How to be protected from unwanted search queries #96

mikezaby opened this Issue May 11, 2012 · 3 comments


3 participants

How can I be protected from queries that are different from those defined in the form?

For example, this is the generated GET request from the form

But I can manually change this to something like this

Ransack returns unpublished articles in this case, and we don't want this.


ernie commented May 11, 2012

See -- I didn't get around to documenting this functionality, but using standard OO techniques, you can define a class method called ransackable_attributes or ransackable_associations that takes a single, optional parameter, and then perform any logic you like inside it. I'd recommend modifying the result of super. This will be used to limit the available attributes or associations for search:

You can set the auth_object on the search context as well, by passing an :auth_object key in the options to the search method. For the life of me I don't know what I was smoking when I made that an accessor instead of something set in the context initializer.
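An added example of the hook ernie describes, written for this thread rather than taken from Ransack or the original poster. Since the real hook lives on an ActiveRecord model, the example substitutes a plain base class (`FakeModelBase`, an assumption) whose default `ransackable_attributes` returns the column names, the way Ransack's default does, and a small stand-in filter (`filter_search_params`, also an assumption) for the part of Ransack that drops predicates on attributes that are not ransackable. The `Admin` and `Reader` classes are constructed stand-ins for `current_user`. In a real app the `Article` override goes on the model as-is and the auth object is passed with `Article.ransack(params[:q], auth_object: current_user)`.

```ruby
# Added example, not Ransack's own code. The base class below is an
# assumption that stands in for ActiveRecord::Base plus Ransack's default
# ransackable_attributes (which returns the model's column names).
class FakeModelBase
  def self.column_names
    %w[id title body published created_at]
  end

  # Same signature as the hook described in the comment: one optional
  # auth_object, returning the attribute names a search may filter on.
  def self.ransackable_attributes(auth_object = nil)
    column_names
  end

  def self.ransackable_associations(auth_object = nil)
    []
  end
end

# The override a model author would write: start from super and remove
# `published` unless the auth object is an admin, so a hand-edited
# published_eq=false in the query string is ignored for normal visitors.
class Article < FakeModelBase
  def self.ransackable_attributes(auth_object = nil)
    if auth_object.respond_to?(:admin?) && auth_object.admin?
      super
    else
      super - %w[published]
    end
  end
end

# Constructed stand-ins for the current user.
class Admin;  def admin?; true;  end; end
class Reader; def admin?; false; end; end

# Subset of Ransack predicate suffixes, longest first so "not_eq" is
# recognised before "eq". Assumption: real Ransack has many more.
PREDICATES = %w[eq not_eq cont start end gt lt gteq lteq true false]
  .sort_by { |p| -p.length }.freeze

# Split "published_eq" into ["published", "eq"]; nil if no predicate suffix.
def split_predicate(key)
  PREDICATES.each do |pred|
    suffix = "_#{pred}"
    return [key.delete_suffix(suffix), pred] if key.end_with?(suffix)
  end
  nil
end

# Stand-in for Ransack's handling of the `q` params: keep predicates whose
# attribute is ransackable for this auth_object, drop everything else.
# Returns [accepted_params, rejected_keys].
def filter_search_params(model, params, auth_object: nil)
  allowed = model.ransackable_attributes(auth_object)
  accepted = {}
  rejected = []
  params.each do |key, value|
    attr, _pred = split_predicate(key.to_s)
    if attr && allowed.include?(attr)
      accepted[key.to_s] = value
    else
      rejected << key.to_s
    end
  end
  [accepted, rejected]
end

if __FILE__ == $PROGRAM_NAME
  tampered = { "title_cont" => "rails", "published_eq" => "false" }
  p filter_search_params(Article, tampered, auth_object: Reader.new)
  p filter_search_params(Article, tampered, auth_object: Admin.new)
end
```

For a `Reader`, the tampered `published_eq` key is rejected and only `title_cont` survives; for an `Admin`, both are accepted. Doing the allow-list on the model, as the comment suggests, means every search on `Article` is covered, not just the one form that generated the original request.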


jonatack commented Aug 29, 2014

Now addressed in the Ransack README and wiki, so we can close this 😃

jonatack closed this Aug 29, 2014
