order Supports Postgres JSON operators #43020
Hi @ChaelCodes,
@p8 Added a Changelog entry! There was a misspelling in the changelog previously, so I fixed that so CI would pass.
@ChaelCodes great!
Hi @ChaelCodes, I've seen you are making contributions here; it would be great if you could do it while streaming. I'd love to do it too, but it's hard to get to a point where I can start.
Hi @JuanVqz, I streamed working on this PR on Sunday. I try to maintain only one PR on busy repos like Rails, and respond quickly to review feedback. This means that I work on a Rails PR every couple of months, and rarely share the feedback and review process, but I do share their initial build-out.
Previously, any JSON operator would return the error `ActiveRecord::UnknownAttributeReference`. This error is intended to protect against SQL injection. It requires the developer to wrap the query in `Arel.sql` to avoid the error. Referencing a JSON column should be treated the same as referencing a string column. This commit only allows `->>` to be used in order.
@ChaelCodes Also getting this error. It seems like if there is any function that takes multiple arguments in the order-by string clause, it fails with this error. Not sure if your PR addresses this case or not? Wanted to point it out. Ideally it would be great to be able to do:
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Summary
closes #43014
Today, when Postgres JSON operators are used, they are treated as potentially user input, and filtered out to protect against SQL injection attacks. There is a regex pattern that is used to check if the string is a column, or function wrapping a column. This regex is already separated into the Postgres adapter.
This PR adds one operator (->> column_name) so that order works more like where clauses do.
There's also documentation added to the JSON guide about ordering using JSON operators.
Other Information
Postgres supports 3 different JSON operators, but we only support one. Here's why.
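Added example, not code from this pull request or from Rails: a simplified Ruby sketch of the allowlist check the summary describes, showing how admitting one `->>` form keeps the injection guard intact. The patterns, `UnknownReference`, `TrustedSql` (standing in for `Arel.sql`) and the quoted-key form `->> 'key'` are assumptions made for illustration.

```ruby
# Simplified stand-ins for the adapter's order allowlist; NOT the Rails regexes.
IDENT     = /(?:\w+\.)?\w+/        # column or table.column
JSON_KEY  = /\s*->>\s*'\w+'/       # assumed operator form: ->> 'key'
DIRECTION = /(?:\s+(?:ASC|DESC))?(?:\s+NULLS\s+(?:FIRST|LAST))?/i

# \A and \z anchor the whole string; ^ and $ would only anchor a line in Ruby,
# letting a payload hide after an embedded newline.
def build_pattern(column)
  /\A(?:#{column}|\w+\(#{column}\))#{DIRECTION}\z/
end

STRICT    = build_pattern(IDENT)                           # before: no JSON operator
WITH_JSON = build_pattern(/#{IDENT}(?:#{JSON_KEY})?/)      # after: optional ->> 'key'

UnknownReference = Class.new(StandardError) # stand-in for UnknownAttributeReference
TrustedSql = Struct.new(:sql)               # stand-in for the Arel.sql wrapper

# Returns the SQL fragment if it is explicitly trusted or matches the allowlist.
def check_order!(arg, pattern)
  return arg.sql if arg.is_a?(TrustedSql)
  raise UnknownReference, "non-attribute order argument: #{arg.inspect}" unless pattern.match?(arg)
  arg
end

def allowed?(arg, pattern)
  check_order!(arg, pattern)
  true
rescue UnknownReference
  false
end

# Constructed sample order arguments.
SAMPLES = [
  "created_at DESC",
  "lower(users.name)",
  "settings ->> 'theme' ASC",
  "settings -> 'a' ->> 'b'",                # other JSON operators stay rejected
  "concat(first_name, last_name)",          # multi-argument call: rejected by this stand-in
  "settings ->> 'theme'; DROP TABLE users"  # trailing statement never matches
].freeze

def report
  SAMPLES.to_h { |s| [s, [allowed?(s, STRICT), allowed?(s, WITH_JSON)]] }
end

report.each { |sql, (before, after)| puts format("%-40s before=%-5s after=%s", sql, before, after) }
```

Anything the allowlist rejects still has to be passed as explicitly trusted SQL, which is where review attention belongs when that string is built from request data.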