
How to be protected from unwanted search queries #96

Closed
mikezaby opened this Issue · 3 comments

3 participants

@mikezaby

How can I be protected from queries that are different from those defined in the form?

For example, this is the generated get request from the form
&q%5Btitle_or_html_cont%5D=somthing

But I can manually change this to something like this
&q%5Bpubliched_eq%5D=false

Ransack returns unpublished articles in this case, and we don't want this.

@ernie
Owner

See https://github.com/ernie/ransack/blob/master/lib/ransack/adapters/active_record/base.rb -- I didn't get around to documenting this functionality, but using standard OO techniques, you can define a class method called ransackable_attributes or ransackable_associations that takes a single, optional parameter, and then perform any logic you like inside it. I'd recommend modifying the result of super. This will be used to limit the available attributes or associations for search: https://github.com/ernie/ransack/blob/master/lib/ransack/context.rb#L109

You can set the auth_object on the search context as well, by passing an :auth_object key in the options to the search method. For the life of me I don't know what I was smoking when I made that an accessor instead of something set in the context initializer.
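The whitelisting ernie describes, as an added stand-alone illustration that is not part of this thread and not Ransack's own code. Ransack itself evaluates ransackable_attributes / ransackable_associations inside its search context (the context.rb link above), so a real app only needs the class-method overrides and the :auth_object option, e.g. Article.search(params[:q], auth_object: current_user). To run without the gem, the example assumes a small RansackDefaultsStandIn module in place of the adapter's defaults, a constructed Article model with columns id, title, html, published and created_at, AdminUser/Visitor objects answering admin?, and a sanitize_search_params helper that mimics what Ransack does when it drops conditions on non-whitelisted attributes:

```ruby
# Stand-in for the defaults Ransack's ActiveRecord adapter mixes into models
# (constructed for this example; the real defaults live in the adapter).
module RansackDefaultsStandIn
  def ransackable_attributes(_auth_object = nil)
    column_names
  end

  def ransackable_associations(_auth_object = nil)
    reflect_on_all_associations.map { |r| r.name.to_s }
  end
end

Reflection = Struct.new(:name) # minimal stand-in for ActiveRecord reflection

# Constructed model: the app's Article class with the overrides ernie suggests.
class Article
  extend RansackDefaultsStandIn

  def self.column_names
    %w[id title html published created_at]
  end

  def self.reflect_on_all_associations
    [Reflection.new(:author), Reflection.new(:comments)]
  end

  # Narrow the default whitelist by modifying the result of super. auth_object
  # is whatever the caller passed as :auth_object to the search; nil for an
  # anonymous visitor. Only admins may filter on the `published` flag.
  def self.ransackable_attributes(auth_object = nil)
    admin?(auth_object) ? super : super - %w[published]
  end

  def self.ransackable_associations(auth_object = nil)
    admin?(auth_object) ? super : super - %w[comments]
  end

  def self.admin?(auth_object)
    auth_object.respond_to?(:admin?) && auth_object.admin?
  end
end

# Constructed auth objects (in a real app this would be current_user).
class AdminUser; def admin?; true; end; end
class Visitor;   def admin?; false; end; end

# Subset of Ransack predicate suffixes, enough for the keys in this issue.
PREDICATES = %w[cont eq not_eq lt gt lteq gteq start end in null present].freeze

# Split a q[] key such as "title_or_html_cont" into [["title", "html"], "cont"].
# Returns nil when the key carries no recognised predicate.
def parse_condition(key)
  pred = PREDICATES.sort_by { |p| -p.length }.find { |p| key.end_with?("_#{p}") }
  return nil unless pred

  attrs = key[0...-(pred.length + 1)].split(/_or_|_and_/)
  [attrs, pred]
end

# Keep only the q[] conditions whose every attribute is whitelisted for this
# auth_object; a hand-edited "published_eq=false" is silently dropped for a
# visitor but honoured for an admin. Mirrors the effect of Ransack's context.
def sanitize_search_params(model, q_params, auth_object = nil)
  allowed = model.ransackable_attributes(auth_object)
  q_params.select do |key, _value|
    attrs, _pred = parse_condition(key)
    attrs && attrs.all? { |a| allowed.include?(a) }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request params: the form's own condition plus a tampered one.
  q = { "title_or_html_cont" => "something", "published_eq" => "false" }
  p sanitize_search_params(Article, q, Visitor.new)   # only the title/html condition survives
  p sanitize_search_params(Article, q, AdminUser.new) # both conditions kept
end
```

The override calls super and subtracts from it rather than listing attributes by hand, so a column added to the table later is still searchable unless you deliberately remove it; for a stricter default, return an explicit allow-list instead of super.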

@jonatack
Owner

Now addressed in the Ransack README and wiki, so we can close this :smiley:

@jonatack jonatack closed this