ransack 3.2.1 → 4.1.1

data/lib/ransack/translate.rb

@@ -66,7 +66,7 @@ module Ransack
             [:"ransack.associations.#{i18n_key(context.klass)}.#{key}"]
           end
         defaults << context.traverse(key).model_name.human
-        options = { :count => 1, :default => defaults }
+        options = { count: 1, default: defaults }
         I18n.translate(defaults.shift, **options)
       end
 
@@ -149,7 +149,7 @@ module Ransack
       end
 
       def i18n_key(klass)
-        raise "not implemented"
+        klass.model_name.i18n_key
       end
     end
   end

data/lib/ransack/version.rb

@@ -1,3 +1,3 @@
 module Ransack
-  VERSION = '3.2.1'
+  VERSION = '4.1.1'
 end

data/lib/ransack/visitor.rb

@@ -26,7 +26,14 @@ module Ransack
     end
 
     def visit_and(object)
-      raise "not implemented"
+      nodes = object.values.map { |o| accept(o) }.compact
+      return nil unless nodes.size > 0
+
+      if nodes.size > 1
+        Arel::Nodes::Grouping.new(Arel::Nodes::And.new(nodes))
+      else
+        nodes.first
+      end
     end
 
     def visit_or(object)
@@ -35,17 +42,46 @@ module Ransack
     end
 
     def quoted?(object)
-      raise "not implemented"
+      case object
+      when Arel::Nodes::SqlLiteral, Bignum, Fixnum
+        false
+      else
+        true
+      end
     end
 
     def visit(object)
       send(DISPATCH[object.class], object)
     end
 
+    def visit_Ransack_Nodes_Sort(object)
+      if object.valid?
+        if object.attr.is_a?(Arel::Attributes::Attribute)
+          object.attr.send(object.dir)
+        else
+          ordered(object)
+        end
+      else
+        scope_name = :"sort_by_#{object.name}_#{object.dir}"
+        scope_name if object.context.object.respond_to?(scope_name)
+      end
+    end
+
     DISPATCH = Hash.new do |hash, klass|
       hash[klass] = "visit_#{
         klass.name.gsub(Constants::TWO_COLONS, Constants::UNDERSCORE)
         }"
     end
+
+    private
+
+      def ordered(object)
+        case object.dir
+        when 'asc'.freeze
+          Arel::Nodes::Ascending.new(object.attr)
+        when 'desc'.freeze
+          Arel::Nodes::Descending.new(object.attr)
+        end
+      end
   end
 end

data/lib/ransack.rb

@@ -1,10 +1,7 @@
 require 'active_support/core_ext'
 require 'ransack/configuration'
-require 'ransack/adapters'
 require 'polyamorous/polyamorous'
 
-Ransack::Adapters.object_mapper.require_constants
-
 module Ransack
   extend Configuration
   class UntraversableAssociationError < StandardError; end
@@ -12,7 +9,7 @@ end
 
 Ransack.configure do |config|
   Ransack::Constants::AREL_PREDICATES.each do |name|
-    config.add_predicate name, :arel_predicate => name
+    config.add_predicate name, arel_predicate: name
   end
   Ransack::Constants::DERIVED_PREDICATES.each do |args|
     config.add_predicate(*args)
@@ -22,8 +19,8 @@ end
 require 'ransack/search'
 require 'ransack/ransacker'
 require 'ransack/translate'
-
-Ransack::Adapters.object_mapper.require_adapter
+require 'ransack/active_record'
+require 'ransack/context'
 
 ActiveSupport.on_load(:action_controller) do
   require 'ransack/helpers'

data/ransack.gemspec

@@ -12,7 +12,7 @@ Gem::Specification.new do |s|
   s.homepage    = "https://github.com/activerecord-hackery/ransack"
   s.summary     = %q{Object-based searching for Active Record.}
   s.description = %q{Ransack is the successor to the MetaSearch gem. It improves and expands upon MetaSearch's functionality, but does not have a 100%-compatible API.}
-  s.required_ruby_version = '>= 2.7'
+  s.required_ruby_version = '>= 3.0'
   s.license     = 'MIT'
 
   s.add_dependency 'activerecord', '>= 6.1.5'

