I'm implementing a search method in a controller, and I keep getting this error:
ActiveModel::ForbiddenAttributesError in TripsController#search
Extracted source (around line #22):
The offending line is within the following block:
if params[:search].present?
#trips = Trip.where("destination LIKE :destination", {:destination=> "%#{params[:search].first}%"}).where(#filters)
else
#trips = (Trip.where(#filters)) rescue (Trip.where(#filters).paginate(:page => params[:page], :per_page => 10))
end
Below is the full method code:
def search
#languages = Trip.pluck(:language).uniq
#interests = Trip.pluck(:interests).uniq
#destinations = Trip.pluck(:destination).uniq
#filters = params.slice(:language,:interests)
#search_param = params[:search].first rescue nil
#language_param = params[:language]
#intersts_param = params[:interests]
if params[:search].present?
#trips = Trip.where("destination LIKE :destination", {:destination=> "%#{params[:search].first}%"}).where(#filters)
else
#trips = (Trip.where(#filters)) rescue (Trip.where(#filters).paginate(:page => params[:page], :per_page => 10))
end
end
You need to use the Rails strong parameters.
Even if you are not using the parameters to to create a model Rails will raise an exception if you use params.slice and pass the result to a query.
This is due of the pretty pro-active approach that came with Rails 4 to avoid mass-assignment vulnerabilities.
def search
#languages = Trip.pluck(:language).uniq
#interests = Trip.pluck(:interests).uniq
#destinations = Trip.pluck(:destination).uniq
#filters = params.permit(:language,:interests)
#search_param = params.permit(search: [])
#language_param = #filters[:language]
#intersts_param = #filters[:interests]
if params[:search].present?
# you don't need named placeholders for a single parameter...
#trips = Trip.where("destination LIKE ?", params[:search].first)
.where(#filters)
else
#trips = (Trip.where(#filters)) rescue (Trip.where(#filters).paginate(:page => params[:page], :per_page => 10))
end
end
However in .where(#filters) you are breaking a cardinal rule and passing user input straight into a SQL query.
Instead you should use something like this:
Trip.where(language: #filters[:language])
This will create a "WHERE trips.language = ?" query with a placeholder which removes the SQL injection vulnerability.
Related
In a rails 4.1 application I need to add an object to an "AssociationRelation"
def index
employee = Employee.where(id_person: params[:id_person]).take
receipts_t = employee.receipts.where(:consent => true) #gives 3 results
receipts_n = employee.receipts.where(:consent => nil).limit(1) #gives 1 result
#I would need to add the null consent query result to the true consent results
#something similar to this and the result is still an association relation
#receipts = receipts_t + receipts_n
end
Is there a simple way to do this?
A way of solving this:
def index
employee_receipts = Employee.find_by(id_person: params[:id_person]).receipts
receipts_t = employee_receipts.where(consent: true)
receipts_n = employee_receipts.where(consent: nil).limit(1)
#receipts = Receipt.where(id: receipts_t.ids + receipts_n.ids)
end
Unfortunately .or() can't be used here because it's only available from Rails v5.0.0.1
you could do this way
receipts_t_ids = employee.receipts.where(:consent => true).pluck(:id)
receipts_n_ids = employee.receipts.where(:consent => nil).limit(1).pluck(:id)
#receipts = Receipt.where(id: receipts_t_ids + receipts_n_ids)
To avoid extra queries and keeping arrays in memory, you can use or
Like this:
def index
employee_receipts = Employee.find_by(id_person: params[:id_person]).receipts
#receipts =
employee_receipts.where(consent: true).or(
employee_receipts.where(consent: nil).limit(1)
)
end
I'm trying to retrieve from the database two contents: the first one with the field source equal to "imported" (which means that we import it from the excel spreadsheet), and the second one with source != imported (we create it from scratch). Attached is my code:
def index
add_breadcrumb 'Projects', projects_path
add_breadcrumb #project.name, #project
add_breadcrumb "List #{#category.display_name} Content", project_category_contents_path(#project, #category)
#contents_imported = Content.of_project(#project).with_category(#category).imported.order('contents.created_at asc')
#contents_not_imported = Content.of_project(#project).with_category(#category).not_imported.order('contents.created_at desc')
#page = params[:page]
#contents = #contents_not_imported << #contents_imported
#q = #contents.search(params[:q])
#content = #q.result(distinct: true).page(#page).per(20)
end
#contents_imported = Content.of_project(#project).with_category(#category).imported.order('contents.created_at asc')
#contents_not_imported = Content.of_project(#project).with_category(#category).not_imported.order('contents.created_at desc')
And I want to combine the two results before showing it:
#contents = #contents_not_imported << #contents_imported
but it didn't work. How can I do that?
If both of them are arrays and are having same type of objects you can do Result = Arr1 | Arr1
That also removes the duplicates. Its like boolean UNION. In your case #contents = #contents_not_imported | #contents_imported
The problem is that you want to concatenate results, but you also want to continue treating the combined results as an ActiveRelation (call .search on it). Here's a simpler approach that avoids the need for concatenation in the first place. You will need a more complex ORDER BY clause to accomplish this, however:
#page = params[:page]
#contents = Content.of_project(#project).with_category(#category).
