, :region, :sync_eligible, :starred)
+        permitted = params.permit(
+          :city,
+          :sync_eligible,
+          :starred,
+          :travel_date_start,
+          :travel_date_end,
+          :contact_created_at_start,
+          :contact_created_at_end,
+          region: [],
+          csv_import_id: []
+        )
+
+        normalize_multi_select!(permitted, :region)
+        normalize_multi_select!(permitted, :csv_import_id)
+        permitted
+      end
+
+      # region and csv_import_id are multi-select filters: a <select multiple>
+      # submits param[] (an array) plus a hidden param[]="" that Rails always
+      # sends, so the blank must be stripped — otherwise IN ('', 'x') matches
+      # every blank-valued row. Legacy bookmarks may still send a scalar
+      # (?region=Europe); coerce those to a one-element array so the search
+      # backend only ever sees an array (or no key at all).
+      def normalize_multi_select!(permitted, key)
+        if permitted[key].blank? && params[key].is_a?(String) && params[key].present?
+          permitted[key] = [ params[key] ]
+        end
+        return unless permitted[key].is_a?(Array)
+
+        permitted[key] = permitted[key].reject(&:blank?)
+        permitted.delete(key) if permitted[key].empty?
       end
 
       def google_pending_sync_count

data/app/views/rails/contact/_google_sync_panel.html.erb

@@ -1,27 +1,35 @@
-<% if Rails::Contact.configuration.google_sync_enabled && Rails::Contact.configuration.google_sync_ui_on_index %>
+<% if Rails::Contact.configuration.google_sync_ui_on_index %>
   <div class="rounded-xl border border-gray-200 bg-white p-4 shadow-sm space-y-4">
     <h2 class="text-sm font-semibold text-gray-900">Google Contacts</h2>
 
-    <div>
-      <%= form_with url: google_sync_rolling_window_contacts_path, method: :post, local: true, class: "flex flex-wrap items-center gap-3" do %>
-        <%= submit_tag "Re-sync recent contacts with Google",
-              class: "inline-flex rounded-md bg-emerald-600 px-4 py-2 text-sm font-semibold text-white hover:bg-emerald-700",
-              data: { confirm: "Queue Google sync for the recent contact window? This updates contacts already in Google and creates any that are missing. Runs in the background." } %>
-      <% end %>
-      <p class="mt-2 text-xs text-gray-500">
-        Pushes the most recently updated contacts (up to your configured limit) to Google—new rows and changes to names, emails, phones, etc.
-      </p>
-    </div>
-
-    <% if @google_contacts_pending_sync.to_i.positive? %>
-      <div class="border-t border-gray-100 pt-4">
-        <%= form_with url: google_sync_unsynced_contacts_path, method: :post, local: true, class: "flex flex-wrap items-center gap-3" do %>
-          <%= submit_tag "Sync #{@google_contacts_pending_sync} contact#{'s' if @google_contacts_pending_sync != 1} with no Google link yet (any age)",
-                class: "inline-flex rounded-md border border-emerald-700 bg-white px-4 py-2 text-sm font-semibold text-emerald-800 hover:bg-emerald-50",
-                data: { confirm: "Queue Google sync for #{@google_contacts_pending_sync} contact(s) that are not linked yet? This runs in the background." } %>
+    <% if Rails::Contact.configuration.google_sync_enabled %>
+      <div>
+        <%= form_with url: google_sync_rolling_window_contacts_path, method: :post, local: true, class: "flex flex-wrap items-center gap-3" do %>
+          <%= submit_tag "Re-sync recent contacts with Google",
+                class: "inline-flex rounded-md bg-emerald-600 px-4 py-2 text-sm font-semibold text-white hover:bg-emerald-700",
+                data: { confirm: "Queue Google sync for the recent contact window? This updates contacts already in Google and creates any that are missing. Runs in the background." } %>
         <% end %>
-        <p class="mt-2 text-xs text-gray-500">For contacts outside the recent window or older imports that never received a Google <code class="rounded bg-gray-100 px-1">resourceName</code>.</p>
+        <p class="mt-2 text-xs text-gray-500">
+          Pushes the most recently updated contacts (up to your configured limit) to Google—new rows and changes to names, emails, phones, etc.
+        </p>
       </div>
+
+      <% if @google_contacts_pending_sync.to_i.positive? %>
+        <div class="border-t border-gray-100 pt-4">
+          <%= form_with url: google_sync_unsynced_contacts_path, method: :post, local: true, class: "flex flex-wrap items-center gap-3" do %>
+            <%= submit_tag "Sync #{@google_contacts_pending_sync} contact#{'s' if @google_contacts_pending_sync != 1} with no Google link yet (any age)",
+                  class: "inline-flex rounded-md border border-emerald-700 bg-white px-4 py-2 text-sm font-semibold text-emerald-800 hover:bg-emerald-50",
+                  data: { confirm: "Queue Google sync for #{@google_contacts_pending_sync} contact(s) that are not linked yet? This runs in the background." } %>
+          <% end %>
+          <p class="mt-2 text-xs text-gray-500">For contacts outside the recent window or older imports that never received a Google <code class="rounded bg-gray-100 px-1">resourceName</code>.</p>
+        </div>
+      <% end %>
+    <% else %>
+      <p class="text-sm text-gray-600">
+        Google sync is turned off. Set environment variable
+        <code class="rounded bg-gray-100 px-1">RAILS_CONTACT_GOOGLE_SYNC_ENABLED=true</code>
+        (and OAuth client + token path in <code class="rounded bg-gray-100 px-1">rails_contact</code> initializer), then restart the server.
+      </p>
     <% end %>
   </div>
 <% end %>