data/spec/ransack/adapters/active_record/base_spec.rb

@@ -141,6 +141,22 @@ module Ransack
           end
         end
 
+        context 'has_one through associations' do
+          let(:address)  { Address.create!(city: 'Boston') }
+          let(:org) { Organization.create!(name: 'Testorg', address: address) }
+          let!(:employee) { Employee.create!(name: 'Ernie', organization: org) }
+
+          it 'works when has_one through association is first' do
+            s = Employee.ransack(address_city_eq: 'Boston', organization_name_eq: 'Testorg')
+            expect(s.result.to_a).to include(employee)
+          end
+
+          it 'works when has_one through association is last' do
+            s = Employee.ransack(organization_name_eq: 'Testorg', address_city_eq: 'Boston')
+            expect(s.result.to_a).to include(employee)
+          end
+        end
+
         context 'negative conditions on HABTM associations' do
           let(:medieval) { Tag.create!(name: 'Medieval') }
           let(:fantasy)  { Tag.create!(name: 'Fantasy') }
@@ -657,6 +673,37 @@ module Ransack
             it { should_not include 'only_sort' }
             it { should include 'only_admin' }
           end
+
+          context 'when not defined in model, nor in ApplicationRecord' do
+            subject { Article.ransackable_attributes }
+
+            it "raises a helpful error" do
+              without_application_record_method(:ransackable_attributes) do
+                expect { subject }.to raise_error(RuntimeError, /Ransack needs Article attributes explicitly allowlisted/)
+              end
+            end
+          end
+
+          context 'when defined only in model by delegating to super' do
+            subject { Article.ransackable_attributes }
+
+            around do |example|
+              Article.singleton_class.define_method(:ransackable_attributes) do
+                super(nil) - super(nil)
+              end
+
+              example.run
+            ensure
+              Article.singleton_class.remove_method(:ransackable_attributes)
+            end
+
+            it "returns the allowlist in the model, and warns" do
+              without_application_record_method(:ransackable_attributes) do
+                expect { subject }.to output(/Ransack's builtin `ransackable_attributes` method is deprecated/).to_stderr
+                expect(subject).to be_empty
+              end
+            end
+          end
         end
 
         describe '#ransortable_attributes' do
@@ -689,6 +736,37 @@ module Ransack
           it { should include 'parent' }
           it { should include 'children' }
           it { should include 'articles' }
+
+          context 'when not defined in model, nor in ApplicationRecord' do
+            subject { Article.ransackable_associations }
+
+            it "raises a helpful error" do
+              without_application_record_method(:ransackable_associations) do
+                expect { subject }.to raise_error(RuntimeError, /Ransack needs Article associations explicitly allowlisted/)
+              end
+            end
+          end
+
+          context 'when defined only in model by delegating to super' do
+            subject { Article.ransackable_associations }
+
+            around do |example|
+              Article.singleton_class.define_method(:ransackable_associations) do
+                super(nil) - super(nil)
+              end
+
+              example.run
+            ensure
+              Article.singleton_class.remove_method(:ransackable_associations)
+            end
+
+            it "returns the allowlist in the model, and warns" do
+              without_application_record_method(:ransackable_associations) do
+                expect { subject }.to output(/Ransack's builtin `ransackable_associations` method is deprecated/).to_stderr
+                expect(subject).to be_empty
+              end
+            end
+          end
         end
 
         describe '#ransackable_scopes' do
@@ -704,6 +782,17 @@ module Ransack
         end
 
         private
+
+        def without_application_record_method(method)
+          ApplicationRecord.singleton_class.alias_method :"original_#{method}", :"#{method}"
+          ApplicationRecord.singleton_class.remove_method :"#{method}"
+
+          yield
+        ensure
+          ApplicationRecord.singleton_class.alias_method :"#{method}", :"original_#{method}"
+          ApplicationRecord.singleton_class.remove_method :"original_#{method}"
+        end
+
         def rails7_and_mysql
           ::ActiveRecord::VERSION::MAJOR >= 7 && ENV['DB'] == 'mysql'
         end

data/spec/ransack/configuration_spec.rb

@@ -20,7 +20,7 @@ module Ransack
       Ransack.configure do |config|
         config.add_predicate(
           :test_predicate_without_compound,
-          :compounds => false
+          compounds: false
           )
       end
       expect(Ransack.predicates)
@@ -138,8 +138,8 @@ module Ransack
       Ransack.configure do |config|
         config.add_predicate(
           :test_array_predicate,
-          :wants_array => true,
-          :compounds => true
+          wants_array: true,
+          compounds: true
           )
       end
 
@@ -153,11 +153,11 @@ module Ransack
         Ransack.configure do |config|
           config.add_predicate(
             :test_in_predicate,
-            :arel_predicate => 'in'
+            arel_predicate: 'in'
           )
           config.add_predicate(
             :test_not_in_predicate,
-            :arel_predicate => 'not_in'
+            arel_predicate: 'not_in'
           )
         end
 
