
fixed has_many :conditions sanitizing (closes #4278) [hakuja@hakuja.net]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@3935 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
1 parent b212215 commit 50103b86e6f5e6aa82448d6bfdafeac34e0c8caa @technoweenie technoweenie committed Mar 18, 2006
@@ -1244,7 +1244,7 @@ def association_join
case
when reflection.macro == :has_many && reflection.options[:through]
through_reflection = parent.active_record.reflect_on_association(reflection.options[:through])
- through_conditions = through_reflection.options[:conditions] ? "AND #{eval("%(#{through_reflection.options[:conditions]})")}" : ''
+ through_conditions = through_reflection.options[:conditions] ? "AND #{eval("%(#{through_reflection.active_record.send :sanitize_sql, through_reflection.options[:conditions]})")}" : ''
if through_reflection.options[:as] # has_many :through against a polymorphic join
polymorphic_foreign_key = through_reflection.options[:as].to_s + '_id'
polymorphic_foreign_type = through_reflection.options[:as].to_s + '_type'
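Review bot: On the new `through_conditions` line the output of `sanitize_sql` is still spliced into a `%(...)` literal and passed to `eval`, and `sanitize_sql` escapes for SQL, not for Ruby string syntax. A bound value containing `#{`, a backslash or an unbalanced `)` would therefore be interpreted by Ruby after it has been quoted, so array-form conditions are only safe while every bound value is a trusted constant. If the `eval` is there only to support `#{...}` interpolation in string conditions (my reading; the reason is not visible here), keep it for the String case and skip it for arrays: `conds = through_reflection.options[:conditions]` then `sql = conds.is_a?(Array) ? through_reflection.active_record.send(:sanitize_sql, conds) : eval("%(#{conds})")`. The same pattern recurs in the `join <<` hunk and in `def conditions`. `association_join` starts and ends outside this hunk.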
@@ -1296,7 +1296,7 @@ def association_join
aliased_table_name,
reflection.active_record.connection.quote_column_name(reflection.active_record.inheritance_column),
klass.quote(klass.name)] if sti?
- join << "AND #{eval("%(#{reflection.options[:conditions]})")} " if reflection.options[:conditions]
+ join << "AND #{eval("%(#{reflection.active_record.send :sanitize_sql, reflection.options[:conditions]})")} " if reflection.options[:conditions]
join
end
@@ -27,7 +27,7 @@ def aliased_table_name
end
def conditions
- @conditions ||= eval("%(#{@reflection.options[:conditions]})") if @reflection.options[:conditions]
+ @conditions ||= eval("%(#{@reflection.active_record.send :sanitize_sql, @reflection.options[:conditions]})") if @reflection.options[:conditions]
end
alias :sql_conditions :conditions
@@ -42,7 +42,7 @@ class Client < Company
belongs_to :firm, :foreign_key => "client_of"
belongs_to :firm_with_basic_id, :class_name => "Firm", :foreign_key => "firm_id"
belongs_to :firm_with_other_name, :class_name => "Firm", :foreign_key => "client_of"
- belongs_to :firm_with_condition, :class_name => "Firm", :foreign_key => "client_of", :conditions => "1 = 1"
+ belongs_to :firm_with_condition, :class_name => "Firm", :foreign_key => "client_of", :conditions => ["1 = ?", 1]
# Record destruction so we can test whether firm.clients.clear has
# is calling client.destroy, deleting from the database, or setting
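Review bot: The updated `firm_with_condition` fixture binds an integer (`["1 = ?", 1]`), so it exercises the array path but not the quoting that `sanitize_sql` is there to provide. A second fixture with a string bind that contains a quote character, for example `:conditions => ["name = ?", "O'Neil"]` (constructed sample, column name to be matched to the schema), would show that the value arrives quoted in the generated SQL. This hunk shows no `has_many` or `has_many :through` fixture with array conditions, although those are the paths the other hunks change, and the rest of the test file is not visible here. The `Client` class body continues outside the hunk.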
