lib/ransack/adapters/active_record/base.rb
module Ransack module Adapters module ActiveRecord module Base def self.extended(base) base.class_eval do class_attribute :_ransackers class_attribute :_ransack_aliases self._ransackers ||= {} self._ransack_aliases ||= {} end end def ransack(params = {}, options = {}) Search.new(self, params, options) end def ransack!(params = {}, options = {}) ransack(params, options.merge(ignore_unknown_conditions: false)) end def ransacker(name, opts = {}, &block) self._ransackers = _ransackers.merge name.to_s => Ransacker .new(self, name, opts, &block) end def ransack_alias(new_name, old_name) self._ransack_aliases = _ransack_aliases.merge new_name.to_s => old_name.to_s end # Ransackable_attributes, by default, returns all column names # and any defined ransackers as an array of strings. # For overriding with a whitelist array of strings. # def ransackable_attributes(auth_object = nil) @ransackable_attributes ||= deprecated_ransackable_list(:ransackable_attributes) end # Ransackable_associations, by default, returns the names # of all associations as an array of strings. # For overriding with a whitelist array of strings. # def ransackable_associations(auth_object = nil) @ransackable_associations ||= deprecated_ransackable_list(:ransackable_associations) end # Ransortable_attributes, by default, returns the names # of all attributes available for sorting as an array of strings. # For overriding with a whitelist array of strings. # def ransortable_attributes(auth_object = nil) ransackable_attributes(auth_object) end # Ransackable_scopes, by default, returns an empty array # i.e. no class methods/scopes are authorized. # For overriding with a whitelist array of *symbols*. # def ransackable_scopes(auth_object = nil) [] end # ransack_scope_skip_sanitize_args, by default, returns an empty array. # i.e. use the sanitize_scope_args setting to determine if args should be converted. # For overriding with a list of scopes which should be passed the args as-is. # def ransackable_scopes_skip_sanitize_args [] end # Bare list of all potentially searchable attributes. Searchable attributes # need to be explicitly allowlisted through the `ransackable_attributes` # method in each model, but if you're allowing almost everything to be # searched, this list can be used as a base for exclusions. # def authorizable_ransackable_attributes if Ransack::SUPPORTS_ATTRIBUTE_ALIAS column_names + _ransackers.keys + _ransack_aliases.keys + attribute_aliases.keys else column_names + _ransackers.keys + _ransack_aliases.keys end.uniq end # Bare list of all potentially searchable associations. Searchable # associations need to be explicitly allowlisted through the # `ransackable_associations` method in each model, but if you're # allowing almost everything to be searched, this list can be used as a # base for exclusions. # def authorizable_ransackable_associations reflect_on_all_associations.map { |a| a.name.to_s } end private def deprecated_ransackable_list(method) list_type = method.to_s.delete_prefix("ransackable_") if explicitly_defined?(method) warn_deprecated <<~ERROR Ransack's builtin `#{method}` method is deprecated and will result in an error in the future. If you want to authorize the full list of searchable #{list_type} for this model, use `authorizable_#{method}` instead of delegating to `super`. ERROR public_send("authorizable_#{method}") else raise <<~MESSAGE Ransack needs #{name} #{list_type} explicitly allowlisted as searchable. Define a `#{method}` class method in your `#{name}` model, watching out for items you DON'T want searchable (for example, `encrypted_password`, `password_reset_token`, `owner` or other sensitive information). You can use the following as a base: ```ruby class #{name} < ApplicationRecord # ... def self.#{method}(auth_object = nil) #{public_send("authorizable_#{method}").sort.inspect} end # ... end ``` MESSAGE end end def explicitly_defined?(method) definer_ancestor = singleton_class.ancestors.find do |ancestor| ancestor.instance_methods(false).include?(method) end definer_ancestor != Ransack::Adapters::ActiveRecord::Base end def warn_deprecated(message) caller_location = caller_locations.find { |location| !location.path.start_with?(File.expand_path("../..", __dir__)) } warn "DEPRECATION WARNING: #{message.squish} (called at #{caller_location.path}:#{caller_location.lineno})" end end end end end