RubyGems - rubocop-openproject - Versions diffs - 0.3.0 → 0.5.0 - Mend

rubocop-openproject 0.3.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +10 -0
data/config/default.yml +10 -0
data/lib/rubocop/cop/open_project/no_not_implemented_error.rb +53 -0
data/lib/rubocop/cop/open_project/no_params_in_work_package_where_id.rb +124 -0
data/lib/rubocop/cop/open_project_cops.rb +2 -0
data/lib/rubocop/open_project/version.rb +1 -1
metadata +5 -6

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 216a0869e29d95a92306d0d02e2bc340b7914733f86d56c4f27cce5fbcf8e466
-  data.tar.gz: d3ca3bc8f408a56843a5cbd7f8d69a8a1eadc6bda76c5ea8139201181a1e0de8
+  metadata.gz: 275bc3f46bfa1dd8ecc461306e5671cadbce64a83a571044d8fff2d08af163a0
+  data.tar.gz: 6c492b822185a201a389c3fd035fed0f02b60a44a87497090bf34d57c422af52
 SHA512:
-  metadata.gz: 7041d99b3774a92ae145c93bf64ec52628aee9b04ebd08b04a3803c2d662f956404893306d8274762d0b1050c2f6787b135cc15f58d514e0d508bc8673487881
-  data.tar.gz: 989852deeca12ee26502f448d85e660f6539fca125cd5f174650acf2646da07eef463db5aa025c30d46976484730d2bc0cd363d9953af42fb25f688e24fd3541
+  metadata.gz: 65aacad0b8c4b61e690253a4b86169bdac9b598df89da79f98995e113fb14cad688395495863382a023c002c1ef4db101eb1d0ef162be0571c2b078d38443c8f
+  data.tar.gz: 0ceddce3d195d754dbdf194de88a68a284e86c099ee6f4d9d2069caef736bfb7b9a1ea9d4d9f1ac17e502321814c87115c197bed15bc47486a17042202b7ede9

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,15 @@
 ## [Unreleased]
+## [0.5.0] - 2026-05-05
+- Add `OpenProject/NoParamsInWorkPackageWhereId` cop to catch
+  `WorkPackage.where(id: params[...])` patterns that silently drop semantic
+  identifiers (e.g. `"PROJ-42"`) when PostgreSQL casts the string to integer 0.
+## [0.4.0] - 2026-03-27
+- Add NoNotImplementedError cop
 ## [0.3.0] - 2025-07-11
 - Remove redundant NoDoEndBlockWithRSpecCapybaraMatcherInExpect cop

data/config/default.yml CHANGED Viewed

@@ -8,6 +8,16 @@ OpenProject/NoDoEndBlockWithRSpecCapybaraMatcherInExpect:
   Enabled: true
   VersionAdded: '0.1.0'
+OpenProject/NoNotImplementedError:
+  Description: 'Do not raise `NotImplementedError` to signal an unimplemented abstract method.'
+  Enabled: true
+  VersionAdded: '0.4.0'
+OpenProject/NoParamsInWorkPackageWhereId:
+  Description: 'Avoid `WorkPackage.where(id: params[...])`; use `where_display_id_in` to honour semantic identifiers.'
+  Enabled: true
+  VersionAdded: '0.5.0'
 OpenProject/NoSleepInFeatureSpecs:
   Description: 'Avoid using `sleep` greater than 1 second in feature specs.'
   Enabled: true

data/lib/rubocop/cop/open_project/no_not_implemented_error.rb ADDED Viewed

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+module RuboCop
+  module Cop
+    module OpenProject
+      # Warns against using a `NotImplementedError` exception when a method
+      # should be implemented by a subclass or including module. Ruby's
+      # `NotImplementedError` is reserved for platform-specific missing
+      # features (e.g., methods depending on `fsync` or `fork`), not for
+      # abstract method patterns.
+      #
+      # @example
+      #   # bad
+      #   raise NotImplementedError
+      #
+      #   # bad
+      #   raise NotImplementedError, "Subclasses must implement #foo"
+      #
+      #   # bad
+      #   raise NotImplementedError.new("Subclasses must implement #foo")
+      #
+      #   # bad
+      #   fail NotImplementedError
+      #
+      #   # good
+      #   raise NotYetImplementedError
+      #
+      #   # good
+      #   raise SubclassResponsibilityError, "#{self.class} must implement #foo"
+      #
+      class NoNotImplementedError < Base
+        MSG = "Do not raise `NotImplementedError` to signal an unimplemented abstract method. " \
+              "Ruby's `NotImplementedError` is reserved for platform-specific missing features. " \
+              "Raise a descriptive custom error class instead."
+        RESTRICT_ON_SEND = %i[raise fail].freeze
+        def_node_matcher :raises_not_implemented_error?, <<~PATTERN
+          {
+            (send nil? {:raise :fail} (const nil? :NotImplementedError) ...)
+            (send nil? {:raise :fail} (send (const nil? :NotImplementedError) :new ...) ...)
+          }
+        PATTERN
+        def on_send(node)
+          return unless raises_not_implemented_error?(node)
+          add_offense(node)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/open_project/no_params_in_work_package_where_id.rb ADDED Viewed