@@ -171,13 +171,13 @@ module Ransack
         Ransack.configure do |config|
           config.add_predicate(
             :test_in_predicate_no_array,
-            :arel_predicate => 'in',
-            :wants_array => false
+            arel_predicate: 'in',
+            wants_array: false
           )
           config.add_predicate(
             :test_not_in_predicate_no_array,
-            :arel_predicate => 'not_in',
-            :wants_array => false
+            arel_predicate: 'not_in',
+            wants_array: false
           )
         end
 

data/spec/ransack/helpers/form_builder_spec.rb

@@ -26,7 +26,7 @@ module Ransack
       # @s.created_at_eq = date_values # This works in Rails 4.x but not 3.x
         @s.created_at_eq = [2011, 1, 2, 3, 4, 5] # so we have to do this
         html = @f.datetime_select(
-          :created_at_eq, :use_month_numbers => true, :include_seconds => true
+          :created_at_eq, use_month_numbers: true, include_seconds: true
           )
         date_values.each { |val| expect(html).to include date_select_html(val) }
       end
@@ -70,13 +70,13 @@ module Ransack
 
       describe '#sort_link' do
         it 'sort_link for ransack attribute' do
-          sort_link = @f.sort_link :name, :controller => 'people'
+          sort_link = @f.sort_link :name, controller: 'people'
           expect(sort_link).to match /people\?q(%5B|\[)s(%5D|\])=name\+asc/
           expect(sort_link).to match /sort_link/
           expect(sort_link).to match /Full Name<\/a>/
         end
         it 'sort_link for common attribute' do
-          sort_link = @f.sort_link :id, :controller => 'people'
+          sort_link = @f.sort_link :id, controller: 'people'
           expect(sort_link).to match /id<\/a>/
         end
       end
@@ -99,14 +99,14 @@ module Ransack
         it 'returns ransackable attributes for associations with :associations' do
           attributes = Person.ransackable_attributes +
             Article.ransackable_attributes.map { |a| "articles_#{a}" }
-          html = @f.attribute_select(:associations => ['articles'])
+          html = @f.attribute_select(associations: ['articles'])
           expect(html.split(/\n/).size).to eq(attributes.size)
           attributes.each do |attribute|
             expect(html).to match /<option value="#{attribute}">/
           end
         end
         it 'returns option groups for base and associations with :associations' do
-          html = @f.attribute_select(:associations => ['articles'])
+          html = @f.attribute_select(associations: ['articles'])
           [Person, Article].each do |model|
             expect(html).to match /<optgroup label="#{model}">/
           end
@@ -121,19 +121,19 @@ module Ransack
           end
         end
         it 'filters predicates with single-value :only' do
-          html = @f.predicate_select :only => 'eq'
+          html = @f.predicate_select only: 'eq'
           Predicate.names.reject { |k| k =~ /^eq/ }.each do |key|
             expect(html).not_to match /<option value="#{key}">/
           end
         end
         it 'filters predicates with multi-value :only' do
-          html = @f.predicate_select :only => [:eq, :lt]
+          html = @f.predicate_select only: [:eq, :lt]
           Predicate.names.reject { |k| k =~ /^(eq|lt)/ }.each do |key|
             expect(html).not_to match /<option value="#{key}">/
           end
         end
         it 'excludes compounds when compounds: false' do
-          html = @f.predicate_select :compounds => false
+          html = @f.predicate_select compounds: false
           Predicate.names.select { |k| k =~ /_(any|all)$/ }.each do |key|
             expect(html).not_to match /<option value="#{key}">/
           end

data/spec/ransack/helpers/form_helper_spec.rb

@@ -140,6 +140,32 @@ module Ransack
         }
       end
 
+      describe '#sort_link works even if search params are a string' do
+        before { @controller.view_context.params[:q] = 'input error' }
+        specify {
+          expect { @controller.view_context
+            .sort_link(
+              Person.ransack({}),
+              :name,
+              controller: 'people'
+            )
+          }.not_to raise_error
+        }
+      end
+
+      describe '#sort_url works even if search params are a string' do
+        before { @controller.view_context.params[:q] = 'input error' }
+        specify {
+          expect { @controller.view_context
+            .sort_url(
+              Person.ransack({}),
+              :name,
+              controller: 'people'
+            )
+          }.not_to raise_error
+        }
+      end
+
       describe '#sort_link with search_key defined as a string' do
         subject { @controller.view_context
           .sort_link(
@@ -474,7 +500,7 @@ module Ransack
           describe 'with symbol q:, #sort_link should include search params' do
             subject { @controller.view_context.sort_link(Person.ransack, :name) }
             let(:params) { ActionController::Parameters.new(
-              { :q => { name_eq: 'TEST' }, controller: 'people' }
+              { q: { name_eq: 'TEST' }, controller: 'people' }
               ) }
             before { @controller.instance_variable_set(:@params, params) }
 
