ransack 3.2.1 → 4.0.0

data/lib/ransack/visitor.rb

@@ -26,7 +26,14 @@ module Ransack
     end
 
     def visit_and(object)
-      raise "not implemented"
+      nodes = object.values.map { |o| accept(o) }.compact
+      return nil unless nodes.size > 0
+
+      if nodes.size > 1
+        Arel::Nodes::Grouping.new(Arel::Nodes::And.new(nodes))
+      else
+        nodes.first
+      end
     end
 
     def visit_or(object)
@@ -35,17 +42,46 @@ module Ransack
     end
 
     def quoted?(object)
-      raise "not implemented"
+      case object
+      when Arel::Nodes::SqlLiteral, Bignum, Fixnum
+        false
+      else
+        true
+      end
     end
 
     def visit(object)
       send(DISPATCH[object.class], object)
     end
 
+    def visit_Ransack_Nodes_Sort(object)
+      if object.valid?
+        if object.attr.is_a?(Arel::Attributes::Attribute)
+          object.attr.send(object.dir)
+        else
+          ordered(object)
+        end
+      else
+        scope_name = :"sort_by_#{object.name}_#{object.dir}"
+        scope_name if object.context.object.respond_to?(scope_name)
+      end
+    end
+
     DISPATCH = Hash.new do |hash, klass|
       hash[klass] = "visit_#{
         klass.name.gsub(Constants::TWO_COLONS, Constants::UNDERSCORE)
         }"
     end
+
+    private
+
+      def ordered(object)
+        case object.dir
+        when 'asc'.freeze
+          Arel::Nodes::Ascending.new(object.attr)
+        when 'desc'.freeze
+          Arel::Nodes::Descending.new(object.attr)
+        end
+      end
   end
 end

data/lib/ransack.rb

@@ -1,10 +1,7 @@
 require 'active_support/core_ext'
 require 'ransack/configuration'
-require 'ransack/adapters'
 require 'polyamorous/polyamorous'
 
-Ransack::Adapters.object_mapper.require_constants
-
 module Ransack
   extend Configuration
   class UntraversableAssociationError < StandardError; end
@@ -12,7 +9,7 @@ end
 
 Ransack.configure do |config|
   Ransack::Constants::AREL_PREDICATES.each do |name|
-    config.add_predicate name, :arel_predicate => name
+    config.add_predicate name, arel_predicate: name
   end
   Ransack::Constants::DERIVED_PREDICATES.each do |args|
     config.add_predicate(*args)
@@ -22,8 +19,8 @@ end
 require 'ransack/search'
 require 'ransack/ransacker'
 require 'ransack/translate'
-
-Ransack::Adapters.object_mapper.require_adapter
+require 'ransack/active_record'
+require 'ransack/context'
 
 ActiveSupport.on_load(:action_controller) do
   require 'ransack/helpers'

data/spec/ransack/adapters/active_record/base_spec.rb

@@ -657,6 +657,37 @@ module Ransack
             it { should_not include 'only_sort' }
             it { should include 'only_admin' }
           end
+
+          context 'when not defined in model, nor in ApplicationRecord' do
+            subject { Article.ransackable_attributes }
+
+            it "raises a helpful error" do
+              without_application_record_method(:ransackable_attributes) do
+                expect { subject }.to raise_error(RuntimeError, /Ransack needs Article attributes explicitly allowlisted/)
+              end
+            end
+          end
+
+          context 'when defined only in model by delegating to super' do
+            subject { Article.ransackable_attributes }
+
+            around do |example|
+              Article.singleton_class.define_method(:ransackable_attributes) do
+                super(nil) - super(nil)
+              end
+
+              example.run
+            ensure
+              Article.singleton_class.remove_method(:ransackable_attributes)
+            end
+
+            it "returns the allowlist in the model, and warns" do
+              without_application_record_method(:ransackable_attributes) do
+                expect { subject }.to output(/Ransack's builtin `ransackable_attributes` method is deprecated/).to_stderr
+                expect(subject).to be_empty
+              end
+            end
+          end
         end
 