@@ -0,0 +1,124 @@
+# frozen_string_literal: true
+module RuboCop
+  module Cop
+    module OpenProject
+      # Flags `WorkPackage.where(id: params[...])` patterns. With semantic work
+      # package identifiers enabled, params may carry strings like "PROJ-42"
+      # that PostgreSQL silently casts to integer 0 inside `where(id: ...)`,
+      # producing an empty result set instead of an error. Use the dedicated
+      # resolver `WorkPackage.where_display_id_in(...)` which partitions
+      # numeric and semantic inputs and consults the alias table.
+      #
+      # The cop fires when the receiver chain demonstrably resolves to a
+      # WorkPackage relation — either rooted at the `WorkPackage` constant or
+      # passing through an association call whose name ends in
+      # `work_packages` (e.g. `project.work_packages`,
+      # `user.assigned_work_packages`) — and the value is derived from
+      # `params[...]`. Internal subquery composition
+      # (`where(id: scope.pluck(:id))`) and primary-key literals are left
+      # alone.
+      #
+      # @example
+      #   # bad
+      #   WorkPackage.where(id: params[:work_package_id])
+      #
+      #   # bad
+      #   WorkPackage.where(id: params[:work_package_id] || params[:ids])
+      #
+      #   # bad
+      #   WorkPackage.includes(:project).where(id: params[:ids])
+      #
+      #   # bad
+      #   project.work_packages.where(id: params[:work_package_id])
+      #
+      #   # bad
+      #   current_user.assigned_work_packages.where(id: params[:ids])
+      #
+      #   # good
+      #   WorkPackage.where_display_id_in(params[:work_package_id])
+      #
+      #   # good
+      #   project.work_packages.where_display_id_in(params[:work_package_id])
+      #
+      #   # good (primary key, not user input)
+      #   WorkPackage.where(id: 42)
+      #
+      #   # good (subquery, not user input)
+      #   WorkPackage.where(id: other_scope.select(:id))
+      class NoParamsInWorkPackageWhereId < Base
+        extend AutoCorrector
+        MSG = "Avoid `WorkPackage.where(id: params[...])` — semantic identifiers like " \
+              '"PROJ-42" are silently coerced to 0 by the SQL cast. ' \
+              "Use `WorkPackage.where_display_id_in(...)` instead."
+        RESTRICT_ON_SEND = %i[where].freeze
+        def_node_matcher :params_access?, <<~PATTERN
+          (send (send nil? :params) :[] _)
+        PATTERN
+        # A receiver that traces back through any chain of sends to either:
+        #   - the `WorkPackage` constant: `WorkPackage`, `WorkPackage.foo`, ...
+        #   - an association call whose name ends in `work_packages`:
+        #     `project.work_packages`, `user.assigned_work_packages`, ...
+        # The recursion handles arbitrarily deep chains in either form.
+        def_node_matcher :work_package_relation?, <<~PATTERN
+          {
+            (const nil? :WorkPackage)
+            (send _ #work_package_association? ...)
+            (send #work_package_relation? _ ...)
+          }
+        PATTERN
+        def on_send(node)
+          return unless work_package_relation?(node.receiver)
+          hash_arg = node.first_argument
+          id_value = id_value_from_hash(hash_arg)
+          return unless id_value && value_uses_params?(id_value)
+          add_offense(node) do |corrector|
+            next unless autocorrectable_value?(id_value) && sole_id_predicate?(hash_arg)
+            corrector.replace(node, "#{node.receiver.source}.where_display_id_in(#{id_value.source})")
+          end
+        end
+        private
+        def id_value_from_hash(arg)
+          return unless arg&.hash_type?
+          pair = arg.pairs.find { |p| p.key.sym_type? && p.key.value == :id }
+          pair&.value
+        end
+        # Refuse to autocorrect when the hash carries additional predicates
+        # (e.g. `where(id: params[:id], project_id: 5)`); rewriting to
+        # `where_display_id_in(params[:id])` would silently drop them.
+        def sole_id_predicate?(hash_arg)
+          hash_arg.pairs.size == 1
+        end
+        def value_uses_params?(node)
+          return true if params_access?(node)
+          node.each_descendant(:send).any? { |descendant| params_access?(descendant) }
+        end
+        def autocorrectable_value?(node)
+          return true if params_access?(node)
+          return false unless node.or_type?
+          node.children.all? { |child| autocorrectable_value?(child) }
+        end
+        def work_package_association?(method_name)
+          method_name.to_s.end_with?("work_packages")
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/open_project_cops.rb CHANGED Viewed

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 require_relative "open_project/add_preview_for_view_component"
+require_relative "open_project/no_not_implemented_error"
+require_relative "open_project/no_params_in_work_package_where_id"
 require_relative "open_project/use_service_result_factory_methods"
 require_relative "open_project/no_sleep_in_feature_specs"

data/lib/rubocop/open_project/version.rb CHANGED Viewed

@@ -2,6 +2,6 @@
 module RuboCop
   module OpenProject
-    VERSION = "0.3.0"
+    VERSION = "0.5.0"
   end
 end

metadata CHANGED Viewed

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: rubocop-openproject
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.5.0
 platform: ruby
 authors:
 - OpenProject GmbH
-autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-07-11 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rubocop
@@ -40,6 +39,8 @@ files:
 - config/default.yml
 - lib/rubocop-openproject.rb
 - lib/rubocop/cop/open_project/add_preview_for_view_component.rb
+- lib/rubocop/cop/open_project/no_not_implemented_error.rb
+- lib/rubocop/cop/open_project/no_params_in_work_package_where_id.rb
 - lib/rubocop/cop/open_project/no_sleep_in_feature_specs.rb
 - lib/rubocop/cop/open_project/use_service_result_factory_methods.rb
 - lib/rubocop/cop/open_project_cops.rb
@@ -54,7 +55,6 @@ metadata:
   source_code_uri: https://github.com/opf/rubocop-openproject
   changelog_uri: https://github.com/opf/rubocop-openproject/blob/main/CHANGELOG.md
   rubygems_mfa_required: 'true'
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -69,8 +69,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.11
-signing_key:
+rubygems_version: 3.6.9
 specification_version: 4
 summary: RuboCop cops for OpenProject
 test_files: []