rubocop-openproject 0.3.0 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 216a0869e29d95a92306d0d02e2bc340b7914733f86d56c4f27cce5fbcf8e466
-  data.tar.gz: d3ca3bc8f408a56843a5cbd7f8d69a8a1eadc6bda76c5ea8139201181a1e0de8
+  metadata.gz: 275bc3f46bfa1dd8ecc461306e5671cadbce64a83a571044d8fff2d08af163a0
+  data.tar.gz: 6c492b822185a201a389c3fd035fed0f02b60a44a87497090bf34d57c422af52
 SHA512:
-  metadata.gz: 7041d99b3774a92ae145c93bf64ec52628aee9b04ebd08b04a3803c2d662f956404893306d8274762d0b1050c2f6787b135cc15f58d514e0d508bc8673487881
-  data.tar.gz: 989852deeca12ee26502f448d85e660f6539fca125cd5f174650acf2646da07eef463db5aa025c30d46976484730d2bc0cd363d9953af42fb25f688e24fd3541
+  metadata.gz: 65aacad0b8c4b61e690253a4b86169bdac9b598df89da79f98995e113fb14cad688395495863382a023c002c1ef4db101eb1d0ef162be0571c2b078d38443c8f
+  data.tar.gz: 0ceddce3d195d754dbdf194de88a68a284e86c099ee6f4d9d2069caef736bfb7b9a1ea9d4d9f1ac17e502321814c87115c197bed15bc47486a17042202b7ede9

data/CHANGELOG.md

@@ -1,5 +1,15 @@
 ## [Unreleased]
 
+## [0.5.0] - 2026-05-05
+
+- Add `OpenProject/NoParamsInWorkPackageWhereId` cop to catch
+  `WorkPackage.where(id: params[...])` patterns that silently drop semantic
+  identifiers (e.g. `"PROJ-42"`) when PostgreSQL casts the string to integer 0.
+
+## [0.4.0] - 2026-03-27
+
+- Add NoNotImplementedError cop
+
 ## [0.3.0] - 2025-07-11
 
 - Remove redundant NoDoEndBlockWithRSpecCapybaraMatcherInExpect cop

data/config/default.yml

@@ -8,6 +8,16 @@ OpenProject/NoDoEndBlockWithRSpecCapybaraMatcherInExpect:
   Enabled: true
   VersionAdded: '0.1.0'
 
+OpenProject/NoNotImplementedError:
+  Description: 'Do not raise `NotImplementedError` to signal an unimplemented abstract method.'
+  Enabled: true
+  VersionAdded: '0.4.0'
+
+OpenProject/NoParamsInWorkPackageWhereId:
+  Description: 'Avoid `WorkPackage.where(id: params[...])`; use `where_display_id_in` to honour semantic identifiers.'
+  Enabled: true
+  VersionAdded: '0.5.0'
+
 OpenProject/NoSleepInFeatureSpecs:
   Description: 'Avoid using `sleep` greater than 1 second in feature specs.'
   Enabled: true

data/lib/rubocop/cop/open_project/no_not_implemented_error.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module OpenProject
+      # Warns against using a `NotImplementedError` exception when a method
+      # should be implemented by a subclass or including module. Ruby's
+      # `NotImplementedError` is reserved for platform-specific missing
+      # features (e.g., methods depending on `fsync` or `fork`), not for
+      # abstract method patterns.
+      #
+      # @example
+      #   # bad
+      #   raise NotImplementedError
+      #
+      #   # bad
+      #   raise NotImplementedError, "Subclasses must implement #foo"
+      #
+      #   # bad
+      #   raise NotImplementedError.new("Subclasses must implement #foo")
+      #
+      #   # bad
+      #   fail NotImplementedError
+      #
+      #   # good
+      #   raise NotYetImplementedError
+      #
+      #   # good
+      #   raise SubclassResponsibilityError, "#{self.class} must implement #foo"
+      #
+      class NoNotImplementedError < Base
+        MSG = "Do not raise `NotImplementedError` to signal an unimplemented abstract method. " \
+              "Ruby's `NotImplementedError` is reserved for platform-specific missing features. " \
+              "Raise a descriptive custom error class instead."
+
+        RESTRICT_ON_SEND = %i[raise fail].freeze
+
+        def_node_matcher :raises_not_implemented_error?, <<~PATTERN
+          {
+            (send nil? {:raise :fail} (const nil? :NotImplementedError) ...)
+            (send nil? {:raise :fail} (send (const nil? :NotImplementedError) :new ...) ...)
+          }
+        PATTERN
+
+        def on_send(node)
+          return unless raises_not_implemented_error?(node)
+
+          add_offense(node)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/open_project/no_params_in_work_package_where_id.rb