data/app/views/rails/contact/index.html.erb

@@ -19,6 +19,22 @@
         <%= f.label :region, "Interested Region", class: "mb-1 block text-sm font-medium text-gray-700" %>
         <%= f.text_field :region, value: params[:region], class: "w-full rounded-md border border-gray-300 px-3 py-2 text-sm" %>
       </div>
+      <div>
+        <%= f.label :travel_date_start, "Travel Start", class: "mb-1 block text-sm font-medium text-gray-700" %>
+        <%= f.date_field :travel_date_start, value: params[:travel_date_start], class: "w-full rounded-md border border-gray-300 px-3 py-2 text-sm" %>
+      </div>
+      <div>
+        <%= f.label :travel_date_end, "Travel End", class: "mb-1 block text-sm font-medium text-gray-700" %>
+        <%= f.date_field :travel_date_end, value: params[:travel_date_end], class: "w-full rounded-md border border-gray-300 px-3 py-2 text-sm" %>
+      </div>
+      <div>
+        <%= f.label :contact_created_at_start, "Created Start", class: "mb-1 block text-sm font-medium text-gray-700" %>
+        <%= f.date_field :contact_created_at_start, value: params[:contact_created_at_start], class: "w-full rounded-md border border-gray-300 px-3 py-2 text-sm" %>
+      </div>
+      <div>
+        <%= f.label :contact_created_at_end, "Created End", class: "mb-1 block text-sm font-medium text-gray-700" %>
+        <%= f.date_field :contact_created_at_end, value: params[:contact_created_at_end], class: "w-full rounded-md border border-gray-300 px-3 py-2 text-sm" %>
+      </div>
       <div class="flex gap-2">
         <%= f.submit "Filter", class: "inline-flex rounded-md bg-gray-900 px-4 py-2 text-sm font-medium text-white hover:bg-gray-700" %>
         <%= link_to "Reset", contacts_path, class: "inline-flex rounded-md border border-gray-300 px-4 py-2 text-sm font-medium text-gray-700 hover:bg-gray-50" %>

data/lib/generators/rails/contact/templates/create_rails_contact_contacts.rb.tt

@@ -22,5 +22,8 @@ class CreateRailsContactContacts < ActiveRecord::Migration[7.1]
     add_index :rails_contact_contacts, :updated_at
     add_index :rails_contact_contacts, :sync_eligible
     add_index :rails_contact_contacts, :google_resource_name, unique: true
+    add_index :rails_contact_contacts, "(metadata->>'travel_date')", name: 'idx_contacts_travel_date'
+    add_index :rails_contact_contacts, "(metadata->>'contact_created_at')", name: 'idx_contacts_contact_created_at'
+    add_index :rails_contact_contacts, "(metadata->>'csv_import_id')", name: 'idx_contacts_csv_import_id'
   end
 end

data/lib/rails/contact/search/backends/database.rb

@@ -3,7 +3,12 @@ module Rails
     module Search
       module Backends
         class Database
+          # Cap user input so the LIKE pattern stays bounded; 200 chars covers
+          # any realistic name/email/phone substring.
+          MAX_QUERY_LENGTH = 200
+
           def search(query, filters, page:, per_page:)
+            query = sanitize_query(query)
             offset = (page - 1) * per_page
             scope = Contact.includes(:emails, :phones, :labels).recent_first
             scope = apply_filters(scope, filters)
@@ -33,6 +38,16 @@ module Rails
 
