Commit 1deac61185c147d9c7e1a1e5d4f7e65d59811c73

Authored by Andrew Kane
1 parent 29fb8774

Raise error on unpermitted parameters

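--- a/lib/searchkick/relation.rb
+++ b/lib/searchkick/relation.rb
@@ -29,6 +29,8 @@ module Searchkick
 end
 
 def where!(opts)
+opts = sanitize_opts(opts)
+
 if options[:where]
 options[:where] = [{_and: [options[:where], opts]}]
 else
@@ -55,6 +57,15 @@ module Searchkick
 
 private
 
+def sanitize_opts(attributes)
+if attributes.respond_to?(:permitted?)
+raise ActiveModel::ForbiddenAttributesError if !attributes.permitted?
+attributes.to_h
+else
+attributes
+end
+end
+
 def execute
 Query.new(klass, term, options).execute
 end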
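Review bot: `raise ActiveModel::ForbiddenAttributesError if !attributes.permitted?` in sanitize_opts reads better as `raise ActiveModel::ForbiddenAttributesError unless attributes.permitted?`, and the duck-typed `respond_to?(:permitted?)` branch deserves a comment naming what it is for, e.g. `# Mirror ActiveRecord's mass-assignment protection: refuse ActionController::Parameters that were not permitted, otherwise reduce them to a plain Hash`. The constant is only resolvable when ActiveModel is loaded, so an object answering `permitted?` outside a Rails app would surface a NameError instead of ForbiddenAttributesError — presumably acceptable, given the test guards on ActiveRecord, but worth stating in the comment. The body of where! continues past the end of the first hunk.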
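--- a/test/relation_test.rb
+++ b/test/relation_test.rb
@@ -3,11 +3,25 @@ require_relative "test_helper"
 class RelationTest < Minitest::Test
 def test_works
 store_names ["Product A", "Product B"]
-p Product.search("product", relation: true).where(name: "Product A").limit(1)
+relation = Product.search("product", relation: true).where(name: "Product A").limit(1)
+assert_equal ["Product A"], relation.map(&:name)
 end
 
 def test_no_term
 store_names ["Product A"]
-p Product.search(relation: true)
+assert_equal ["Product A"], Product.search(relation: true).map(&:name)
+end
+
+def test_parameters
+skip unless defined?(ActiveRecord)
+require "action_controller"
+
+params = ActionController::Parameters.new({store_id: 1})
+assert_raises(ActiveModel::ForbiddenAttributesError) do
+Product.where(params)
+end
+assert_raises(ActiveModel::ForbiddenAttributesError) do
+Product.search(relation: true).where(params)
+end
 end
 end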
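Review bot: test_parameters only pins the rejection path; nothing in the hunk shows that a permitted Parameters object is accepted and its `to_h` result is applied by `where`, so a regression that rejected every Parameters object would still pass. A positive case after the two assert_raises would close that gap, e.g. `store_names ["Product A"]`, `permitted = ActionController::Parameters.new({name: "Product A"}).permit(:name)`, `assert_equal ["Product A"], Product.search(relation: true).where(permitted).map(&:name)` — assuming `where` accepts the string keys that `to_h` yields. The `require "action_controller"` inside the test body raises LoadError rather than skipping when actionpack is not installed, so it is worth the same kind of guard as the ActiveRecord check above it.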