order('CASE WHEN source <> "imported" THEN contents.created_at END desc, CASE WHEN source = "imported" THEN contents.created_at END asc')
#q = #contents.search(params[:q])
Concatenating the arrays is done with the plus sign
You are getting undefined method search for Array because, concatenating will return you an array. And you can't call search method on that Array
EDIT
def index
add_breadcrumb 'Projects', projects_path
add_breadcrumb #project.name, #project
add_breadcrumb "List #{#category.display_name} Content", project_category_contents_path(#project, #category)
contents_imported_ids = Content.of_project(#project).with_category(#category).imported.order('contents.created_at asc').map(&:id)
contents_not_imported_ids = Content.of_project(#project).with_category(#category).not_imported.order('contents.created_at desc').map(&:id)
#page = params[:page]
contents_ids = contents_imported_ids + contents_not_imported_ids
contents = Content.where(content_ids)
#contents = content_ids.collect{|id| contents.detect{|c| c.id == id}}
#q = #contents.search(params[:q])
#content = #q.result(distinct: true).page(#page).per(20)
end
Just create a new Relation with the conditions of imported or not imported, after that, order all the records (if order is important to #contents and #content):
def index
add_breadcrumb 'Projects', projects_path
add_breadcrumb #project.name, #project
add_breadcrumb "List #{#category.display_name} Content", project_category_contents_path(#project, #category)
#contents_imported = Content.of_project(#project).with_category(#category).imported.order('contents.created_at asc')
#contents_not_imported = Content.of_project(#project).with_category(#category).not_imported.order('contents.created_at desc')
#page = params[:page]
imported = #contents_imported.where_values.reduce(:and)
not_imported = #contents_not_imported.where_values.reduce(:and)
#contents = Content.where(imported.or(not_ipmorted)).order('CASE contents.imported WHEN true THEN contents.created_at asc ELSE contents.created_at desc END')
#q = #contents.search(params[:q])
#content = #q.result(distinct: true).page(#page).per(20)
end
Now you can call Ransack#search on #contents because it is an ActiveRecord::Relation. I assume that the imported scope take a field contents.imported with value true.
If I wrote this without errors, this must works.
I have the following controller method
def app_used_by_Lab
per_id = params[:id]
#search1 = Apparatus.used_by_specific_lab(per_id).search(params[:search]) # both 'used_by_specific_lab' & 'lab_created' are named_scopes which return results from the same table
#search2 = Apparatus.lab_created(per_id).search(params[:search])
#search = #search2 + #search1
#search.order ||= :descend_by_RPR_DATE_CREATED
#apparatuses = #search.paginate(:page => params[:page], :per_page => 10)
end
If I change the code to '#search = #search1', it works fine and return me the results but when I do '#search = #search2 + #search1', I get the error message below:
TypeError in ApparatusesController#app_used_by_Lab
can't convert Searchlogic::Search into Array
Is it not possible to use searchlogic on arrays?
Is there any solution to the above problem?
Thanks a lot for your precious help.
Please Try this:
#search = #search2.to_s + #search1.to_s
try this:
#search = #search2.concat(#search1)
I have such part of "ghost look like" code (but it so must be, as db is huge and have many tables):
def search_group
#search_trees = SearchTree.all
#designation = Designation.find(:all, :conditions => { :DES_ID => #search_trees.map(&:STR_DES_ID)})
#text = DesText.find(:all, :conditions => { :TEX_ID => #designation.map(&:DES_TEX_ID)})
#search_result = #text.find_all{|item| item.TEX_TEXT.include?(params[:search_group_text])}
#designation_back = #designation.find_all{|item| item.DES_TEX_ID == #search_result.TEX_ID}
#search_trees_back = #search_trees.find_all{|item| item.STR_DES_ID == #designation_back.DES_ID}
respond_to do |format|
format.html
end
end
I try to compare
#designation_back = #designation.find_all{|item| item.DES_TEX_ID == #search_result.TEX_ID}
but i get errors, something bad...undefined method `TEX_ID'. As i think, it's via i compare hash and hash in bad way... How can i do this?
#search_result = #text.find_all{|item| item.TEX_TEXT.include?(params[:search_group_text])}
#designation_back = #designation.find_all{|item| item.DES_TEX_ID == #search_result.TEX_ID}
it's because #search_result is an array and not an object where you can call that method on.
#search_results is an array. If you know it is returning just one result, you can do #search_results[0].Tex_Id, otherwise have to loop through for each value of #search_results.
try 'pry' gem to debug what results you are getting from each assignment.
I am working on an events application where i want to filter events depending on the 3 parameters location or starts_at or ends_at in the query string. There can be any one, two or all the parameters in the query string. In i use if-else statement i need to make 6 cases which will make my code clumsy. Rather i am thinking to implement something this way:
class EventsController < ApplicationController
def index
unless params.empty?
unless params[:location].nil?
#events = Event.where("location = ?", params[:location])
end
unless params[:starts_at].nil?
unless #events.empty?
#events = #events.where("start_date = ?", params[:start_date])
else
#events = Event.where("Date(starts_at) = Date(?)", params[:starts_at])
end
end
unless params[:ends_at].nil?
unless #events.empty?
#events = #events.where("end_date = ?", params[:end_date])
else
#events = Event.where("Date(ends_at) = Date(?)", params[:ends_at])
end
end
end
end
end
But this code doesnt work since where query doen not work on an array. Can someone suggest me some solution for this..
You should be able to pass your params hash directly to where, and it will form the correct SQL based on the keys and values of that hash:
Event.where(params)
An example in the console:
1.9.3p194 :001 > puts Example.where(:location => 'here', :started_at => '2012-08-13').to_sql
SELECT "examples".* FROM "examples" WHERE "examples"."location" = 'here' AND "examples"."started_at" = '2012-08-13'
Try Following
def index
unless params.empty?
where_array, arr = [], []
if params[:location]
where_array << "location = ?"
arr << params[:location]
end
if params[:starts_at]
where_array << "start_date = ?"
arr << params[:starts_at]
end
if params[:ends_at]
where_array << "end_date = ?"
arr << params[:ends_at]
end
#events = arr.blank? ? [] : Event.where([where_array.join(" AND "), *arr])
end
end