From 1deac61185c147d9c7e1a1e5d4f7e65d59811c73 Mon Sep 17 00:00:00 2001
From: Andrew Kane
Date: Tue, 17 Mar 2020 17:57:22 -0700
Subject: [PATCH] Raise error on unpermitted parameters
---
 lib/searchkick/relation.rb | 11 +++++++++++
 test/relation_test.rb | 18 ++++++++++++++++--
 2 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/lib/searchkick/relation.rb b/lib/searchkick/relation.rb
index 8723a86..bbc80a4 100644
--- a/lib/searchkick/relation.rb
+++ b/lib/searchkick/relation.rb
@@ -29,6 +29,8 @@ module Searchkick
     end
 
     def where!(opts)
+      opts = sanitize_opts(opts)
+
       if options[:where]
         options[:where] = [{_and: [options[:where], opts]}]
       else
@@ -55,6 +57,15 @@ module Searchkick
 
     private
 
+    def sanitize_opts(attributes)
+      if attributes.respond_to?(:permitted?)
+        raise ActiveModel::ForbiddenAttributesError if !attributes.permitted?
+        attributes.to_h
+      else
+        attributes
+      end
+    end
+
     def execute
       Query.new(klass, term, options).execute
     end
diff --git a/test/relation_test.rb b/test/relation_test.rb
index 31e019f..fa54667 100644
--- a/test/relation_test.rb
+++ b/test/relation_test.rb
@@ -3,11 +3,25 @@ require_relative "test_helper"
 class RelationTest < Minitest::Test
   def test_works
     store_names ["Product A", "Product B"]
-    p Product.search("product", relation: true).where(name: "Product A").limit(1)
+    relation = Product.search("product", relation: true).where(name: "Product A").limit(1)
+    assert_equal ["Product A"], relation.map(&:name)
   end
 
   def test_no_term
     store_names ["Product A"]
-    p Product.search(relation: true)
+    assert_equal ["Product A"], Product.search(relation: true).map(&:name)
   end
+
+  def test_parameters
+    skip unless defined?(ActiveRecord)
+    require "action_controller"
+
+    params = ActionController::Parameters.new({store_id: 1})
+    assert_raises(ActiveModel::ForbiddenAttributesError) do
+      Product.where(params)
+    end
+    assert_raises(ActiveModel::ForbiddenAttributesError) do
+      Product.search(relation: true).where(params)
+    end
+  end
 end
-- 
libgit2 0.21.0
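Review bot: The new `opts = sanitize_opts(opts)` line in `where!` inspects only the object passed in, so a plain Hash whose values carry a parameters object (for example `where(_and: [params, other])`) is not checked, because `Hash` does not respond to `permitted?` and the nested object reaches `options[:where]` untouched. Whether the query layer later calls `to_h` on such nested values is outside this hunk, so the practical consequence is unconfirmed; either walking nested hashes and arrays, or stating the limitation, would make the contract explicit. A comment above the call such as `# Only the top-level argument is checked for unpermitted parameters; nested values are passed through as given` would do the latter. The body of `where!` continues past the end of this hunk.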
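Review bot: `sanitize_opts` names `ActiveModel::ForbiddenAttributesError` without checking that the constant is loaded, so an object that responds to `permitted?` in a process where ActiveModel is absent would fail with `NameError` instead of the intended error; guarding with `defined?(ActiveModel::ForbiddenAttributesError)` or raising a Searchkick-owned error would make that failure mode deliberate. The condition `raise ActiveModel::ForbiddenAttributesError if !attributes.permitted?` reads more idiomatically as `raise ActiveModel::ForbiddenAttributesError unless attributes.permitted?`. A one-line comment above the method, e.g. `# Reject unpermitted ActionController::Parameters (the same protection ActiveRecord applies to where) and convert permitted ones to a plain hash`, would explain why the branch exists. Note that `attributes.to_h` yields string keys while the callers visible in this file build symbol-keyed conditions; whether the query layer treats both forms alike is not visible here.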
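Review bot: `test_parameters` covers only the rejection path; nothing shows that a permitted parameters object (`params.permit(:store_id)`) is accepted by `where` and reaches the query as a plain hash, so a regression in the `attributes.to_h` branch would go unnoticed. An assertion along the lines of `assert_equal [EXPECTED_NAMES], Product.search(relation: true).where(params.permit(:store_id)).map(&:name)` would close that gap, provided the Product fixture carries a `store_id` column; the fixture values are not visible here, so the expected names are a placeholder. The `Product.where(params)` assertion exercises ActiveRecord's own protection rather than the code in this commit, which is worth a short comment such as `# baseline: ActiveRecord itself rejects unpermitted params` so a reader does not mistake it for the feature under test.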