           private
 
+          # Escape LIKE metacharacters (% _ \) so a user typing "%" can't widen
+          # the match to every row, and cap length to keep the pattern bounded.
+          # The backend builds raw "%…%" LIKE patterns, so this guard belongs
+          # here — host apps should not have to wrap search() to stay safe.
+          def sanitize_query(query)
+            return query if query.blank?
+
+            ActiveRecord::Base.sanitize_sql_like(query.to_s[0, MAX_QUERY_LENGTH])
+          end
+
           def apply_filters(scope, filters)
             scoped = scope
             scoped = scoped.where(current_city: filters["city"]) if filters["city"].present?
@@ -41,6 +56,32 @@ module Rails
             if filters["sync_eligible"].present?
               scoped = scoped.where(sync_eligible: ActiveModel::Type::Boolean.new.cast(filters["sync_eligible"]))
             end
+
+            if filters["travel_date_start"].present?
+              scoped = scoped.where("metadata->>'travel_date' >= ?", filters["travel_date_start"])
+            end
+
+            if filters["travel_date_end"].present?
+              scoped = scoped.where("metadata->>'travel_date' <= ?", filters["travel_date_end"])
+            end
+
+            if filters["contact_created_at_start"].present?
+              scoped = scoped.where("metadata->>'contact_created_at' >= ?", filters["contact_created_at_start"])
+            end
+
+            if filters["contact_created_at_end"].present?
+              scoped = scoped.where("metadata->>'contact_created_at' <= ?", filters["contact_created_at_end"])
+            end
+
+            # csv_import_id is a multi-select filter: it may be a single id or an
+            # array of ids. region above is already array-safe via where(region_name:),
+            # but this JSON-extraction predicate needs an explicit IN. A single id
+            # yields IN ('5'), identical to the old = '5'.
+            if filters["csv_import_id"].present?
+              ids = Array(filters["csv_import_id"]).map(&:to_s).reject(&:blank?)
+              scoped = scoped.where("metadata->>'csv_import_id' IN (?)", ids) if ids.any?
+            end
+
             scoped
           end
         end

data/lib/rails/contact/search/backends/elasticsearch.rb

@@ -120,8 +120,8 @@ module Rails
 
           def filter_clauses(filters)
             clauses = []
-            clauses << { term: { current_city: filters["city"] } } if filters["city"].present?
-            clauses << { term: { region_name: filters["region"] } } if filters["region"].present?
+            clauses << match_clause(:current_city, filters["city"]) if filters["city"].present?
+            clauses << match_clause(:region_name, filters["region"]) if filters["region"].present?
             unless filters["starred"].nil?
               starred_value = ActiveModel::Type::Boolean.new.cast(filters["starred"])
               clauses << { term: { starred: starred_value } }
@@ -133,6 +133,12 @@ module Rails
             clauses
           end
 
+          # city and region are multi-select filters: an array uses a `terms`
+          # clause (match any), a single value keeps the scalar `term` clause.
+          def match_clause(field, value)
+            value.is_a?(Array) ? { terms: { field => value } } : { term: { field => value } }
+          end
+
           def document_for(contact)
             {
               id: contact.id,

data/lib/rails/contact/version.rb

@@ -1,5 +1,5 @@
 module Rails
   module Contact
-    VERSION = "0.1.11"
+    VERSION = "0.1.14"
   end
 end

data/lib/tasks/rails/contact_tasks.rake

@@ -19,5 +19,4 @@ namespace :rails_contact do
     Rails::Contact::GoogleSyncJob.perform_now
     puts "Google sync completed"
   end
-
 end

data/spec/controllers/contacts_controller_spec.rb

@@ -4,10 +4,28 @@ RSpec.describe Rails::Contact::ContactsController do
   let(:controller) { described_class.new }
 
