consul/nairobi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
ec7ed5496fce6d23ec05f819d51a55a12e5ca467
nairobi/app/controllers/legislation/annotations_controller.rb
Javi Martín 16c16e3cdf Mark safe SQL with Arel.sql 
Rails 5.2 is raising a warning in some places:

DEPRECATION WARNING: Dangerous query method (method whose arguments are
used as raw SQL) called with non-attribute argument(s). Non-attribute
arguments will be disallowed in Rails 6.0. This method should not be
called with user-provided values, such as request parameters or model
attributes. Known-safe values can be passed by wrapping them in
Arel.sql().

IMHO this warning is simply wrong, since we're using known PostgreSQL
functions like LOWER() or RANDOM(). AFAIK this code works without warnings
in Rails 6.0 [1][2]

However, since the warning is annoying, we need to take measures so our
logs are clean.

[1] https://github.com/rails/rails/commit/6c82b6c99d
[2] https://github.com/rails/rails/commit/64d8c54e16
2020-10-15 14:57:42 +02:00

115 lines
3.5 KiB
Ruby
Raw Blame History

class Legislation::AnnotationsController < Legislation::BaseController
skip_before_action :verify_authenticity_token
before_action :authenticate_user!, only: [:create, :new_comment]
before_action :convert_ranges_parameters, only: [:create]
load_and_authorize_resource :process
load_and_authorize_resource :draft_version, through: :process
load_and_authorize_resource
has_orders %w[most_voted newest oldest], only: :show
def index
@annotations = @draft_version.annotations
end
def show
@commentable = @annotation
if params[:sub_annotation_ids].present?
@sub_annotations = Legislation::Annotation.where(id: params[:sub_annotation_ids].split(","))
annotations = [@commentable, @sub_annotations]
else
annotations = [@commentable]
end
@comment_tree = MergedCommentTree.new(annotations, params[:page], @current_order)
set_comment_flags(@comment_tree.comments)
end
def create
if !@process.allegations_phase.open? || @draft_version.final_version?
render(json: {}, status: :not_found) && return
end
existing_annotation = @draft_version.annotations.find_by(
range_start: annotation_params[:ranges].first[:start],
range_start_offset: annotation_params[:ranges].first[:startOffset].to_i,
range_end: annotation_params[:ranges].first[:end],
range_end_offset: annotation_params[:ranges].first[:endOffset].to_i
)
@annotation = existing_annotation
if @annotation.present?
comment = @annotation.comments.build(body: annotation_params[:text], user: current_user)
if comment.save
render json: @annotation.to_json
else
render json: comment.errors.full_messages, status: :unprocessable_entity
end
else
@annotation = @draft_version.annotations.new(annotation_params)
@annotation.author = current_user
if @annotation.save
track_event
render json: @annotation.to_json
else
render json: @annotation.errors.full_messages, status: :unprocessable_entity
end
end
end
def search
@annotations = @draft_version.annotations.order(Arel.sql("LENGTH(quote) DESC"))
annotations_hash = { total: @annotations.size, rows: @annotations }
render json: annotations_hash.to_json(methods: :weight)
end
def comments
@annotation = Legislation::Annotation.find(params[:annotation_id])
@comment = @annotation.comments.new
end
def new
respond_to do |format|
format.js
end
end
def new_comment
@draft_version = Legislation::DraftVersion.find(params[:draft_version_id])
@annotation = @draft_version.annotations.find(params[:annotation_id])
@comment = @annotation.comments.new(body: params[:comment][:body], user: current_user)
if @comment.save
@comment = @annotation.comments.new
end
respond_to do |format|
format.js { render :new_comment }
end
end
private
def annotation_params
params
.require(:legislation_annotation)
.permit(:quote, :text, ranges: [:start, :startOffset, :end, :endOffset])
end
def track_event
ahoy.track "legislation_annotation_created".to_sym,
"legislation_annotation_id": @annotation.id,
"legislation_draft_version_id": @draft_version.id
end
def convert_ranges_parameters
annotation = params[:legislation_annotation]
if annotation && annotation[:ranges] && annotation[:ranges].is_a?(String)
params[:legislation_annotation][:ranges] = JSON.parse(annotation[:ranges])
end
rescue JSON::ParserError
end
end
Reference in New Issue View Git Blame Copy Permalink