         describe '#ransortable_attributes' do
@@ -689,6 +720,37 @@ module Ransack
           it { should include 'parent' }
           it { should include 'children' }
           it { should include 'articles' }
+
+          context 'when not defined in model, nor in ApplicationRecord' do
+            subject { Article.ransackable_associations }
+
+            it "raises a helpful error" do
+              without_application_record_method(:ransackable_associations) do
+                expect { subject }.to raise_error(RuntimeError, /Ransack needs Article associations explicitly allowlisted/)
+              end
+            end
+          end
+
+          context 'when defined only in model by delegating to super' do
+            subject { Article.ransackable_associations }
+
+            around do |example|
+              Article.singleton_class.define_method(:ransackable_associations) do
+                super(nil) - super(nil)
+              end
+
+              example.run
+            ensure
+              Article.singleton_class.remove_method(:ransackable_associations)
+            end
+
+            it "returns the allowlist in the model, and warns" do
+              without_application_record_method(:ransackable_associations) do
+                expect { subject }.to output(/Ransack's builtin `ransackable_associations` method is deprecated/).to_stderr
+                expect(subject).to be_empty
+              end
+            end
+          end
         end
 
         describe '#ransackable_scopes' do
@@ -704,6 +766,17 @@ module Ransack
         end
 
         private
+
+        def without_application_record_method(method)
+          ApplicationRecord.singleton_class.alias_method :"original_#{method}", :"#{method}"
+          ApplicationRecord.singleton_class.remove_method :"#{method}"
+
+          yield
+        ensure
+          ApplicationRecord.singleton_class.alias_method :"#{method}", :"original_#{method}"
+          ApplicationRecord.singleton_class.remove_method :"original_#{method}"
+        end
+
         def rails7_and_mysql
           ::ActiveRecord::VERSION::MAJOR >= 7 && ENV['DB'] == 'mysql'
         end

data/spec/ransack/configuration_spec.rb

@@ -20,7 +20,7 @@ module Ransack
       Ransack.configure do |config|
         config.add_predicate(
           :test_predicate_without_compound,
-          :compounds => false
+          compounds: false
           )
       end
       expect(Ransack.predicates)
@@ -138,8 +138,8 @@ module Ransack
       Ransack.configure do |config|
         config.add_predicate(
           :test_array_predicate,
-          :wants_array => true,
-          :compounds => true
+          wants_array: true,
+          compounds: true
           )
       end
 
@@ -153,11 +153,11 @@ module Ransack
         Ransack.configure do |config|
           config.add_predicate(
             :test_in_predicate,
-            :arel_predicate => 'in'
+            arel_predicate: 'in'
           )
           config.add_predicate(
             :test_not_in_predicate,
-            :arel_predicate => 'not_in'
+            arel_predicate: 'not_in'
           )
         end
 
@@ -171,13 +171,13 @@ module Ransack
         Ransack.configure do |config|
           config.add_predicate(
             :test_in_predicate_no_array,
-            :arel_predicate => 'in',
-            :wants_array => false
+            arel_predicate: 'in',
+            wants_array: false
           )
           config.add_predicate(
             :test_not_in_predicate_no_array,
-            :arel_predicate => 'not_in',
-            :wants_array => false
+            arel_predicate: 'not_in',
+            wants_array: false
           )
         end
 

data/spec/ransack/helpers/form_builder_spec.rb

@@ -26,7 +26,7 @@ module Ransack
       # @s.created_at_eq = date_values # This works in Rails 4.x but not 3.x
         @s.created_at_eq = [2011, 1, 2, 3, 4, 5] # so we have to do this
         html = @f.datetime_select(
-          :created_at_eq, :use_month_numbers => true, :include_seconds => true
+          :created_at_eq, use_month_numbers: true, include_seconds: true
           )
         date_values.each { |val| expect(html).to include date_select_html(val) }
       end
@@ -70,13 +70,13 @@ module Ransack
 
