There are Answers how to retrieve a full list of Tables
My problem is more specific, as I want to retrieve a list of tables a specific user is able to perform a certain operation on (eg Select)
With information from Informix Doc - SYSTABAUTH
I am using the following query
SELECT TAB.TABNAME
FROM
SYSTABLES TAB,
(
SELECT TABID
FROM SYSTABAUTH
WHERE
GRANTEE = CURRENT_USER AND
UPPER(TABAUTH) LIKE 'S%'
) AUTH
WHERE TAB.TABID = AUTH.TABID
By upper-ing the case I cover both options:
lowercase: grantee is able to perform action
uppercase: grantee is able to grant action to others
The query checks specifically for select privileges, the Informix Docs specify further privileges as well as columnar privileges
Related
(See example schema image below)
I am attempting to query a single user from the users table using the email field, along with the id & key fields from the applications table. The results should contain the user found (if any), along with the application (referenced using the key & id fields) and the applications_users associated data.
I can easily write SQL manually to perform this operation:
SELECT
"users".*,
"applications_users"."scopes",
"jwt_applications".*
FROM
"users"
INNER JOIN
"applications_users" ON "applications_users"."user_id" = "users"."id"
INNER JOIN
"jwt_applications" ON "jwt_applications"."id" = "applications_users"."application_id"
WHERE
"users"."email" = 'rainbows#unicorns.net'
AND "jwt_applications"."id" = '01daafc9-2169-4c78-83e9-37ac0a473e3d'
AND "jwt_applications"."key" = 'follow_the_rainbow'
LIMIT 1
However, I cannot for the life of me get the query correct when using ActiveRecord.
These are the unsuccessful attempts I have made thus far:
user = User.where(email: args[:username]).joins(:applications).merge(
JwtApplication.where(id: args[:application][:id], key: args[:application][:key])
).take!
This gets the user correctly, however Rails performs a second SQL query when I attempt to access user.applications (and it also returns all applications associated with the user; so it appears to disregard the id & key conditions)
user = User.where(email: args[:username]).joins(:applications).merge(
JwtApplication.where(id: args[:application][:id], key: args[:application][:key])
).references(:applications_users).take!
This gets the user correctly and also the correct application (yay!), however Rails performs a second SQL query if I attempt to call user.applications_users -- it also returns a collection for all data inside the applications_users table (again, disregarding the id & key conditions)
user = User.where(email: args[:username]).joins(:applications).where(
jwt_applications: {
id: args[:application][:id],
key: args[:application][:key]
}
).take!
This gets the correct user, however Rails performs another SQL query when I attempt to access user.applications -- also returning all applications.
Anyway, hopefully a Rails genius can shed some light on this question! I will be the first to admit that I am by no means a Rails expert; I have spent the last 10 years of my professional career coding in PHP & C++, so please bear with me if this comes off as a stupid question :)
Not sure if this is something you're looking for but...
You can write ActiveRecord query like (join model should be implicitly added to your query):
User.joins(:applications).where(email: email).where(applications: { key: key, id: id})
Where email, key and id as params to pass to the query.
On top of that query you can use select fields to get everything you need:
user = User.joins(:applications).where(email: email).where(applications: { key: key, id: id}).select('users.*, applications.id as appid applications.key as appkey').first
That will give you back the user model (if present) or empty relation if nothing matches your criteria.
You can then call the fields like
user.appid
user.appkey
You can always call select ('users.*, application_users.scopes, applications.*) which will return you all the fields in single instance (still under User model) BUT duplicate fields like id will only be shown once, that's why it's better to grab just the fields you want and give them unique identifiers like I've shown with appid and appkey.
Again, might not be exactly what you're after, but hopefully it points you in the right direction!
I have the following ruby On Rails code:
#The user can only ask for a subset of the following columns:
authorized_fields= ["id","created_at","updated_at"]
#The user sends the requested columns as a comma separated string in the fields param
fields = (params[:fields].split(',') & authorized_fields).join(",");
#Build the query to be run:
sql = "SELECT json_agg(u) FROM (SELECT #{fields} FROM table_name) u"
#Run the query against the database
ModelName.connection.select_value(sql)
My question is, is this query SQL Injection safe? My understanding is that since I limit the available fields, so it protects me from injections.
Am I correct? Can someone give me an example of a fields parameter sent by the user which will not be safe?
You may use ActiveRecord::Base.connection.quote_column_name. Code should be like this:
input_fields = params[:fields].split(',').collect do |field|
ActiveRecord::Base.connection.quote_column_name(field)
end
Is there any way to get the sql for a single condition or chain of conditions so Booking.where(active: true).to_conditional_sql would return WHERE bookings.active='t' instead of SELECT * FROM bookings WHERE bookings.active='t'
I think you want Scopes:
You can find more about scopes here:
http://guides.rubyonrails.org/active_record_querying.html#scopes
I am implementing search functionality in rails. When i search for users, the logged in user who is searching also comes in search. I want to avoid it.
This is in my search_method in controller
#matchedUsers = InUser.where("first_name like ?", "%#{params[:searchfnameInput]}%")
And i have user id in session[:user_id]. I want to exclude the record having id==session[:user_id] from #matchedUsers?
Thanks and Regards
Add another where clause to your query:
#matchedUsers = InUser.where("id<>?", current_user.id).where("first_name like ?", "%#{params[:searchfnameInput]}%")
The "id<>?" says "exclude the user with this ID".
I need to select the second entry in the User model.
User.second does not work, nor does User.2 or User.two.
I'm trying to set u to the second User entry (u = User.2)
The following should work:
User.all.second
User.offset(1).first
# Assuming you are using incremental keys and have users with ID's 1 and 2:
User.find(2)