Bump ransack from 3.2.1 to 4.0.0 #3235
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
murny
force-pushed
the
upgrade-ransack-to-v4
branch
from
fa560da
to
d2cc28d
Compare
murny
commented
Sep 20, 2023
| end | ||
|
|
||
| def self.ransackable_associations(_auth_object = nil) | ||
| ['user'] |
There was a problem hiding this comment.
We have an association here as we use user_name which allows sorting on the User association name attribute
murny
commented
Sep 20, 2023
| @@ -3,7 +3,7 @@ | |||
| <tr> | |||
| <th><%= sort_link(@search, :message, t('.messsage')) %></th> | |||
| <th><%= sort_link(@search, :user_name, t('.creator')) %></th> | |||
| <th><%= sort_link(@search, :posted_at, t('.posted_at')) %></th> | |||
| <th><%= sort_link(@search, :created_at, t('.posted_at')) %></th> | |||
There was a problem hiding this comment.
Believe this was a bug? We have no column on Announcements for posted_at? I assume this should be created_at instead.
This basically wasn't doing anything before. Now its properly sorting by created at:
app | Announcement Load (2.1ms) SELECT "announcements".* FROM "announcements" WHERE "announcements"."removed_at" IS NOT NULL ORDER BY "announcements"."created_at" ASC LIMIT $1 OFFSET $2 [["LIMIT", 10], ["OFFSET", 0]]
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Context
The hardest part of this v4.0.0 upgrade was they forced you to require explict allowlisting of attributes and associations in your models for Ransack for added security. The PR for this was here: activerecord-hackery/ransack#1400
Basically we just have explicitly provide what columns and associations you can use in Ransack for your model like so:
Note: Ransack is only used in our admin dashboard and on 3 screens as of today. The Batch Ingest, User and Announcement index admin screens. All these are working with these changes (even found a bug which is now fixed!). So this upgrade is relatively safe.
Bumps ransack from 3.2.1 to 4.0.0.
Release notes
Sourced from ransack's releases.
... (truncated)
Changelog
Sourced from ransack's changelog.
Commits
dbffa8bRelease 4.0.0 (#1402)2922e33Require explict allowlisting of attributes and associations (#1400)784e600Bump http-cache-semantics from 4.1.0 to 4.1.1 in /docs (#1401)fc4b83dAdd support for default predicates (#1384)d658628Merge pull request #1398 from activerecord-hackery/bump-deps14a17a8Upgrade recursive-readdir to 2.2.3ab6fa2dUpgrade serve-handler to 6.1.5555d558Prevent changing host through params (#1391)cb712fdBump ua-parser-js from 0.7.31 to 0.7.33 in /docs (#1397)5778eb7Bump json5 from 2.2.1 to 2.2.3 in /docs (#1390)