       describe '#sort_link' do
         it 'sort_link for ransack attribute' do
-          sort_link = @f.sort_link :name, :controller => 'people'
+          sort_link = @f.sort_link :name, controller: 'people'
           expect(sort_link).to match /people\?q(%5B|\[)s(%5D|\])=name\+asc/
           expect(sort_link).to match /sort_link/
           expect(sort_link).to match /Full Name<\/a>/
         end
         it 'sort_link for common attribute' do
-          sort_link = @f.sort_link :id, :controller => 'people'
+          sort_link = @f.sort_link :id, controller: 'people'
           expect(sort_link).to match /id<\/a>/
         end
       end
@@ -99,14 +99,14 @@ module Ransack
         it 'returns ransackable attributes for associations with :associations' do
           attributes = Person.ransackable_attributes +
             Article.ransackable_attributes.map { |a| "articles_#{a}" }
-          html = @f.attribute_select(:associations => ['articles'])
+          html = @f.attribute_select(associations: ['articles'])
           expect(html.split(/\n/).size).to eq(attributes.size)
           attributes.each do |attribute|
             expect(html).to match /<option value="#{attribute}">/
           end
         end
         it 'returns option groups for base and associations with :associations' do
-          html = @f.attribute_select(:associations => ['articles'])
+          html = @f.attribute_select(associations: ['articles'])
           [Person, Article].each do |model|
             expect(html).to match /<optgroup label="#{model}">/
           end
@@ -121,19 +121,19 @@ module Ransack
           end
         end
         it 'filters predicates with single-value :only' do
-          html = @f.predicate_select :only => 'eq'
+          html = @f.predicate_select only: 'eq'
           Predicate.names.reject { |k| k =~ /^eq/ }.each do |key|
             expect(html).not_to match /<option value="#{key}">/
           end
         end
         it 'filters predicates with multi-value :only' do
-          html = @f.predicate_select :only => [:eq, :lt]
+          html = @f.predicate_select only: [:eq, :lt]
           Predicate.names.reject { |k| k =~ /^(eq|lt)/ }.each do |key|
             expect(html).not_to match /<option value="#{key}">/
           end
         end
         it 'excludes compounds when compounds: false' do
-          html = @f.predicate_select :compounds => false
+          html = @f.predicate_select compounds: false
           Predicate.names.select { |k| k =~ /_(any|all)$/ }.each do |key|
             expect(html).not_to match /<option value="#{key}">/
           end

data/spec/ransack/helpers/form_helper_spec.rb

@@ -140,6 +140,32 @@ module Ransack
         }
       end
 
+      describe '#sort_link works even if search params are a string' do
+        before { @controller.view_context.params[:q] = 'input error' }
+        specify {
+          expect { @controller.view_context
+            .sort_link(
+              Person.ransack({}),
+              :name,
+              controller: 'people'
+            )
+          }.not_to raise_error
+        }
+      end
+
+      describe '#sort_url works even if search params are a string' do
+        before { @controller.view_context.params[:q] = 'input error' }
+        specify {
+          expect { @controller.view_context
+            .sort_url(
+              Person.ransack({}),
+              :name,
+              controller: 'people'
+            )
+          }.not_to raise_error
+        }
+      end
+
       describe '#sort_link with search_key defined as a string' do
         subject { @controller.view_context
           .sort_link(
@@ -474,7 +500,7 @@ module Ransack
           describe 'with symbol q:, #sort_link should include search params' do
             subject { @controller.view_context.sort_link(Person.ransack, :name) }
             let(:params) { ActionController::Parameters.new(
-              { :q => { name_eq: 'TEST' }, controller: 'people' }
+              { q: { name_eq: 'TEST' }, controller: 'people' }
               ) }
             before { @controller.instance_variable_set(:@params, params) }
 
@@ -489,7 +515,7 @@ module Ransack
           describe 'with symbol q:, #sort_url should include search params' do
             subject { @controller.view_context.sort_url(Person.ransack, :name) }
             let(:params) { ActionController::Parameters.new(
-              { :q => { name_eq: 'TEST' }, controller: 'people' }
+              { q: { name_eq: 'TEST' }, controller: 'people' }
               ) }
             before { @controller.instance_variable_set(:@params, params) }
 
@@ -782,6 +808,14 @@ module Ransack
         it { should_not match /href=".*foo/ }
       end
 
+      describe "#sort_link ignores host in params" do
+        before { @controller.view_context.params[:host] = 'other_domain' }
+        subject { @controller.view_context.sort_link(Person.ransack, :name, controller: 'people') }
+
+        it { should match /href="\/people\?q/ }
+        it { should_not match /href=".*other_domain/ }
+      end
+
       describe '#search_form_for with default format' do
         subject { @controller.view_context
           .search_form_for(Person.ransack) {} }

data/spec/ransack/nodes/condition_spec.rb

@@ -74,6 +74,30 @@ module Ransack
           specify { expect(subject).to be_nil }
         end
       end
+
+      context 'with an empty predicate' do
+        subject {
+          Condition.extract(
+            Context.for(Person), 'full_name', Person.first.name
+          )
+        }
+
+        context "when default_predicate = nil" do
+          before do
+            Ransack.configure { |c| c.default_predicate = nil }
+          end
+
+          specify { expect(subject).to be_nil }
+        end
+
+        context "when default_predicate = 'eq'" do
+          before do
+            Ransack.configure { |c| c.default_predicate = 'eq' }
+          end
+
+          specify { expect(subject).to eq Condition.extract(Context.for(Person), 'full_name_eq', Person.first.name) }
+        end
+      end
     end
   end
 end

