Quoted all table names in hand-crafted queries

api/download.go

@@ -103,8 +103,8 @@ func (a *API) DownloadList(w http.ResponseWriter, r *http.Request) error {
 		}
 	}
 
-	orderTable := models.Order{}.TableName()
-	downloadsTable := models.Download{}.TableName()
+	orderTable := a.db.NewScope(models.Order{}).QuotedTableName()
+	downloadsTable := a.db.NewScope(models.Download{}).QuotedTableName()
 
 	query := a.db.Joins("join " + orderTable + " as orders ON " + downloadsTable + ".order_id = orders.id and orders.payment_state = 'paid'")
 	if order != nil {
@@ -119,7 +119,6 @@ func (a *API) DownloadList(w http.ResponseWriter, r *http.Request) error {
 	}
 
 	var downloads []models.Download
-	query.LogMode(true)
 	if result := query.Offset(offset).Limit(limit).Find(&downloads); result.Error != nil {
 		return internalServerError("Error during database query").WithInternalError(err)
 	}

api/download_test.go

@@ -0,0 +1,21 @@
+package api
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/netlify/gocommerce/models"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestDownloadList(t *testing.T) {
+	t.Run("UserList", func(t *testing.T) {
+		test := NewRouteTest(t)
+		token := test.Data.testUserToken
+		recorder := test.TestEndpoint(http.MethodGet, "/downloads", nil, token)
+
+		downloads := []models.Download{}
+		extractPayload(t, http.StatusOK, recorder, &downloads)
+		assert.Len(t, downloads, 1)
+	})
+}

api/params.go

@@ -26,7 +26,7 @@ var sortFields = map[string]string{
 }
 
 func parsePaymentQueryParams(query *gorm.DB, params url.Values) (*gorm.DB, error) {
-	query = addFilters(query, models.Transaction{}.TableName(), params, []string{
+	query = addFilters(query, query.NewScope(models.Transaction{}).QuotedTableName(), params, []string{
 		"processor_id",
 		"user_id",
 		"order_id",
@@ -52,11 +52,11 @@ func parsePaymentQueryParams(query *gorm.DB, params url.Values) (*gorm.DB, error
 }
 
 func parseUserQueryParams(query *gorm.DB, params url.Values) (*gorm.DB, error) {
-	query = addFilters(query, models.User{}.TableName(), params, []string{
+	query = addFilters(query, query.NewScope(models.User{}).QuotedTableName(), params, []string{
 		"id",
 	})
 
-	query = addLikeFilters(query, models.User{}.TableName(), params, []string{
+	query = addLikeFilters(query, query.NewScope(models.User{}).QuotedTableName(), params, []string{
 		"email",
 	})
 
@@ -81,16 +81,16 @@ func parseOrderParams(query *gorm.DB, params url.Values) (*gorm.DB, error) {
 	}
 
 	if billingCountries := params.Get("billing_countries"); billingCountries != "" {
-		addressTable := models.Address{}.TableName()
-		orderTable := models.Order{}.TableName()
+		addressTable := query.NewScope(models.Address{}).QuotedTableName()
+		orderTable := query.NewScope(models.Order{}).QuotedTableName()
 		statement := "JOIN " + addressTable + " as billing_address on billing_address.id = " +
 			orderTable + ".billing_address_id AND " + "billing_address.country in (?)"
 		query = query.Joins(statement, strings.Split(billingCountries, ","))
 	}
 
 	if shippingCountries := params.Get("shipping_countries"); shippingCountries != "" {
-		addressTable := models.Address{}.TableName()
-		orderTable := models.Order{}.TableName()
+		addressTable := query.NewScope(models.Address{}).QuotedTableName()
+		orderTable := query.NewScope(models.Order{}).QuotedTableName()
 		statement := "JOIN " + addressTable + " as shipping_address on shipping_address.id = " +
 			orderTable + ".shipping_address_id AND " + "shipping_address.country in (?)"
 		query = query.Joins(statement, strings.Split(shippingCountries, ","))
@@ -121,12 +121,12 @@ func parseOrderParams(query *gorm.DB, params url.Values) (*gorm.DB, error) {
 	}
 
 	if email := params.Get("email"); email != "" {
-		query = query.Where(models.Order{}.TableName()+".email LIKE ?", "%"+email+"%")
+		query = query.Where(query.NewScope(models.Order{}).QuotedTableName()+".email LIKE ?", "%"+email+"%")
 	}
 
 	if items := params.Get("items"); items != "" {
-		lineItemTable := models.LineItem{}.TableName()
-		orderTable := models.Order{}.TableName()
+		lineItemTable := query.NewScope(models.LineItem{}).QuotedTableName()
+		orderTable := query.NewScope(models.Order{}).QuotedTableName()
 		statement := "JOIN " + lineItemTable + " as line_item on line_item.order_id = " +
 			orderTable + ".id AND line_item.title LIKE ?"
 		query = query.Joins(statement, "%"+items+"%")

api/reports.go

@@ -53,8 +53,8 @@ func (a *API) SalesReport(w http.ResponseWriter, r *http.Request) error {
 
 // ProductsReport list the products sold within a period
 func (a *API) ProductsReport(w http.ResponseWriter, r *http.Request) error {
-	ordersTable := models.Order{}.TableName()
-	itemsTable := models.LineItem{}.TableName()
+	ordersTable := a.db.NewScope(models.Order{}).QuotedTableName()
+	itemsTable := a.db.NewScope(models.LineItem{}).QuotedTableName()
 	query := a.db.
 		Model(&models.LineItem{}).
 		Select("sku, path, sum(quantity * price) as total, currency").

api/user.go

@@ -43,8 +43,8 @@ func (a *API) UserList(w http.ResponseWriter, r *http.Request) error {
 	log.Debug("Parsed url params")
 
 	var users []models.User
-	orderTable := models.Order{}.TableName()
-	userTable := models.User{}.TableName()
+	orderTable := a.db.NewScope(models.Order{}).QuotedTableName()
+	userTable := a.db.NewScope(models.User{}).QuotedTableName()
 	query = query.
 		Joins("LEFT JOIN " + orderTable + " as orders ON " + userTable + ".id = orders.user_id").
 		Select(userTable + ".id, " + userTable + ".email, " + userTable + ".created_at, " + userTable + ".updated_at, count(orders.id) as order_count").

api/utils_test.go

@@ -164,8 +164,15 @@ func setupTestData() *TestData {
 		Path:        "/i/believe/i/can/fly",
 	}
 
+	firstDownload := models.Download{
+		Title: firstLineItem.Title,
+		Sku:   firstLineItem.Sku,
+		ID:    "first-download",
+	}
+
 	firstOrder.ID = "first-order"
 	firstOrder.LineItems = []*models.LineItem{firstLineItem}
+	firstOrder.Downloads = []models.Download{firstDownload}
 	firstOrder.CalculateTotal(&calculator.Settings{}, nil)
 	firstOrder.BillingAddress = testAddress
 	firstOrder.ShippingAddress = testAddress

models/hook.go

@@ -136,7 +136,7 @@ func RunHooks(db *gorm.DB, log *logrus.Entry) {
 	go func() {
 		id := uuid.NewRandom().String()
 		sem := make(chan bool, maxConcurrentHooks)
-		table := Hook{}.TableName()
+		table := db.NewScope(Hook{}).QuotedTableName()
 		client := &http.Client{}
 		for {
 			hooks := []*Hook{}