   describe "private filter params" do
-    it "permits city/region/sync_eligible keys" do
+    it "permits city/sync_eligible and coerces a scalar region to an array" do
       controller.params = ActionController::Parameters.new(city: "Delhi", region: "Europe", sync_eligible: "true", x: "1")
       permitted = controller.send(:filter_params)
-      expect(permitted.to_h).to eq({ "city" => "Delhi", "region" => "Europe", "sync_eligible" => "true" })
+      expect(permitted.to_h).to eq({ "city" => "Delhi", "region" => [ "Europe" ], "sync_eligible" => "true" })
+    end
+
+    it "permits multi-select region[] and csv_import_id[] arrays" do
+      controller.params = ActionController::Parameters.new(region: [ "Europe", "Asia" ], csv_import_id: [ "5", "7" ])
+      permitted = controller.send(:filter_params)
+      expect(permitted.to_h).to eq({ "region" => [ "Europe", "Asia" ], "csv_import_id" => [ "5", "7" ] })
+    end
+
+    it "strips the hidden blank a <select multiple> submits" do
+      controller.params = ActionController::Parameters.new(csv_import_id: [ "", "7" ])
+      permitted = controller.send(:filter_params)
+      expect(permitted.to_h).to eq({ "csv_import_id" => [ "7" ] })
+    end
+
+    it "drops a multi-select key entirely when only blanks are submitted" do
+      controller.params = ActionController::Parameters.new(region: [ "" ])
+      permitted = controller.send(:filter_params)
+      expect(permitted.to_h).to eq({})
     end
   end
 

data/spec/search/database_backend_spec.rb

@@ -0,0 +1,49 @@
+require "rails_helper"
+
+RSpec.describe Rails::Contact::Search::Backends::Database do
+  # metadata is a text column read back through JSON.parse, so store JSON for
+  # the SQL `metadata->>'csv_import_id'` extraction to resolve.
+  def make(name, import_id)
+    create(:rails_contact_contact, given_name: name, metadata: { "csv_import_id" => import_id }.to_json)
+  end
+
+  let!(:alice) { make("Alice", "imp_1") }
+  let!(:bob)   { make("Bob", "imp_2") }
+  let!(:carol) { make("Carol", "imp_3") }
+
+  def records(filters)
+    described_class.new.search("", filters, page: 1, per_page: 25).records
+  end
+
+  describe "csv_import_id filter (multi-select)" do
+    it "matches contacts across every selected import (array -> IN)" do
+      expect(records("csv_import_id" => [ "imp_1", "imp_2" ])).to match_array([ alice, bob ])
+    end
+
+    it "matches a single import exactly as before (scalar)" do
+      expect(records("csv_import_id" => "imp_1")).to match_array([ alice ])
+    end
+
+    it "applies no constraint when the selection is blank only" do
+      expect(records("csv_import_id" => [ "" ])).to match_array([ alice, bob, carol ])
+    end
+  end
+
+  describe "query sanitization" do
+    def search_for(query)
+      described_class.new.search(query, {}, page: 1, per_page: 25).records
+    end
+
+    it "treats % as a literal, not a match-everything wildcard" do
+      expect(search_for("%")).to be_empty
+    end
+
+    it "still matches a real substring" do
+      expect(search_for("Ali")).to include(alice)
+    end
+
+    it "does not blow up on pathologically long input" do
+      expect { search_for("a" * 1000) }.not_to raise_error
+    end
+  end
+end

data/spec/search/elasticsearch_backend_spec.rb

@@ -0,0 +1,33 @@
+require "rails_helper"
+
+RSpec.describe Rails::Contact::Search::Backends::Elasticsearch do
+  # Captures the query body so we can assert filter-clause shape without a real
+  # Elasticsearch server. Returns an empty hit set so #search resolves cleanly.
+  let(:captured) { {} }
+  let(:client) do
+    cap = captured
+    Class.new do
+      define_method(:initialize) { cap }
+      define_method(:search) do |index:, body:|
+        cap[:index] = index
+        cap[:body]  = body
+        { "hits" => { "total" => { "value" => 0 }, "hits" => [] } }
+      end
+    end.new
+  end
+
+  def filter_clauses(filters)
+    described_class.new(client: client).search("", filters, page: 1, per_page: 25)
+    captured[:body][:query][:bool][:filter]
+  end
+
+  it "emits a terms clause for a multi-select region array" do
+    expect(filter_clauses("region" => [ "Europe", "Asia" ]))
+      .to include({ terms: { region_name: [ "Europe", "Asia" ] } })
+  end
+
+  it "emits a scalar term clause for a single city" do
+    expect(filter_clauses("city" => "Delhi"))
+      .to include({ term: { current_city: "Delhi" } })
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rails-contact
 version: !ruby/object:Gem::Version
-  version: 0.1.11
+  version: 0.1.14
 platform: ruby
 authors:
 - Kshitiz Sinha
@@ -193,6 +193,8 @@ files:
 - spec/helpers/application_helper_spec.rb
 - spec/models/contact_spec.rb
 - spec/rails_helper.rb
+- spec/search/database_backend_spec.rb
+- spec/search/elasticsearch_backend_spec.rb
 - spec/services/merge_contacts_service_spec.rb
 - spec/spec_helper.rb
 - spec/views/contact_templates_spec.rb