How to be protected from unwanted search queries #96

Closed
mikezaby opened this Issue May 11, 2012 · 3 comments


How can I be protected from queries that are different from those defined in the form?

For example, this is the generated GET request from the form:
&q%5Btitle_or_html_cont%5D=something

But I can manually change this to something like this:
&q%5Bpublished_eq%5D=false

Ransack returns unpublished articles in this case, and we don't want this.

ernie (Owner) commented May 11, 2012

See https://github.com/ernie/ransack/blob/master/lib/ransack/adapters/active_record/base.rb -- I didn't get around to documenting this functionality, but using standard OO techniques, you can define a class method called ransackable_attributes or ransackable_associations that takes a single, optional parameter, and then perform any logic you like inside it. I'd recommend modifying the result of super. This will be used to limit the available attributes or associations for search: https://github.com/ernie/ransack/blob/master/lib/ransack/context.rb#L109

You can set the auth_object on the search context as well, by passing an :auth_object key in the options to the search method. For the life of me I don't know what I was smoking when I made that an accessor instead of something set in the context initializer.
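The following is an added, stand-alone illustration of the pattern ernie describes above; it is not Ransack's code and not code from this thread. ActiveRecord and Ransack are not loaded: `ApplicationRecordLike` is a hypothetical stand-in for the default `ransackable_attributes` behaviour, `Article` is a hypothetical model, and `PREDICATES` covers only a handful of Ransack predicate suffixes. The point it shows is the override itself (start from `super`, then subtract what the given `auth_object` may not search on) and what happens to the hand-edited `published_eq` key from the question once the allowlist is applied.

```ruby
# Added example: a small simulation of the ransackable_attributes hook and
# of an allowlist being applied to q[...] params. Not Ransack's own code;
# ApplicationRecordLike, Article and PREDICATES are assumptions.

# Hypothetical base class standing in for the default behaviour:
# every column is searchable.
class ApplicationRecordLike
  def self.column_names
    []
  end

  def self.ransackable_attributes(_auth_object = nil)
    column_names.dup
  end
end

# Hypothetical model. The override follows ernie's advice: take super's
# result and remove attributes the current auth_object may not search on.
class Article < ApplicationRecordLike
  def self.column_names
    %w[id title html published created_at]
  end

  def self.ransackable_attributes(auth_object = nil)
    attrs = super # bare super forwards auth_object unchanged
    auth_object == :admin ? attrs : attrs - %w[published]
  end
end

# Subset of predicate suffixes; longer ones first so "_not_cont" is not
# mistaken for "_cont".
PREDICATES = %w[not_cont cont eq lt gt].freeze

# Split a condition name such as "title_or_html_cont" into its attribute
# list ["title", "html"] and predicate "cont". Returns nil for names that
# end in no known predicate.
def split_condition(name)
  pred = PREDICATES.find { |p| name.end_with?("_#{p}") }
  return nil unless pred

  attrs = name[0...-(pred.length + 1)].split("_or_")
  [attrs, pred]
end

# Keep only the q[...] conditions whose every attribute is on the model's
# allowlist for this auth_object; everything else is silently dropped.
def permitted_conditions(model, q_params, auth_object = nil)
  allowed = model.ransackable_attributes(auth_object)
  q_params.select do |name, _value|
    attrs, _pred = split_condition(name.to_s)
    attrs && attrs.all? { |a| allowed.include?(a) }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: the form's own condition plus the tampered one
  # from the question, as they would arrive in params[:q].
  q = { "title_or_html_cont" => "something", "published_eq" => "false" }
  puts "anonymous: #{permitted_conditions(Article, q).keys.inspect}"
  puts "admin:     #{permitted_conditions(Article, q, :admin).keys.inspect}"
end
```

Run as a script: the anonymous search keeps only `title_or_html_cont`, while an `:admin` auth_object (the value you would pass via the `:auth_object` option ernie mentions) keeps both conditions. In a real app the filtering step is Ransack's job; only the class-method override belongs in your model.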

jonatack (Member) commented Aug 29, 2014

Now addressed in the Ransack README and wiki, so we can close this 😃

jonatack closed this Aug 29, 2014