@@ -489,7 +515,7 @@ module Ransack
           describe 'with symbol q:, #sort_url should include search params' do
             subject { @controller.view_context.sort_url(Person.ransack, :name) }
             let(:params) { ActionController::Parameters.new(
-              { :q => { name_eq: 'TEST' }, controller: 'people' }
+              { q: { name_eq: 'TEST' }, controller: 'people' }
               ) }
             before { @controller.instance_variable_set(:@params, params) }
 
@@ -782,6 +808,14 @@ module Ransack
         it { should_not match /href=".*foo/ }
       end
 
+      describe "#sort_link ignores host in params" do
+        before { @controller.view_context.params[:host] = 'other_domain' }
+        subject { @controller.view_context.sort_link(Person.ransack, :name, controller: 'people') }
+
+        it { should match /href="\/people\?q/ }
+        it { should_not match /href=".*other_domain/ }
+      end
+
       describe '#search_form_for with default format' do
         subject { @controller.view_context
           .search_form_for(Person.ransack) {} }

data/spec/ransack/nodes/condition_spec.rb

@@ -74,6 +74,30 @@ module Ransack
           specify { expect(subject).to be_nil }
         end
       end
+
+      context 'with an empty predicate' do
+        subject {
+          Condition.extract(
+            Context.for(Person), 'full_name', Person.first.name
+          )
+        }
+
+        context "when default_predicate = nil" do
+          before do
+            Ransack.configure { |c| c.default_predicate = nil }
+          end
+
+          specify { expect(subject).to be_nil }
+        end
+
+        context "when default_predicate = 'eq'" do
+          before do
+            Ransack.configure { |c| c.default_predicate = 'eq' }
+          end
+
+          specify { expect(subject).to eq Condition.extract(Context.for(Person), 'full_name_eq', Person.first.name) }
+        end
+      end
     end
   end
 end

data/spec/ransack/predicate_spec.rb

@@ -35,6 +35,13 @@ module Ransack
         @s.awesome_eq = nil
         expect(@s.result.to_sql).not_to match /WHERE/
       end
+
+      it 'generates a = condition with a huge integer value' do
+        val = 123456789012345678901
+        @s.salary_eq = val
+        field = "#{quote_table_name("people")}.#{quote_column_name("salary")}"
+        expect(@s.result.to_sql).to match /#{field} = #{val}/
+      end
     end
 
     describe 'lteq' do
@@ -56,6 +63,13 @@ module Ransack
         @s.salary_lteq = nil
         expect(@s.result.to_sql).not_to match /WHERE/
       end
+
+      it 'generates a <= condition with a huge integer value' do
+        val = 123456789012345678901
+        @s.salary_lteq = val
+        field = "#{quote_table_name("people")}.#{quote_column_name("salary")}"
+        expect(@s.result.to_sql).to match /#{field} <= #{val}/
+      end
     end
 
     describe 'lt' do
@@ -77,6 +91,13 @@ module Ransack
         @s.salary_lt = nil
         expect(@s.result.to_sql).not_to match /WHERE/
       end
+
+      it 'generates a = condition with a huge integer value' do
+        val = 123456789012345678901
+        @s.salary_lt = val
+        field = "#{quote_table_name("people")}.#{quote_column_name("salary")}"
+        expect(@s.result.to_sql).to match /#{field} < #{val}/
+      end
     end
 
     describe 'gteq' do
@@ -98,6 +119,13 @@ module Ransack
         @s.salary_gteq = nil
         expect(@s.result.to_sql).not_to match /WHERE/
       end
+
+      it 'generates a >= condition with a huge integer value' do
+        val = 123456789012345678901
+        @s.salary_gteq = val
+        field = "#{quote_table_name("people")}.#{quote_column_name("salary")}"
+        expect(@s.result.to_sql).to match /#{field} >= #{val}/
+      end
     end
 
     describe 'gt' do
@@ -119,6 +147,13 @@ module Ransack
         @s.salary_gt = nil
         expect(@s.result.to_sql).not_to match /WHERE/
       end
+
+      it 'generates a > condition with a huge integer value' do
+        val = 123456789012345678901
+        @s.salary_gt = val
+        field = "#{quote_table_name("people")}.#{quote_column_name("salary")}"
+        expect(@s.result.to_sql).to match /#{field} > #{val}/
+      end
     end
 
     describe 'cont' do
@@ -368,7 +403,7 @@ module Ransack
         expect(@s.result.to_sql).to match /#{field} IS NULL/
       end
 