data/spec/ransack/predicate_spec.rb

@@ -35,6 +35,13 @@ module Ransack
         @s.awesome_eq = nil
         expect(@s.result.to_sql).not_to match /WHERE/
       end
+
+      it 'generates a = condition with a huge integer value' do
+        val = 123456789012345678901
+        @s.salary_eq = val
+        field = "#{quote_table_name("people")}.#{quote_column_name("salary")}"
+        expect(@s.result.to_sql).to match /#{field} = #{val}/
+      end
     end
 
     describe 'lteq' do
@@ -56,6 +63,13 @@ module Ransack
         @s.salary_lteq = nil
         expect(@s.result.to_sql).not_to match /WHERE/
       end
+
+      it 'generates a <= condition with a huge integer value' do
+        val = 123456789012345678901
+        @s.salary_lteq = val
+        field = "#{quote_table_name("people")}.#{quote_column_name("salary")}"
+        expect(@s.result.to_sql).to match /#{field} <= #{val}/
+      end
     end
 
     describe 'lt' do
@@ -77,6 +91,13 @@ module Ransack
         @s.salary_lt = nil
         expect(@s.result.to_sql).not_to match /WHERE/
       end
+
+      it 'generates a = condition with a huge integer value' do
+        val = 123456789012345678901
+        @s.salary_lt = val
+        field = "#{quote_table_name("people")}.#{quote_column_name("salary")}"
+        expect(@s.result.to_sql).to match /#{field} < #{val}/
+      end
     end
 
     describe 'gteq' do
@@ -98,6 +119,13 @@ module Ransack
         @s.salary_gteq = nil
         expect(@s.result.to_sql).not_to match /WHERE/
       end
+
+      it 'generates a >= condition with a huge integer value' do
+        val = 123456789012345678901
+        @s.salary_gteq = val
+        field = "#{quote_table_name("people")}.#{quote_column_name("salary")}"
+        expect(@s.result.to_sql).to match /#{field} >= #{val}/
+      end
     end
 
     describe 'gt' do
@@ -119,6 +147,13 @@ module Ransack
         @s.salary_gt = nil
         expect(@s.result.to_sql).not_to match /WHERE/
       end
+
+      it 'generates a > condition with a huge integer value' do
+        val = 123456789012345678901
+        @s.salary_gt = val
+        field = "#{quote_table_name("people")}.#{quote_column_name("salary")}"
+        expect(@s.result.to_sql).to match /#{field} > #{val}/
+      end
     end
 
     describe 'cont' do
@@ -368,7 +403,7 @@ module Ransack
         expect(@s.result.to_sql).to match /#{field} IS NULL/
       end
 
-      describe 'with association qeury' do
+      describe 'with association query' do
         it 'generates a value IS NOT NULL query' do
           @s.comments_id_not_null = true
           sql = @s.result.to_sql

data/spec/ransack/translate_spec.rb

@@ -8,7 +8,7 @@ module Ransack
         ar_translation = ::Namespace::Article.human_attribute_name(:title)
         ransack_translation = Ransack::Translate.attribute(
           :title,
-          :context => ::Namespace::Article.ransack.context
+          context: ::Namespace::Article.ransack.context
           )
         expect(ransack_translation).to eq ar_translation
       end

data/spec/support/schema.rb

@@ -28,7 +28,24 @@ else
   )
 end
 
-class Person < ActiveRecord::Base
+# This is just a test app with no sensitive data, so we explicitly allowlist all
+# attributes and associations for search. In general, end users should
+# explicitly authorize each model, but this shows a way to configure the
+# unrestricted default behavior of versions prior to Ransack 4.
+#
+class ApplicationRecord < ActiveRecord::Base
+  self.abstract_class = true
+
+  def self.ransackable_attributes(auth_object = nil)
+    authorizable_ransackable_attributes
+  end
+
+  def self.ransackable_associations(auth_object = nil)
+    authorizable_ransackable_associations
+  end
+end
+
+class Person < ApplicationRecord
   default_scope { order(id: :desc) }
   belongs_to :parent, class_name: 'Person', foreign_key: :parent_id
   has_many   :children, class_name: 'Person', foreign_key: :parent_id
@@ -111,9 +128,9 @@ class Person < ActiveRecord::Base
 
   def self.ransackable_attributes(auth_object = nil)
     if auth_object == :admin
-      super - ['only_sort']
+      authorizable_ransackable_attributes - ['only_sort']
     else
-      super - ['only_sort', 'only_admin']
+      authorizable_ransackable_attributes - ['only_sort', 'only_admin']
     end
   end
 
