How can I be protected from queries that are different from those defined in the form?
For example, this is the generated GET request from the form
But I can manually change this to something like this
In this case Ransack returns unpublished articles, and we don't want this.
See https://github.com/ernie/ransack/blob/master/lib/ransack/adapters/active_record/base.rb -- I didn't get around to documenting this functionality, but using standard OO techniques, you can define a class method called ransackable_attributes or ransackable_associations that takes a single, optional parameter, and then perform any logic you like inside it. I'd recommend modifying the result of super. This will be used to limit the available attributes or associations for search: https://github.com/ernie/ransack/blob/master/lib/ransack/context.rb#L109
You can set the auth_object on the search context as well, by passing an :auth_object key in the options to the search method. For the life of me I don't know what I was smoking when I made that an accessor instead of something set in the context initializer.
I've also done a quick blog post about it at http://erniemiller.org/2012/05/11/why-your-ruby-class-macros-might-suck-mine-did/
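A sketch of the override described in the answer above, added here as an illustration and not taken from the thread or from Ransack's own code. `FakeRecord` and `permitted_conditions` are hypothetical stand-ins for the ActiveRecord/Ransack base so the example runs without gems, and the `Article` columns, the `:admin` auth object and the query hash are constructed.

```ruby
# Hypothetical stand-in for the ActiveRecord/Ransack base class.
# Assumption: by default every column is searchable.
class FakeRecord
  def self.column_names
    []
  end

  def self.ransackable_attributes(auth_object = nil)
    column_names
  end

  # Hypothetical helper imitating the effect of the whitelist: a condition
  # survives only if it names an allowed attribute. Real Ransack matches
  # predicate suffixes; this prefix check is a simplification.
  def self.permitted_conditions(params, auth_object: nil)
    allowed = ransackable_attributes(auth_object)
    params.select do |key, _value|
      allowed.any? { |attr| key.to_s.start_with?("#{attr}_") }
    end
  end
end

class Article < FakeRecord
  def self.column_names
    %w[id title body published]
  end

  # The override itself: modify the result of super, optionally per auth object.
  def self.ransackable_attributes(auth_object = nil)
    allowed = super(auth_object)
    auth_object == :admin ? allowed : allowed - %w[published]
  end
end

# Constructed sample: the form only sends title_cont; published_eq was added by hand.
TAMPERED_QUERY = { "title_cont" => "rails", "published_eq" => "0" }.freeze

if __FILE__ == $0
  p Article.permitted_conditions(TAMPERED_QUERY)
  p Article.permitted_conditions(TAMPERED_QUERY, auth_object: :admin)
end
```

In a real model only the `ransackable_attributes` override is needed, with the controller passing `auth_object:` in the options to `search`. Removing `published` from the searchable attributes stops visitors from filtering on it; the published-only restriction itself still has to come from a scope applied on the server.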
Now addressed in the Ransack README and wiki, so we can close this.