-      describe 'with association qeury' do
+      describe 'with association query' do
         it 'generates a value IS NOT NULL query' do
           @s.comments_id_not_null = true
           sql = @s.result.to_sql

data/spec/ransack/translate_spec.rb

@@ -8,7 +8,7 @@ module Ransack
         ar_translation = ::Namespace::Article.human_attribute_name(:title)
         ransack_translation = Ransack::Translate.attribute(
           :title,
-          :context => ::Namespace::Article.ransack.context
+          context: ::Namespace::Article.ransack.context
           )
         expect(ransack_translation).to eq ar_translation
       end

data/spec/support/schema.rb

@@ -28,7 +28,24 @@ else
   )
 end
 
-class Person < ActiveRecord::Base
+# This is just a test app with no sensitive data, so we explicitly allowlist all
+# attributes and associations for search. In general, end users should
+# explicitly authorize each model, but this shows a way to configure the
+# unrestricted default behavior of versions prior to Ransack 4.
+#
+class ApplicationRecord < ActiveRecord::Base
+  self.abstract_class = true
+
+  def self.ransackable_attributes(auth_object = nil)
+    authorizable_ransackable_attributes
+  end
+
+  def self.ransackable_associations(auth_object = nil)
+    authorizable_ransackable_associations
+  end
+end
+
+class Person < ApplicationRecord
   default_scope { order(id: :desc) }
   belongs_to :parent, class_name: 'Person', foreign_key: :parent_id
   has_many   :children, class_name: 'Person', foreign_key: :parent_id
@@ -111,9 +128,9 @@ class Person < ActiveRecord::Base
 
   def self.ransackable_attributes(auth_object = nil)
     if auth_object == :admin
-      super - ['only_sort']
+      authorizable_ransackable_attributes - ['only_sort']
     else
-      super - ['only_sort', 'only_admin']
+      authorizable_ransackable_attributes - ['only_sort', 'only_admin']
     end
   end
 
@@ -129,7 +146,7 @@ end
 class Musician < Person
 end
 
-class Article < ActiveRecord::Base
+class Article < ApplicationRecord
   belongs_to :person
   has_many :comments
   has_and_belongs_to_many :tags
@@ -182,7 +199,7 @@ end
 class StoryArticle < Article
 end
 
-class Recommendation < ActiveRecord::Base
+class Recommendation < ApplicationRecord
   belongs_to :person
   belongs_to :target_person, class_name: 'Person'
   belongs_to :article
@@ -200,26 +217,40 @@ module Namespace
   end
 end
 
-class Comment < ActiveRecord::Base
+class Comment < ApplicationRecord
   belongs_to :article
   belongs_to :person
 
   default_scope { where(disabled: false) }
 end
 
-class Tag < ActiveRecord::Base
+class Tag < ApplicationRecord
   has_and_belongs_to_many :articles
 end
 
-class Note < ActiveRecord::Base
+class Note < ApplicationRecord
   belongs_to :notable, polymorphic: true
 end
 
-class Account < ActiveRecord::Base
+class Account < ApplicationRecord
   belongs_to :agent_account, class_name: "Account"
   belongs_to :trade_account, class_name: "Account"
 end
 
+class Address < ApplicationRecord
+  has_one :organization
+end
+
+class Organization < ApplicationRecord
+  belongs_to :address
+  has_many :employees
+end
+
+class Employee < ApplicationRecord
+  belongs_to :organization
+  has_one :address, through: :organization
+end
+
 module Schema
   def self.create
     ActiveRecord::Migration.verbose = false
@@ -283,6 +314,20 @@ module Schema
         t.belongs_to :agent_account
         t.belongs_to :trade_account
       end
+
+      create_table :addresses, force: true do |t|
+        t.string :city
+      end
+
+      create_table :organizations, force: true do |t|
+        t.string :name
+        t.integer :address_id
+      end
+
+      create_table :employees, force: true do |t|
+        t.string :name
+        t.integer :organization_id
+      end
     end
 
     10.times do
@@ -308,7 +353,7 @@ module Schema
 end
 
 module SubDB
-  class Base < ActiveRecord::Base
+  class Base < ApplicationRecord
     self.abstract_class = true
     establish_connection(
       adapter: 'sqlite3',