@@ -129,7 +146,7 @@ end
 class Musician < Person
 end
 
-class Article < ActiveRecord::Base
+class Article < ApplicationRecord
   belongs_to :person
   has_many :comments
   has_and_belongs_to_many :tags
@@ -182,7 +199,7 @@ end
 class StoryArticle < Article
 end
 
-class Recommendation < ActiveRecord::Base
+class Recommendation < ApplicationRecord
   belongs_to :person
   belongs_to :target_person, class_name: 'Person'
   belongs_to :article
@@ -200,22 +217,22 @@ module Namespace
   end
 end
 
-class Comment < ActiveRecord::Base
+class Comment < ApplicationRecord
   belongs_to :article
   belongs_to :person
 
   default_scope { where(disabled: false) }
 end
 
-class Tag < ActiveRecord::Base
+class Tag < ApplicationRecord
   has_and_belongs_to_many :articles
 end
 
-class Note < ActiveRecord::Base
+class Note < ApplicationRecord
   belongs_to :notable, polymorphic: true
 end
 
-class Account < ActiveRecord::Base
+class Account < ApplicationRecord
   belongs_to :agent_account, class_name: "Account"
   belongs_to :trade_account, class_name: "Account"
 end
@@ -308,7 +325,7 @@ module Schema
 end
 
 module SubDB
-  class Base < ActiveRecord::Base
+  class Base < ApplicationRecord
     self.abstract_class = true
     establish_connection(
       adapter: 'sqlite3',

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ransack
 version: !ruby/object:Gem::Version
-  version: 3.2.1
+  version: 4.0.0
 platform: ruby
 authors:
 - Ernie Miller
@@ -12,7 +12,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-05-25 00:00:00.000000000 Z
+date: 2023-02-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activerecord
@@ -69,6 +69,7 @@ extra_rdoc_files: []
 files:
 - ".github/FUNDING.yml"
 - ".github/SECURITY.md"
+- ".github/workflows/codeql.yml"
 - ".github/workflows/cronjob.yml"
 - ".github/workflows/deploy.yml"
 - ".github/workflows/rubocop.yml"
@@ -139,7 +140,6 @@ files:
 - docs/static/logo/ransack.png
 - docs/static/logo/ransack.svg
 - docs/yarn.lock
-- lib/polyamorous.rb
 - lib/polyamorous/activerecord_6.1_ruby_2/join_association.rb
 - lib/polyamorous/activerecord_6.1_ruby_2/join_dependency.rb
 - lib/polyamorous/activerecord_6.1_ruby_2/reflection.rb
@@ -154,15 +154,9 @@ files:
 - lib/polyamorous/swapping_reflection_class.rb
 - lib/polyamorous/tree_node.rb
 - lib/ransack.rb
-- lib/ransack/adapters.rb
-- lib/ransack/adapters/active_record.rb
+- lib/ransack/active_record.rb
 - lib/ransack/adapters/active_record/base.rb
 - lib/ransack/adapters/active_record/context.rb
-- lib/ransack/adapters/active_record/ransack/constants.rb
-- lib/ransack/adapters/active_record/ransack/context.rb
-- lib/ransack/adapters/active_record/ransack/nodes/condition.rb
-- lib/ransack/adapters/active_record/ransack/translate.rb
-- lib/ransack/adapters/active_record/ransack/visitor.rb
 - lib/ransack/configuration.rb
 - lib/ransack/constants.rb
 - lib/ransack/context.rb
@@ -196,7 +190,6 @@ files:
 - lib/ransack/locale/zh-CN.yml
 - lib/ransack/locale/zh-TW.yml
 - lib/ransack/naming.rb
-- lib/ransack/nodes.rb
 - lib/ransack/nodes/attribute.rb
 - lib/ransack/nodes/bindable.rb
 - lib/ransack/nodes/condition.rb
@@ -256,7 +249,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.14
+rubygems_version: 3.4.6
 signing_key:
 specification_version: 4
 summary: Object-based searching for Active Record.

data/lib/polyamorous.rb

@@ -1 +0,0 @@
-require 'polyamorous/polyamorous'