-
Notifications
You must be signed in to change notification settings - Fork 118
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Use
Arel.sql
to wrap a known safe SQL string in PermissionsService
To protect against injection attacks, `#pluck` has deprecated raw SQL strings in Rails 5.2. We could use `pluck(:source_id).uniq` here. This would be less efficient in some cases. I didn't have the time to look into whether those cases are likely to arise, so we simply mark the SQL string as safe by wrapping it with `Arel.sql()`.
- Loading branch information
Tom Johnson
committed
Jul 16, 2019
1 parent
7a83daa
commit 9ab079c
Showing
3 changed files
with
7 additions
and
7 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters