rubocop-openproject 0.4.0 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9cfe3bab3bbbc3032190c71f7e824eb2d451f854248d076aca30db79723f346b
-  data.tar.gz: b265782c32033cd8315f9a0b3bef3cb4cf7c0bdcf01d3fb85de59559fa9a9935
+  metadata.gz: 275bc3f46bfa1dd8ecc461306e5671cadbce64a83a571044d8fff2d08af163a0
+  data.tar.gz: 6c492b822185a201a389c3fd035fed0f02b60a44a87497090bf34d57c422af52
 SHA512:
-  metadata.gz: cde9e717e29db386ab61514b4533f0861956fe2aefe5eeadc9b5baf0c12fb4fa3851f565c0cab2ca9919ed652c27623a45ef1f41ed9c6f2f9bce81fcf2f9aff7
-  data.tar.gz: 690ebd432e8719ba28f5bd2e146304883626dde1cdd8fab45a6dc518cf16401615c3cdab7382c258db7cc166b40baac9e512c915a26a59aafe5fbb0897d74d22
+  metadata.gz: 65aacad0b8c4b61e690253a4b86169bdac9b598df89da79f98995e113fb14cad688395495863382a023c002c1ef4db101eb1d0ef162be0571c2b078d38443c8f
+  data.tar.gz: 0ceddce3d195d754dbdf194de88a68a284e86c099ee6f4d9d2069caef736bfb7b9a1ea9d4d9f1ac17e502321814c87115c197bed15bc47486a17042202b7ede9

data/CHANGELOG.md

@@ -1,5 +1,11 @@
 ## [Unreleased]
 
+## [0.5.0] - 2026-05-05
+
+- Add `OpenProject/NoParamsInWorkPackageWhereId` cop to catch
+  `WorkPackage.where(id: params[...])` patterns that silently drop semantic
+  identifiers (e.g. `"PROJ-42"`) when PostgreSQL casts the string to integer 0.
+
 ## [0.4.0] - 2026-03-27
 
 - Add NoNotImplementedError cop

data/config/default.yml

@@ -13,6 +13,11 @@ OpenProject/NoNotImplementedError:
   Enabled: true
   VersionAdded: '0.4.0'
 
+OpenProject/NoParamsInWorkPackageWhereId:
+  Description: 'Avoid `WorkPackage.where(id: params[...])`; use `where_display_id_in` to honour semantic identifiers.'
+  Enabled: true
+  VersionAdded: '0.5.0'
+
 OpenProject/NoSleepInFeatureSpecs:
   Description: 'Avoid using `sleep` greater than 1 second in feature specs.'
   Enabled: true