@@ -0,0 +1,124 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module OpenProject
+      # Flags `WorkPackage.where(id: params[...])` patterns. With semantic work
+      # package identifiers enabled, params may carry strings like "PROJ-42"
+      # that PostgreSQL silently casts to integer 0 inside `where(id: ...)`,
+      # producing an empty result set instead of an error. Use the dedicated
+      # resolver `WorkPackage.where_display_id_in(...)` which partitions
+      # numeric and semantic inputs and consults the alias table.
+      #
+      # The cop fires when the receiver chain demonstrably resolves to a
+      # WorkPackage relation — either rooted at the `WorkPackage` constant or
+      # passing through an association call whose name ends in
+      # `work_packages` (e.g. `project.work_packages`,
+      # `user.assigned_work_packages`) — and the value is derived from
+      # `params[...]`. Internal subquery composition
+      # (`where(id: scope.pluck(:id))`) and primary-key literals are left
+      # alone.
+      #
+      # @example
+      #   # bad
+      #   WorkPackage.where(id: params[:work_package_id])
+      #
+      #   # bad
+      #   WorkPackage.where(id: params[:work_package_id] || params[:ids])
+      #
+      #   # bad
+      #   WorkPackage.includes(:project).where(id: params[:ids])
+      #
+      #   # bad
+      #   project.work_packages.where(id: params[:work_package_id])
+      #
+      #   # bad
+      #   current_user.assigned_work_packages.where(id: params[:ids])
+      #
+      #   # good
+      #   WorkPackage.where_display_id_in(params[:work_package_id])
+      #
+      #   # good
+      #   project.work_packages.where_display_id_in(params[:work_package_id])
+      #
+      #   # good (primary key, not user input)
+      #   WorkPackage.where(id: 42)
+      #
+      #   # good (subquery, not user input)
+      #   WorkPackage.where(id: other_scope.select(:id))
+      class NoParamsInWorkPackageWhereId < Base
+        extend AutoCorrector
+
+        MSG = "Avoid `WorkPackage.where(id: params[...])` — semantic identifiers like " \
+              '"PROJ-42" are silently coerced to 0 by the SQL cast. ' \
+              "Use `WorkPackage.where_display_id_in(...)` instead."
+
+        RESTRICT_ON_SEND = %i[where].freeze
+
+        def_node_matcher :params_access?, <<~PATTERN
+          (send (send nil? :params) :[] _)
+        PATTERN
+
+        # A receiver that traces back through any chain of sends to either:
+        #   - the `WorkPackage` constant: `WorkPackage`, `WorkPackage.foo`, ...
+        #   - an association call whose name ends in `work_packages`:
+        #     `project.work_packages`, `user.assigned_work_packages`, ...
+        # The recursion handles arbitrarily deep chains in either form.
+        def_node_matcher :work_package_relation?, <<~PATTERN
+          {
+            (const nil? :WorkPackage)
+            (send _ #work_package_association? ...)
+            (send #work_package_relation? _ ...)
+          }
+        PATTERN
+
+        def on_send(node)
+          return unless work_package_relation?(node.receiver)
+
+          hash_arg = node.first_argument
+          id_value = id_value_from_hash(hash_arg)
+          return unless id_value && value_uses_params?(id_value)
+
+          add_offense(node) do |corrector|
+            next unless autocorrectable_value?(id_value) && sole_id_predicate?(hash_arg)
+
+            corrector.replace(node, "#{node.receiver.source}.where_display_id_in(#{id_value.source})")
+          end
+        end
+
+        private
+
+        def id_value_from_hash(arg)
+          return unless arg&.hash_type?
+
+          pair = arg.pairs.find { |p| p.key.sym_type? && p.key.value == :id }
+          pair&.value
+        end
+
+        # Refuse to autocorrect when the hash carries additional predicates
+        # (e.g. `where(id: params[:id], project_id: 5)`); rewriting to
+        # `where_display_id_in(params[:id])` would silently drop them.
+        def sole_id_predicate?(hash_arg)
+          hash_arg.pairs.size == 1
+        end
+
+        def value_uses_params?(node)
+          return true if params_access?(node)
+
+          node.each_descendant(:send).any? { |descendant| params_access?(descendant) }
+        end
+
+        def autocorrectable_value?(node)
+          return true if params_access?(node)
+          return false unless node.or_type?
+
+          node.children.all? { |child| autocorrectable_value?(child) }
+        end
+
+        def work_package_association?(method_name)
+          method_name.to_s.end_with?("work_packages")
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/open_project_cops.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
 require_relative "open_project/add_preview_for_view_component"
+require_relative "open_project/no_not_implemented_error"
+require_relative "open_project/no_params_in_work_package_where_id"
 require_relative "open_project/use_service_result_factory_methods"
 require_relative "open_project/no_sleep_in_feature_specs"

data/lib/rubocop/open_project/version.rb

@@ -2,6 +2,6 @@
 
 module RuboCop
   module OpenProject
-    VERSION = "0.3.0"
+    VERSION = "0.5.0"
   end
 end

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: rubocop-openproject
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.5.0
 platform: ruby
 authors:
 - OpenProject GmbH
-autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-07-11 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rubocop
@@ -40,6 +39,8 @@ files:
 - config/default.yml
 - lib/rubocop-openproject.rb
 - lib/rubocop/cop/open_project/add_preview_for_view_component.rb
+- lib/rubocop/cop/open_project/no_not_implemented_error.rb
+- lib/rubocop/cop/open_project/no_params_in_work_package_where_id.rb
 - lib/rubocop/cop/open_project/no_sleep_in_feature_specs.rb
 - lib/rubocop/cop/open_project/use_service_result_factory_methods.rb
 - lib/rubocop/cop/open_project_cops.rb
@@ -54,7 +55,6 @@ metadata:
   source_code_uri: https://github.com/opf/rubocop-openproject
   changelog_uri: https://github.com/opf/rubocop-openproject/blob/main/CHANGELOG.md
   rubygems_mfa_required: 'true'
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -69,8 +69,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.11
-signing_key:
+rubygems_version: 3.6.9
 specification_version: 4
 summary: RuboCop cops for OpenProject
 test_files: []