Mark safe SQL with Arel.sql

Rails 5.2 is raising a warning in some places: DEPRECATION WARNING: Dangerous query method (method whose arguments are used as raw SQL) called with non-attribute argument(s). Non-attribute arguments will be disallowed in Rails 6.0. This method should not be called with user-provided values, such as request parameters or model attributes. Known-safe values can be passed by wrapping them in Arel.sql(). IMHO this warning is simply wrong, since we're using known PostgreSQL functions like LOWER() or RANDOM(). AFAIK this code works without warnings in Rails 6.0 [1][2] However, since the warning is annoying, we need to take measures so our logs are clean. [1] https://github.com/rails/rails/commit/6c82b6c99d [2] https://github.com/rails/rails/commit/64d8c54e16
2020-05-17 21:10:09 +02:00
parent 2d9f679105
commit 16c16e3cdf
5 changed files with 6 additions and 6 deletions
--- a/app/models/poll/question.rb
+++ b/app/models/poll/question.rb
@@ -28,7 +28,7 @@ class Poll::Question < ApplicationRecord

  scope :by_poll_id,    ->(poll_id) { where(poll_id: poll_id) }

-  scope :sort_for_list, -> { order("poll_questions.proposal_id IS NULL", :created_at) }
+  scope :sort_for_list, -> { order(Arel.sql("poll_questions.proposal_id IS NULL"), :created_at) }
  scope :for_render,    -> { includes(:author, :proposal) }

  def self.search(params)