data/lib/rubocop/cop/open_project/no_params_in_work_package_where_id.rb

@@ -0,0 +1,124 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module OpenProject
+      # Flags `WorkPackage.where(id: params[...])` patterns. With semantic work
+      # package identifiers enabled, params may carry strings like "PROJ-42"
+      # that PostgreSQL silently casts to integer 0 inside `where(id: ...)`,
+      # producing an empty result set instead of an error. Use the dedicated
+      # resolver `WorkPackage.where_display_id_in(...)` which partitions
+      # numeric and semantic inputs and consults the alias table.
+      #
+      # The cop fires when the receiver chain demonstrably resolves to a
+      # WorkPackage relation — either rooted at the `WorkPackage` constant or
+      # passing through an association call whose name ends in
+      # `work_packages` (e.g. `project.work_packages`,
+      # `user.assigned_work_packages`) — and the value is derived from
+      # `params[...]`. Internal subquery composition
+      # (`where(id: scope.pluck(:id))`) and primary-key literals are left
+      # alone.
+      #
+      # @example
+      #   # bad
+      #   WorkPackage.where(id: params[:work_package_id])
+      #
+      #   # bad
+      #   WorkPackage.where(id: params[:work_package_id] || params[:ids])
+      #
+      #   # bad
+      #   WorkPackage.includes(:project).where(id: params[:ids])
+      #
+      #   # bad
+      #   project.work_packages.where(id: params[:work_package_id])
+      #
+      #   # bad
+      #   current_user.assigned_work_packages.where(id: params[:ids])
+      #
+      #   # good
+      #   WorkPackage.where_display_id_in(params[:work_package_id])
+      #
+      #   # good
+      #   project.work_packages.where_display_id_in(params[:work_package_id])
+      #
+      #   # good (primary key, not user input)
+      #   WorkPackage.where(id: 42)
+      #
+      #   # good (subquery, not user input)
+      #   WorkPackage.where(id: other_scope.select(:id))
+      class NoParamsInWorkPackageWhereId < Base
+        extend AutoCorrector
+
+        MSG = "Avoid `WorkPackage.where(id: params[...])` — semantic identifiers like " \
+              '"PROJ-42" are silently coerced to 0 by the SQL cast. ' \
+              "Use `WorkPackage.where_display_id_in(...)` instead."
+
+        RESTRICT_ON_SEND = %i[where].freeze
+
+        def_node_matcher :params_access?, <<~PATTERN
+          (send (send nil? :params) :[] _)
+        PATTERN
+
+        # A receiver that traces back through any chain of sends to either:
+        #   - the `WorkPackage` constant: `WorkPackage`, `WorkPackage.foo`, ...
+        #   - an association call whose name ends in `work_packages`:
+        #     `project.work_packages`, `user.assigned_work_packages`, ...
+        # The recursion handles arbitrarily deep chains in either form.
+        def_node_matcher :work_package_relation?, <<~PATTERN
+          {
+            (const nil? :WorkPackage)
+            (send _ #work_package_association? ...)
+            (send #work_package_relation? _ ...)
+          }
+        PATTERN
+
+        def on_send(node)
+          return unless work_package_relation?(node.receiver)
+
+          hash_arg = node.first_argument
+          id_value = id_value_from_hash(hash_arg)
+          return unless id_value && value_uses_params?(id_value)
+
+          add_offense(node) do |corrector|
+            next unless autocorrectable_value?(id_value) && sole_id_predicate?(hash_arg)
+
+            corrector.replace(node, "#{node.receiver.source}.where_display_id_in(#{id_value.source})")
+          end
+        end
+
+        private
+
+        def id_value_from_hash(arg)
+          return unless arg&.hash_type?
+
+          pair = arg.pairs.find { |p| p.key.sym_type? && p.key.value == :id }
+          pair&.value
+        end
+
+        # Refuse to autocorrect when the hash carries additional predicates
+        # (e.g. `where(id: params[:id], project_id: 5)`); rewriting to
+        # `where_display_id_in(params[:id])` would silently drop them.
+        def sole_id_predicate?(hash_arg)
+          hash_arg.pairs.size == 1
+        end
+
+        def value_uses_params?(node)
+          return true if params_access?(node)
+
+          node.each_descendant(:send).any? { |descendant| params_access?(descendant) }
+        end
+
+        def autocorrectable_value?(node)
+          return true if params_access?(node)
+          return false unless node.or_type?
+
+          node.children.all? { |child| autocorrectable_value?(child) }
+        end
+
+        def work_package_association?(method_name)
+          method_name.to_s.end_with?("work_packages")
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/open_project_cops.rb

@@ -2,5 +2,6 @@
 
 require_relative "open_project/add_preview_for_view_component"
 require_relative "open_project/no_not_implemented_error"
+require_relative "open_project/no_params_in_work_package_where_id"
 require_relative "open_project/use_service_result_factory_methods"
 require_relative "open_project/no_sleep_in_feature_specs"

data/lib/rubocop/open_project/version.rb

@@ -2,6 +2,6 @@
 
 module RuboCop
   module OpenProject
-    VERSION = "0.4.0"
+    VERSION = "0.5.0"
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rubocop-openproject
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.5.0
 platform: ruby
 authors:
 - OpenProject GmbH
@@ -40,6 +40,7 @@ files:
 - lib/rubocop-openproject.rb
 - lib/rubocop/cop/open_project/add_preview_for_view_component.rb
 - lib/rubocop/cop/open_project/no_not_implemented_error.rb
+- lib/rubocop/cop/open_project/no_params_in_work_package_where_id.rb
 - lib/rubocop/cop/open_project/no_sleep_in_feature_specs.rb
 - lib/rubocop/cop/open_project/use_service_result_factory_methods.rb
 - lib/rubocop/cop/open_project_cops.rb